Closed EvilBit closed 3 years ago
Good point; probably the easiest way of achieving this would be accepting `-` as a special value to mean "read the password from stdin instead" (which means you cannot specify a literal dash `-` as a password any more directly as a command line argument, but I can live with that).
Passing the password as an argument exposes it to other processes via `/proc` and constitutes a potential leak of this critical secret. The password should only ever be passed via a file descriptor, possibly `stdin` per default or if called interactively.
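
The behaviour discussed in this thread, sketched as an added example (not code from the project or from either participant): `-` or a missing value means the password comes from stdin, with a no-echo prompt when stdin is a terminal. The names `read_password` and `main` are hypothetical, and the warning for literal arguments is an assumption of this example.

```python
import getpass
import sys


def read_password(arg, stdin=None):
    """Resolve the password from a command-line value (hypothetical helper).

    "-" (or no value) means: take the secret from stdin, so it never
    appears in the process's argument vector. Any other value is a literal
    from argv, which other processes can read via /proc/<pid>/cmdline.
    Returns (password, came_from_argv).
    """
    stdin = sys.stdin if stdin is None else stdin
    if arg is None or arg == "-":
        if stdin.isatty():
            # Interactive call: prompt without echoing the input.
            return getpass.getpass("Password: "), False
        # Piped or redirected input: the first line is the password.
        line = stdin.readline()
        if line == "":
            raise ValueError("no password supplied on stdin")
        # Strip only the line terminator; spaces may be part of a password.
        return line.rstrip("\r\n"), False
    return arg, True


def main(argv):
    arg = argv[1] if len(argv) > 1 else None
    password, from_argv = read_password(arg)
    if from_argv:
        print("warning: a password given as an argument is visible in /proc",
              file=sys.stderr)
    # A real tool would use the password here; only its length is reported.
    print(f"got a password of {len(password)} characters")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As noted in the thread, a password consisting of a single literal dash can then only be supplied through stdin.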