crypto plugin: master password is lost on umount

[petermax2]

Situation / Problem

The plugin configuration holding the encrypted master password is lost on kdb umount.

Example

kdb mount test.ecf user/test crypto_gcrypt
kdb set user/test "secret"
kdb setmeta user/test crypto/encrypt 1
kdb umount user/test
kdb mount test.ecf user/test crypto_gcrypt

Expected Behaviour

The encrypted master password can be restored on kdb mount.

[petermax2]

This is a follow-up task to #892 .

[markus2330]

So you want to store the password twice during mount?

An alternative is that we add hooks for unmounting plugins and then ask the user if he/she actually wants to lose the data. I am not sure if this actually improves usability, though.

[markus2330]

A special backup-place that can be used by checkconf seems like a good (and easy) option. So we simply store the password twice, and the user is able to restore it (manually).

Idea: checkconf appends a key to backup/masterpassword, the mount-process handles this config in a special way and stores the keys below system/elektra/mountpoints/backup. (Should be no issue for the other tools as long system/elektra/mountpoints/backup itself does not exist.)

The issue, however, does not have the highest priority.

[markus2330]

A very simple solution would be that umount moves all keys to system/elektra/backup/mountpoints and we allow to undo previous umount!

[markus2330]

@petermax2 Any progress here? Would be great to see better usability for the crypto plugin!

[petermax2]

Any progress here? Would be great to see better usability for the crypto plugin!

Well, not yet. 😺

A special backup-place that can be used by checkconf seems like a good (and easy) option. So we simply store the password twice, and the user is able to restore it (manually).

I agree, but can I access the mount-point of the plugin in checkconf. Is it available somewhere within the plugin configuration keyset?

[markus2330]

It is maybe not the prettiest solution, but checkconf could open a new KDB, and then check:

1. if currently a remount of a previously backuped mountpoint is done ("restore" the backup)
2. or simply do a backup of the master password.

[petermax2]

What do you think about having a plugin configuration parameter for the plugin that specifies a path where the "master password" should be stored. If it is not provided, we use the default (i.e. the plugin configuration) but we could specify some other location. Thus we should be able to restore the keys after re-mounting.

[markus2330]

I am afraid the whole mounting depends on that the master-password is exactly where it is right now. If it is not there, the plugin will not find it during initialization (opening).

And there is currently also no way for the plugin to write somewhere it should not write to (outside of the keys it is responsible for).

[petermax2]

This issue is a really tricky one.

but checkconf could open a new KDB, and then check:

Isn't it possible to get stuck in an infinite loop if I open KDB for the same mount-point as the plugin currently handles?

I am afraid the whole mounting depends on that the master-password is exactly where it is right now. If it is not there, the plugin will not find it during initialization (opening).

Fully agreed. 😕

[markus2330]

Isn't it possible to get stuck in an infinite loop if I open KDB for the same mount-point as the plugin currently handles?

If it is done within plugins it would be like this. Within checkconf, however, it might work. (Iirc kdb mount opens KDB after checkconf is called).

[stale]

I mark this issue stale as it did not have any activity for one year. I'll close it in two weeks if no further activity occurs. If you want it to be alive again, ping the issue by writing a message here or create a new issue with the remainder of this issue.
Thank you for your contributions 💖

[stale]

I closed this issue now because it has been inactive for more than one year. If I closed it by mistake, please do not hesitate to reopen it or create a new issue with the remainder of this issue.
Thank you for your contributions 💖