I am switching from a GUI based password file to a text based one and I intend to encrypt with openssl, which might be employed in a way similar to the following.
The following script might have a name like
    #!/bin/bash
    if [ ! -f pw.txt ] ; then
        echo "pw.txt not found"
        exit 1
    fi
    # Test openssl's exit status rather than whether pw.aes128 exists:
    # the shell creates pw.aes128 for the redirect before openssl runs,
    # so the file is present (empty) even when openssl fails, e.g. when
    # the two passphrase prompts do not match.
    if openssl aes128 <pw.txt >pw.aes128 ; then
        rm pw.txt
        rm --force pw.txt~
    else
        rm --force pw.aes128
        echo "failed to create pw.aes128"
    fi
The plain text password file might be edited via gedit. This creates a small risk if a person obtains unauthorized access to Ubuntu if the user is absent when logged in, or some other way that provides access to the file system. Does gedit leave cache files or temp files after the gedit application is closed?
Aside: I will switch to full disk encryption since 16.04 is nearing end of long term support, but in the meanwhile I have an interest in an answer to this gedit question. Even when a machine has full disk encryption it might make sense to continue to use this script because one would not want this file to be plain text in backups. If the backup goes to a cloud server then you have even more reason not to have plain text in backups. Assumption: The backup itself is not encrypted, so for example just boot and decrypt the full disk and execute tar, and the tar archive constitutes the backup. If the backup is an image copy of an encrypted disk then obviously "plain text risk" does not apply.
Edit: Thanks to the answer and comment below I was able to add rm --force pw.txt~ to the script.
    #!/bin/bash
    if [ ! -f pw.aes128 ] ; then
        echo "pw.aes128 not found"
        exit 1
    fi
    openssl aes128 -d <pw.aes128 >pw.txt
    #!/bin/bash
    if [ ! -f pw.aes128 ] ; then
        echo "pw.aes128 not found"
        exit 1
    fi
    openssl aes128 -d <pw.aes128 >pw.txt
    cat pw.txt
    rm pw.txt
    rm --force pw.txt~
If it is just one file you are just accessing manually:
You could encrypt the password file with vi.
vi -x pw.txt ....and then create a password when asked.
Then you type in the password on each access.
If someone does look into the file, it can't be deciphered...humanly
The limitation is that you'd have to use vi to work in it.
I wasn't sure if you are accessing a lot of password files
.... or just trying to maintain one that you have to go into once in a while
..... or manipulating programmatically, which for this would not be any good.
...just another possible option that solves the security concern.
Hidden temporary tilde-suffixed files will normally exist by default after your first save, and of course they will remain if gedit (or your OS) crashes: Recover files from gedit
The tilde-suffixed file is in the same directory as the original file.
Creation of these files is optional and it can be changed in the preferences as follows: in the gedit menu follow the sequence Edit > Preferences > Editor > find the option that says 'Create a backup of files before saving' > uncheck that option.
There should not be any other temporary files or crash files in other directories.
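The encrypt/decrypt pair from the question together with the tilde-backup point from the answer above, as an added example (not the asker's script and not from either answer). The file names pw.txt/pw.aes128 are the question's; the function names and the PW_PASS environment variable are assumptions made so the script can run without a prompt (omit -pass to be prompted instead), and -pbkdf2 requires OpenSSL 1.1.1 or newer. It avoids the trap in the original encrypt step, where the shell creates pw.aes128 before openssl runs, so a failed openssl call still looked like success and the only plaintext copy was deleted.

```shell
#!/bin/bash
# Added example: success is decided by openssl's exit status, the ciphertext is
# written to a temp file first, and gedit's backup copy (pw.txt~) goes with the
# plaintext. PW_PASS holds the passphrase (assumption, see lead-in).

encrypt_pw() {                       # usage: encrypt_pw <plain> <cipher>
    local plain="$1" cipher="$2" tmp
    [ -f "$plain" ] || { echo "$plain not found" >&2; return 1; }
    tmp=$(mktemp "${cipher}.XXXXXX") || return 1   # created mode 0600
    if openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:PW_PASS \
            -in "$plain" -out "$tmp"; then
        mv "$tmp" "$cipher"
        rm -f "$plain" "${plain}~"   # plaintext and gedit's tilde backup
        return 0
    fi
    rm -f "$tmp"                     # failed: keep the plaintext, drop the partial output
    echo "failed to create $cipher" >&2
    return 1
}

decrypt_pw() {                       # usage: decrypt_pw <cipher> <plain>
    local cipher="$1" plain="$2"
    [ -f "$cipher" ] || { echo "$cipher not found" >&2; return 1; }
    # A wrong passphrase makes openssl exit non-zero ("bad decrypt").
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PW_PASS -in "$cipher" -out "$plain"
}

# Stand-alone use:  PW_PASS=... ./pw.sh enc   or   PW_PASS=... ./pw.sh dec
case "${1:-}" in
    enc) encrypt_pw pw.txt pw.aes128 ;;
    dec) decrypt_pw pw.aes128 pw.txt ;;
esac
```

After dec, remove pw.txt (and pw.txt~ once gedit has saved) again as the question's second script does, so the plaintext only exists while it is being read.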