I have followed the following link: Mutt: how to safely store password?

Not sure what I am missing, but it is not working the way I need it to. Here is what I notice:

When I go to the shell prompt and type in mutt, it will pop up a screen for me to enter a passphrase. Once I enter it, the mail client will pop up and I can send and receive email with no issues. If I close it and do it again, it will not ask for the passphrase; however, if I close out completely and ssh back into the server and type mutt, it will ask for the passphrase.

What I am trying to accomplish is encrypting the password so that when I run a cron job it will have no issues and bypass being asked for the passphrase. Can someone please assist me with getting this to work?

Donny

1 Answer

There are several different options with different levels of security, so let's outline some of them so you can make the best decision. To automate decryption, a passphrase has to be stored somewhere (on disk, in memory, or on another machine). It is usually worth considering:

  • Who has access to the machine?
  • Is it publicly accessible, or does it host a publicly accessible service?

Option 1: Store the email passphrase unencrypted in your muttrc file.

Limit the read access of muttrc to the user running the cron job and encrypt the underlying file system. Since you are using Gmail, create an App Password that can be rotated/revoked if it is compromised. This is probably the easiest solution to the problem.

The downside of this solution is that the root user, or anyone with sudo privileges, can access this file. You can configure sudo to require a password to help reduce that possibility.

Option 2: Store the gpg passphrase unencrypted in a file.

For this option, you are configuring mutt to run gpg non-interactively. Read access should be restricted for your mutt passwords and gpg passphrase files. You should also encrypt the underlying filesystem to protect against physical access. This only adds obscurity compared to storing the password unencrypted in the muttrc. The same downsides apply, and this solution would be considered equally secure.

For gpg to be run by a non-interactive user, you will need to run gpg commands with:

  • --batch to disable interactive mode
  • --passphrase-file to provide a password for the gpg private key
  • --pinentry-mode loopback to redirect pinentry queries back to the caller.

So, in the muttrc:

source "/usr/local/bin/gpg -d --batch --passphrase-file=$HOME/.passFile.txt --pinentry-mode loopback $HOME/.mutt/passwords.gpg |"

Option 3: Use a secrets management service.

No real standard exists in this space, and there are many options. A secrets management service centralizes the management of secrets, providing auditing and control of access to secrets at scale. Advantages and disadvantages will change depending on your deployment and implementation, and going any further into this space would be largely opinion based.

Additionally, here is another question that largely touches on the question domain that might be helpful.

nickdew
  • Thanks for getting back to me in regards to this. So how do I bypass the passphrase from popping up when I use mutt? I did follow the instructions in that link. I did add this line to the muttrc file: "source "gpg -d ~/.mutt/passwords.gpg |"". I think where my problem is, is that the encryption password is not getting stored and may not be tied to the user session, not sure though. – Donny Apr 07 '20 at 19:22
  • @Donny Updated the response with the necessary config changes. Automating encryption means you have to store a passphrase somewhere. – nickdew Apr 07 '20 at 20:47
  • Thanks @nickdew I will give this a shot today and let you know. – Donny Apr 08 '20 at 13:56
  • I add that line above to my .muttrc it looks as it does not ask for passphrase, but now when typing mutt from the shell I get this -- Password for [email protected]@imap.gmail.com: – Donny Apr 08 '20 at 16:37
  • Once I put the password in I can see the mutt inbox and send and receive emails, however need to not have to put this password in or the cronjob will not run. – Donny Apr 08 '20 at 16:46
  • I add that line above to my .muttrc it looks as it does not ask for passphrase, but now when typing mutt from the shell I get this -- Password for [email protected]@imap.gmail.com: any ideas on this and what I can do to make it work? – Donny Apr 10 '20 at 15:19
  • Updated the command for the original answer to include `--pinentry-mode loopback`. – nickdew Apr 13 '20 at 19:48
  • Still getting a prompt for password for the above [email protected]:imap.gmail.com. Is there a way to verify this is the case? The email account password is stored in: $HOME/.mutt/passwords.gpg. The gpg encryption passphrase is stored in: $HOME/.passFile.txt (how to verify this)? – Donny Apr 14 '20 at 18:56
  • pwd shows this: /home/username/.mutt, and ls -al shows muttrc & passwords.gpg. Doing cat $HOME/.passFile.txt says this: -bash: /home/username/.passFile.txt: No such file or directory. Looks like it does not exist there. Any ideas, or how can I get this? – Donny Apr 14 '20 at 19:01
  • You have to create the `$HOME/.passFile.txt`. This file should contain the gpg passphrase used to unlock your `$HOME/.mutt/passwords.gpg`. This is essentially as secure as just hard coding your password in the muttrc. – nickdew Apr 14 '20 at 19:30
  • do I just create a file called passFile.txt and store the password in there? Or is there a certain way to create this? Also, will this be readable and cleartext or will it be encrypted? Please advise on how to do this. Want to make sure it is secure. – Donny Apr 14 '20 at 23:42
  • When I added this line to the muttrc file, set imap_pass = "password", with my account password, it worked with no problem. The challenge I have is I don't want this to be in plain text; I need it to be encrypted. Please advise. – Donny Apr 15 '20 at 00:31
  • Reverted back to the instructions and did this correctly this time: set imap_pass="password" set smtp_pass="password", and then did this: $ gpg --gen-key, next this: gpg -r [email protected] -e ~/.mutt/passwords, $ ls ~/.mutt/passwords* /home/user/.mutt/passwords /home/user/.mutt/passwords.gpg, $ shred ~/.mutt/passwords, $ rm ~/.mutt/passwords. Then I did this: Add to your muttrc: source "gpg -d ~/.mutt/passwords.gpg |". After this, when I type mutt it asks for this: Passphrase: if I put the Passphrase in it goes straight to my mutt inbox. – Donny Apr 15 '20 at 00:49
  • how can I make this so it will not ask me to type my Passphrase when launching mutt? – Donny Apr 15 '20 at 00:53
  • Rewrote my attempt at an answer. Basically, you can store the email password unencrypted in muttrc, store the gpg password unencrypted in a file, or use a secrets manager. – nickdew Apr 15 '20 at 18:38
  • Yes I can put the email password in the muttrc, but again that is not encrypted and this will not work for security. The main purpose of this is to have it encrypted and not show a plaintext password. I am using pgp; however, do you recommend a different one? – Donny Apr 15 '20 at 19:55
  • You have to authenticate to send an email using Gmail SMTP servers, so a secret has to be stored somewhere. You have three options as I see it: store the Gmail passphrase unencrypted in muttrc, store the GPG passphrase unencrypted in another file, or use a secrets manager. For security, the most you can do is limit access as much as possible and limit the blast radius of compromised credentials. – nickdew Apr 15 '20 at 21:27
  • what is **secrets manager**? Is this the most secure way of doing it? – Donny Apr 16 '20 at 15:47
  • Read the links in the answer I posted. There is no "most secure" way; you still have to perform some type of auth to get your secrets, period. – nickdew Apr 16 '20 at 22:11
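Added example, not from nickdew's answer or from the mutt/gpg projects: a POSIX shell script that creates the Option 2 files owner-only, runs the same --batch/--passphrase-file/--pinentry-mode loopback decrypt that the muttrc source line runs, and answers Donny's "how do I verify this?" question from the comments. It assumes the answer's paths ($HOME/.passFile.txt and $HOME/.mutt/passwords.gpg, overridable via environment) and uses symmetric gpg -c in place of the answer's key pair (-r KEYID -e) so it runs stand-alone; the decrypt flags are identical either way.

```shell
#!/bin/sh
# Added example, not from the answer above: set up and verify the Option 2
# layout non-interactively. Paths follow the answer; any passphrase fed to
# create_pass_file in a test is a constructed sample, never a real one.
PASS_FILE="${PASS_FILE:-$HOME/.passFile.txt}"     # gpg passphrase, plaintext
SECRETS="${SECRETS:-$HOME/.mutt/passwords.gpg}"   # encrypted muttrc fragment

# 0 only if FILE exists, belongs to the current user and is mode 600 or 400,
# i.e. unreadable by group and others (root still reads it, as the answer notes).
check_private_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
    [ "$owner" = "$(id -un)" ] || { echo "wrong owner on $f" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode too permissive: $f" >&2; return 1 ;;
    esac
}
# Write the passphrase file the answer refers to: one line, created owner-only
# from the start (umask in a subshell) rather than chmod'ed after the fact.
create_pass_file() {   # path passphrase
    (umask 077; printf '%s\n' "$2" > "$1") && chmod 600 "$1"
}
# Encrypt a plaintext muttrc fragment. Symmetric (-c) is used so the example
# needs no key pair; the answer used -r KEYID -e, and decryption is the same.
encrypt_secrets() {   # passfile plaintext out
    gpg -c --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$1" -o "$3" "$2"
}
# What mutt runs via the answer's source "... |" line, plus --no-tty so a
# cron job fails instead of hanging if a prompt would ever be needed.
decrypt_secrets() {   # passfile secrets
    gpg -d --batch --no-tty --quiet --pinentry-mode loopback \
        --passphrase-file "$1" "$2"
}
# "How do I verify this?": permissions on both files, then a real decrypt
# that must yield the set imap_pass line without any prompt.
verify_setup() {   # passfile secrets
    check_private_file "$1" && check_private_file "$2" || return 1
    decrypt_secrets "$1" "$2" | grep -q 'set imap_pass' \
        || { echo "decrypt did not produce set imap_pass" >&2; return 1; }
    echo "ok: mutt can source $2 without a passphrase prompt"
}

if [ "${1:-}" = "verify" ]; then verify_setup "$PASS_FILE" "$SECRETS"; fi
```

Run it as `sh verify.sh verify` from the cron user's account; a non-zero exit with the printed reason is exactly the failure a cron job would otherwise hit silently.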