Support for encrypted secretes instead of plain text ~/.2fa

[doronbehar]

Hi,

First of all, this is a great command line utility so thank you for making it.

Adding support for a password encrypted using PGP/GPG could be cool. A JSON format like the one outputs the backup mechanism of https://github.com/andOTP/andOTP could be great, because the secrets can be shared easily between the 2fa and andOTP on Android.

Here is an example of a formatted decrypted JSON backup made by andOTP:

[
  {
    "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "label": "Google:doron.behar@gmail.com",
    "period": 30,
    "digits": 6,
    "type": "TOTP",
    "algorithm": "SHA1",
    "tags": []
  },
  {
    "secret": "XXXXXXXXXXXXXXXX",
    "label": "GitHub - GitHub:doronbehar",
    "period": 30,
    "digits": 6,
    "type": "TOTP",
    "algorithm": "SHA1",
    "tags": []
  },
]

I'll be glad to hear your thoughts :)

[heywoodlh]

TL;DR:
Create an alias or function in your shell to use GPG to encrypt and decrypt your ~/.2fa file:

BASH function:
2fa() { gpg --decrypt ~/.2fa.gpg > ~/.2fa; **/path/to**/go/bin/2fa "$@"; rm ~/.2fa; }

Fish function:

function 2fa
    gpg --decrypt **/path/to**/.2fa.gpg > ~/.2fa
    /path/to/go/bin/2fa $argv
    rm ~/.2fa
end

Long Response:

I was able to solve this by writing a function in my shell (fish) to use gpg to decrypt the file. You could do the same thing with BASH using an alias or just writing a shell script.

It's a sloppy solution but it totally works and relies on the security of GPG rather than keeping the file stored in plaintext.

As an example, here is my function for fish:

function 2fa
    gpg --decrypt ~/.2fa.gpg > ~/.2fa
    /path/to/go/bin/2fa $argv
    rm ~/.2fa
end

This example presumes that the ~/.2fa file has been encrypted with gpg and stored as ~/.2fa.gpg. Once the encrypted file exists, you can remove the original ~/.2fa file that has everything stored in plaintext.

To break down the function:
gpg --decrypt ~/.2fa.gpg > ~/.2fa will decrypt the gpg file and create a ~/.2fa file.
/path/to/go/bin/2fa $argv will run the 2fa binary and accept arguments.
rm ~/.2fa will remove the ~/.2fa file. You could erase it securely using shred instead.

[doronbehar]

Cool! Thanks for your response, I'm using pass-otp now which fits well to my workflow with pass So I don't need this workaround anymore.