
Securely Store Password

Nate Jackson edited this page Apr 18, 2018 · 7 revisions

This page describes how to store passwords in a secure fashion and retrieve them from offlineimap and msmtp.

Introduce password manager

Both offlineimap and msmtp can read the password from their config file or ~/.netrc, but that doesn't sound very secure. Luckily, password managers tackle this problem. The following instructions guide you through configuring offlineimap and msmtp to integrate with your system's password manager (referred to as the "keyring").

First, you need a keyring installed and running. OS X, Gnome and KDE users should already have the default keyring ready to serve. Users of other desktop environments can see https://wiki.archlinux.org/index.php/Gnome-keyring for how to get gnome-keyring running.

Access keyring from Python

Install Python and the python-keyring module for your system:

Optionally, if you want to use gnome-keyring / kwallet as the backend for python-keyring, you'll need to install the corresponding adapter modules, such as libgnome-keyring, python2-gobject and the like.

Now you can store your password securely via Python:

$ python -c "import keyring; keyring.set_password('gmail', 'personal', 'PASSWORD')"
# Test that the password is successfully stored:
$ python -c "import keyring; print(keyring.get_password('gmail', 'personal'))"
PASSWORD

Retrieve password from offlineimap

Offlineimap can run Python code to retrieve the password.

Open your ~/.offlineimaprc with your editor. Find the remote repository and edit it like this:

[general]
pythonfile = ~/.offlineimap.py

[Repository personal-remote]
remoteuser = user@domain.com
# Comment out or remove the `remotepass` line
# remotepass = password 
# Use remotepasseval instead:
remotepasseval = keyring.get_password('gmail', 'personal')

And create ~/.offlineimap.py by running:

$ echo import keyring >> ~/.offlineimap.py

Offlineimap should now be able to read the password from the keyring.

Retrieve password from msmtp

Msmtp can read the password from any process's stdout. Open your ~/.msmtprc and edit it like this:

# Find the account section
account personal
# Again, comment out or remove the `password` line
# password PASSWORD
# Use passwordeval instead:
passwordeval python -c "import keyring; print(keyring.get_password('gmail', 'personal'))"

Easy, isn't it?

Note: msmtp supports reading from gnome-keyring natively, but we do not cover that here. It is not as portable as python-keyring, and it would be a little more tedious to retrieve the password from offlineimap.

Using the pass program

The pass password manager can be used to retrieve the password for your accounts. As an example for OfflineIMAP, make the following changes (given that you have stored your work email password in work/email):

[general]
pythonfile = ~/.offlineimap.py

[Repository ...]
remotepasseval = subprocess.check_output(["pass", "show", "work/email"]).strip()

and create ~/.offlineimap.py:

$ echo import subprocess >> ~/.offlineimap.py
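
A hardened variant of the `pass` lookup above, as an added example (not part of the original wiki page or of OfflineIMAP): `pass_first_line` is a hypothetical helper for ~/.offlineimap.py that returns only the first line of the entry, where pass keeps the password, decodes it to text (on Python 3 `check_output` returns bytes), and raises instead of handing back an empty password when the lookup fails. The `command` parameter is an assumption added so the helper can be exercised without a real password store.

```python
# Added example for ~/.offlineimap.py; pass_first_line is a hypothetical name.
import subprocess


def pass_first_line(entry, command=("pass", "show")):
    """Return the first line of `pass show <entry>` as text.

    pass keeps the password on the first line of an entry; any further
    lines (login, URL, notes) must not be sent as part of the password.
    """
    try:
        raw = subprocess.check_output(list(command) + [entry])
    except subprocess.CalledProcessError as exc:
        # Entry missing or GPG could not decrypt: stop here rather than
        # let the mail client attempt a login with an empty password.
        raise RuntimeError(
            "%s failed for %r (exit %d)" % (command[0], entry, exc.returncode)
        )
    lines = raw.decode("utf-8").splitlines()
    if not lines or not lines[0]:
        raise RuntimeError("no password on the first line of %r" % entry)
    return lines[0]


if __name__ == "__main__":
    import sys

    # Constructed stand-in for `pass show`: prints a two-line entry.
    fake = (sys.executable, "-c",
            "print('s3cret'); print('login: user@domain.com')")
    print(pass_first_line("work/email", command=fake))
```

With this in ~/.offlineimap.py, the repository section can use `remotepasseval = pass_first_line("work/email")`.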
