R4.0 Saving default backup profile writes plaintext passphrase

[awokd]

Qubes OS version:

R4.0

Affected TemplateVMs:

N/A

---

Steps to reproduce the behavior:

Use Qubes Backup VM GUI
Enter passphrase
Check "Save settings as default backup profile" box
Proceed and run backup
cat /etc/qubes/backup/qubes-manager-backup.conf

Expected behavior:

Empty passphrase in file

Actual behavior:

Passphrase displayed in plaintext

General notes:

I know if dom0 is compromised to the point where individual files can be viewed it's pretty much game over, but this does not appear to be a good default if we are concerned about shoulder sniffing passphrases for example (#2777). If it's by design, it seems to me it should be strongly called out in the GUI and man/help page. I can see leaving the option of saving passphrases in profiles for users who are utilizing qvm-backup from the command line.

---

Related issues:

[marmarek]

I agree, there should be a warning in the GUI
cc @marmarta

[marmarek]

I agree, there should be a warning in the GUI
cc @marmarta

[awokd]

Reworded title slightly because it's the act of saving the "default backup profile" that poses the issue, not a default setting somewhere.

Was thinking about this a bit more too. Should the dilemma of saving a passphrase be posed to the GUI user? Could remove it entirely so checking the box in the GUI saves all settings except passphrase, but leave the option to do so open to CLI users (with appropriate warnings there).

[awokd]

Reworded title slightly because it's the act of saving the "default backup profile" that poses the issue, not a default setting somewhere.

Was thinking about this a bit more too. Should the dilemma of saving a passphrase be posed to the GUI user? Could remove it entirely so checking the box in the GUI saves all settings except passphrase, but leave the option to do so open to CLI users (with appropriate warnings there).

[andrewdavidwong]

Was thinking about this a bit more too. Should the dilemma of saving a passphrase be posed to the GUI user? Could remove it entirely so checking the box in the GUI saves all settings except passphrase, but leave the option to do so open to CLI users (with appropriate warnings there).

That's a tough question, but I'm inclined to say that we shouldn't intentionally omit options from the GUI that are present in the CLI on the assumption that the classes of users who self-select into using the CLI vs. the GUI cleanly map onto the classes of users who are sophisticated enough to make this decision vs. those who are not, respectively. There's probably a correlation, but it might be a weak one. I know some savvy users who simply prefer the GUI for certain tasks.

[andrewdavidwong]

Was thinking about this a bit more too. Should the dilemma of saving a passphrase be posed to the GUI user? Could remove it entirely so checking the box in the GUI saves all settings except passphrase, but leave the option to do so open to CLI users (with appropriate warnings there).

That's a tough question, but I'm inclined to say that we shouldn't intentionally omit options from the GUI that are present in the CLI on the assumption that the classes of users who self-select into using the CLI vs. the GUI cleanly map onto the classes of users who are sophisticated enough to make this decision vs. those who are not, respectively. There's probably a correlation, but it might be a weak one. I know some savvy users who simply prefer the GUI for certain tasks.

[marmarta]

I've added a warning, and I'm wondering whether it would be a better idea to store the password in base64 - it's no encryption, but at least solves the shoulder-surfing problem a bit.

[marmarta]

I've added a warning, and I'm wondering whether it would be a better idea to store the password in base64 - it's no encryption, but at least solves the shoulder-surfing problem a bit.

[awokd]

That's usually how SMB commercial backup software saves passphrases too, some trivial algorithm easily reversed with third party tools in case you are in a rush to do a restore.

[awokd]

That's usually how SMB commercial backup software saves passphrases too, some trivial algorithm easily reversed with third party tools in case you are in a rush to do a restore.

[lunarthegrey]

@marmarta I would opt for base64 encoded. Better than it is now, at least a temporary solution.

[lunarthegrey]

@marmarta I would opt for base64 encoded. Better than it is now, at least a temporary solution.

[awokd]

Thank you.

[awokd]

Thank you.

[qubesos-bot]

Automated announcement from builder-github

The package qubes-manager-4.0.14-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-manager-4.0.14-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-manager-4.0.15-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-manager-4.0.15-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update