Securely Store Password

Nate Jackson edited this page Apr 18, 2018 · 7 revisions

This pages describes how to store password in a secure fashion and retrieve password from offlineimap and msmtp

Introduce password manager

Both offlineimap and msmtp can read password from config file or ~/.netrc. But that doesn't sounds very secure. Luckily we have password managers tackling this problem. The following instructions will guide you configuring offlineimap and msmtp to integrate with your system's password manager(referred to as "keyring").

First you need a keyring installed and running. For OS X, Gnome and KDE users, you should already have the default keyring ready to serve. For users of other desktop environment, see https://wiki.archlinux.org/index.php/Gnome-keyring for how to get gnome-keyring running.

Access keyring from Python

Install Python and the python-keyring module for your system:

Optionally, if you want to use gnome-keyring / kwallet as the backend for python-keyring, you'll need to install corresponding adapter module like libgnome-keyring, python2-gobject and alike.

Now you can store your password securely via Python:

$ python -c "import keyring; keyring.set_password('gmail', 'personal', 'PASSWORD')"
# Test that the password is successfully stored:
$ python -c "import keyring; print(keyring.get_password('gmail', 'personal'))"
PASSWORD

Retrieve password from offlineimap

Offlineimap can run Python code to retrieve password.

Open your ~/.offlineimaprc with your editor. Find the remote repository and edit like this:

[general]
pythonfile = ~/.offlineimap.py

[Repository personal-remote]
remoteuser = user@domain.com
# Comment out or remove the `remotepass` line
# remotepass = password 
# Use remotepasseval instead:
remotepasseval = keyring.get_password('gmail', 'personal')

And create ~/.offlineimap.py by running:

$ echo import keyring >> ~/.offlineimap.py

By now offlineimap should be able to read password from keyring.

Retrieve password from msmtp

Msmtp can read password from any process's stdout. Open your ~/.msmtprc and edit it like this:

# Find the account section
account personal
# Again, comment out or remove the `password` line
# password PASSWORD
# Use passwordeval instead:
passwordeval python -c "import keyring; print(keyring.get_password('gmail', 'personal'))"

Easy, isn't it?

Note: msmtp supports reading from gnome-keyring natively. But we are not introducing how to do that here. It's not as portable as python-keyring. And it'd be a little more tedious to retrieve password from offlineimap.

Using the pass program

The pass password manager can be used to retrieve the password for your accounts. As an example for OfflineIMAP, you make the following changes (given that you have stored your work email password in work/email):

[general]
pythonfile = ~/.offlineimap.py

[Repository ...]
remotepasseval = subprocess.check_output(["pass", "show", "work/email"]).strip()

and create ~/.offlineimap.py:

$ echo import subprocess >> ~/.offlineimap.py

See also

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.