💾 Archived View for remyabel.flounder.online › 2019-12-30-more-caveats.gmi captured on 2023-09-08 at 16:09:06. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Rather than use an environment variable or store my password in a permissioned file, I decided to store them in Seahorse (GNOME keyring). In doing so, I decided to make the keyring password separate from my login password for slightly extra security at the cost of convenience. It occurred to me that I should probably also change the existing password entries because an attacker with my old password can unlock the keyring. This was a mistake.
Currently, Borg recommends you create passwords using the following command:
head -c 1024 /dev/urandom | base64
By default, this emits newlines in the base64 output. This can make dealing with the password *a major pain in the ass* as different applications may deal with the newlines in different ways. After changing my passphrase I could not figure out how to get Borg to accept the new passphrase. I deleted my existing backups.
The solution is either to pass `--wrap=0` or use a shorter passphrase. The developer considers 32 bytes instead of 1024 to be sufficient. However, next time I should just generate the passphrase with my password manager.
When dealing with the keyring, I made a couple of key errors due to sloppiness and sleep deprivation:
My tired brain somehow thought that changing the label would be sufficient. Instead this changed the label of the existing entry. IMO, the CLI for `secret-tool` is a little lacking and could use some UX improvements to prevent this kind of mistake.