Hi,
gem basically stores it's credentials just in plaintext in ~/.local/share/gem/credentials. This is not quite a good protection.
Nowadays, it is state of the art to use more modern authentication methods like 2FA, or at least store credentials in a password manager like those provided by modern Linux desktops or keepass, or even systemd itself (see man systemd-creds), optionally using the TPM to encrypt credentials. All these password managers do provide commands to read from the encrypted password storage, and some do require active user confirmation.
Therefore, it should be possible to instead of writing the credential as plaintext into this file, to configure some arbitrary command which is run and the credential is read from it's stdout, like e.g.
- systemd-creds decrypt
- gpg
- keepassxc-cli
- kwallet-query
regards
Hadmut
Hi,
gem basically stores it's credentials just in plaintext in ~/.local/share/gem/credentials. This is not quite a good protection.
Nowadays, it is state of the art to use more modern authentication methods like 2FA, or at least store credentials in a password manager like those provided by modern Linux desktops or keepass, or even systemd itself (see man systemd-creds), optionally using the TPM to encrypt credentials. All these password managers do provide commands to read from the encrypted password storage, and some do require active user confirmation.
Therefore, it should be possible to instead of writing the credential as plaintext into this file, to configure some arbitrary command which is run and the credential is read from it's stdout, like e.g.
regards
Hadmut