Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tip to set the key using a password manager #230

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

ghaerdi
Copy link

@ghaerdi ghaerdi commented Jul 12, 2023

I think it's a good idea add a tip on the README to set the key through a password manager for all my security-caring friends.
I commented about this on this #227 issue.

@@ -31,6 +31,10 @@
```

This will create a `.aicommits` file in your home directory.
> **Tip**: You might want to set your key using a password manager.
```sh
export OPENAI_KEY=$(<your command to get the key>)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if exporting the key into the session is any more secure.

It exposes the key as an environment variable—which requires no privileges to access—to any process running in the same session.

Kind of defeats the point of using a password manager IMO.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I'm using pass to store only the openai api key, it's based on OpenPGP.
The first time I open a terminal, and every certain period of time, pgp ask me to type my password.
Without the password the key is not provided to the environment variable, I only type the password if I code.
I believe that's some layer of security but probably there are better options. What would you recommend instead?

Copy link

@joeytwiddle joeytwiddle Aug 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could use the same approach in a more focused way, using a wrapper script, e.g. in ~/.local/bin/aicommits:

#!/usr/bin/env bash

export OPENAI_KEY="$(<your command to get the key>)"

exec /path/to/your/real/aicommits "$@"

This means only aicommits will see this variable, not the other tools you run.

However, malicious processes could run pass themselves, within the time limit, to re-use the key you unlocked. (Or does this only work if they are running in the same desktop environment?)

Depending where we things the attack will come from, it might be safer to use ghaerdi's original approach, but with a shorter or immediate timeout.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants