Folder password for decryption / verification. Can be passed through the FOLDER_PASSWORD environment variable instead to avoid recording in a shell’s history buffer or sniffing from the running processes list.
But the “avoid recording in a shell’s history buffer” doesn’t happen automatically.
Indeed, the password will be recorded in the history buffer and on disk in .bash_history if the user doesn’t specifically run a few more bash commands, namely:
export HISTCONTROL=ignorespace
And then run the export command with a space in front:
 export FOLDER_PASSWORD='passwordhere'
Only then will the export command with the password not be stored in the history buffer, which can be verified with (show the last 10 commands):
history 10
Otherwise, it will be stored in the history buffer and on disk in .bash_history.
Perhaps we could update the text to:
Folder password for decryption / verification. Can be passed through the FOLDER_PASSWORD environment variable instead to avoid recording in a shell’s history buffer (please read about HISTCONTROL=ignorespace to hide it from the history buffer) or sniffing from the running processes list.
Command history will still be in the memory buffer, but it won’t be saved to disk when the current shell session exits. It avoids the need to remember to prepend a space for any follow-up commands that might include sensitive info.
Unfortunately it’s dependent on the shell environment (not all have a HISTCONTROL setting), and generally only applicable to Unix and Unix-like OSes so it might be confusing (especially to Windows users).
Using the environment variable in this way doesn’t give any security advantage. You should initialize it without writing the password on the command line at all. For example, with the backtick operator:
As a thought, what if syncthing decrypt read the password from stdin by itself? Wouldn’t that solve the problem of the password being saved to the bash/zsh history?
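The pattern the thread converges on (the first post's history-file concern, and the later suggestion to set the variable via command substitution rather than a literal on the command line), as an added POSIX shell example that is not from the Syncthing documentation or from any poster: read the password with terminal echo off and capture it with "$(...)" so the value never appears in a command line, and check a history file for the literal. The sample history file is constructed for the demo, the function names are the example's own, and `syncthing decrypt` appears only in a comment with no flags assumed.

```shell
#!/bin/sh
# Added example, not Syncthing's code: keep FOLDER_PASSWORD out of shell history
# and out of the process argument list.
#
# Interactive usage:
#   export FOLDER_PASSWORD="$(read_secret)"   # value never typed on the command line
#   syncthing decrypt <args>                  # reads FOLDER_PASSWORD from the environment
#
# read_secret [PROMPT]: read one line without echoing it and print it to stdout,
# so the caller captures it with "$(...)" instead of typing it as an argument.
read_secret() {
  _prompt=${1:-"Folder password: "}
  if [ -t 0 ]; then
    # Terminal: prompt on stderr, disable echo, restore the tty even on Ctrl-C.
    printf '%s' "$_prompt" >&2
    _saved=$(stty -g)
    trap 'stty "$_saved"; trap - INT TERM' INT TERM
    stty -echo
    IFS= read -r _secret
    stty "$_saved"
    trap - INT TERM
    printf '\n' >&2
  else
    # Non-interactive (pipe, redirect, CI secret file): just read the line.
    IFS= read -r _secret
  fi
  printf '%s' "$_secret"
}

# history_leaks FILE SECRET: exit 0 when SECRET appears verbatim in FILE
# (e.g. ~/.bash_history or ~/.zsh_history), i.e. the password was typed inline.
history_leaks() {
  [ -f "$1" ] && grep -qF -- "$2" "$1"
}

# argv_leaks SECRET: exit 0 when some running process carries SECRET in its
# argument list, which any local user can read with ps. Environment variables
# are not listed by ps (on Linux they sit in /proc/PID/environ, readable only by
# the process owner and root), which is why the env var is the lesser exposure.
argv_leaks() {
  ps -e -o args= 2>/dev/null | grep -qF -- "$1"
}

# make_sample_history FILE: constructed history file (not a real capture) showing
# that HISTCONTROL=ignorespace alone does nothing for a line with no leading
# space, while the command-substitution form records no secret at all.
make_sample_history() {
  cat >"$1" <<'EOF'
export HISTCONTROL=ignorespace
export FOLDER_PASSWORD='hunter2'
export FOLDER_PASSWORD="$(read_secret)"
EOF
}

demo() {
  _f=$(mktemp)
  make_sample_history "$_f"
  if history_leaks "$_f" hunter2; then
    echo "constructed history file contains the literal password"
  fi
  # Piped here so the demo runs unattended; at a terminal read_secret prompts.
  FOLDER_PASSWORD=$(printf 'hunter2\n' | read_secret)
  export FOLDER_PASSWORD
  if ! argv_leaks hunter2; then
    echo "no process shows the password in its argument list"
  fi
  rm -f "$_f"
}

[ "${1-}" = demo ] && demo
```

Run it as `sh script.sh demo` to see both checks; in a real session use only the `export FOLDER_PASSWORD="$(read_secret)"` line. Because the secret is consumed by `read` rather than parsed from the command line, neither HISTCONTROL nor a leading space is needed for that line, and the same function works in bash, zsh, dash and BusyBox sh.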