FOLDER_PASSWORD environment variable for decrypt functions

I’m thinking of a slight improvement to the decrypt feature documentation.

The documentation says here:

Folder password for decryption / verification. Can be passed through the FOLDER_PASSWORD environment variable instead to avoid recording in a shell’s history buffer or sniffing from the running processes list.

But the “avoid recording in a shell’s history buffer” doesn’t happen automatically.

Indeed the password will be recorded in the history buffer and on disk in .bash_history if the user doesn’t specifically run a few more bash commands, namely:

export HISTCONTROL=ignorespace

And then run the export command with a space in front:

 export FOLDER_PASSWORD='passwordhere'

Only then will the export command with the password not be stored in the history buffer, which can be verified with (show the last 10 commands):

history 10

Otherwise, it will be stored in the history buffer and on disk in .bash_history.

Perhaps we could update the text to:

Folder password for decryption / verification. Can be passed through the FOLDER_PASSWORD environment variable instead to avoid recording in a shell’s history buffer (please read about histcontrol=ignorespace to hide from history buffer) or sniffing from the running processes list.

1 Like

It depends on the OS distribution, some do configure HISTCONTROL to include ignorespace by default.

Another option is this:

unset HISTFILE
export FOLDER_PASSWORD='passwordhere'

Command history will still be in the memory buffer, but it won’t be saved to disk when the current shell session exits. It avoids the need to remember to prepend a space for any follow-up commands that might include sensitive info.

Unfortunately it’s dependent on the shell environment (not all have a HISTCONTROL setting), and generally only applicable to Unix and Unix-like OSes so it might be confusing (especially to Windows users).

2 Likes

Using the environment variable in this way doesn’t give any security advantage. You should initialize it without writing the password on the command line at all. For example with the backtick operator:

FOLDER_PASSWORD=`some-password-entry-program` syncthing decrypt ... 

That’s what the ssh-askpass program is made for, among others.

2 Likes