https://github.com/anki-code/xontrib-history-encrypt

🔐 The xonsh shell history backend that encrypt the commands history file to prevent leaking sensitive data.
https://github.com/anki-code/xontrib-history-encrypt

command-history encryption security-tools shell shell-history xonsh xontrib

Last synced: about 2 months ago
JSON representation

🔐 The xonsh shell history backend that encrypt the commands history file to prevent leaking sensitive data.

• Host: GitHub
• URL: https://github.com/anki-code/xontrib-history-encrypt
• Owner: anki-code
• License: mit
• Created: 2021-02-24T16:29:18.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2023-02-16T15:21:52.000Z (over 1 year ago)
• Last Synced: 2024-07-28T17:13:11.248Z (about 2 months ago)
• Topics: command-history, encryption, security-tools, shell, shell-history, xonsh, xontrib
• Language: Python
• Homepage:
• Size: 55.7 KB
• Stars: 18
• Watchers: 1
• Forks: 1
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

• awesome-xontribs - history_encrypt - History backend that encrypt the xonsh shell commands history to prevent leaking sensitive data. (Plugins / History backends)

README

        


The xonsh shell history backend that encrypt the commands history file
 to prevent leaking sensitive data. 









  

If you like the idea click ⭐ on the repo and tweet.



## Installation

To install use pip:

```bash

xpip install xontrib-history-encrypt

# or: xpip install -U git+https://github.com/anki-code/xontrib-history-encrypt

```

## Usage: supported encryption

### Base64 (default)

*Protection level: no protection.*

Base64 is not the real encrypter and implemented as fast way to encode history file and for education reasons.

It can save you from the massive scanning the file system for keywords (i.e. password, key) 

as well as reading the history file by not experienced user. But it can be decoded in five minutes by the professional.

```python

# Add to xonsh RC file

$XONSH_HISTORY_ENCRYPTOR = 'base64'

xontrib load history_encrypt

```

### Fernet 

*Protection level: high.*

The implementation of [Fernet](https://cryptography.io/en/latest/fernet.html) (AES CBC + HMAC) that was strongly 

recommended on [stackoverflow](https://stackoverflow.com/a/55147077). On first start it generates a key that you 

should save in secure place. Than you can use this key to decrypt the history.

```python

# Add to xonsh RC file

$XONSH_HISTORY_ENCRYPTOR = 'fernet'

xontrib load history_encrypt

```

### Dummy

*Protection level: super high.*

The best encryption of the data when there is no the data. The dummy encryptor stores command only in the memory during 

the session without saving it on the disk. After the end of the session the commands will be lost.

```python

# Add to xonsh RC file

$XONSH_HISTORY_ENCRYPTOR = 'dummy'

xontrib load history_encrypt

```

### Custom 

*Protection level: all in your hands.*

To create custom encryptor you should implement three functions: key getter function, encryptor and decryptor.

```python

# Add to xonsh RC file

$XONSH_HISTORY_ENCRYPTOR = {

  'key': lambda: input('[xontrib-history-encrypt] Enter any key just for fun: '),

  'enc': lambda data, key=None: data[::-1], # just flip the string

  'dec': lambda data, key=None: data[::-1]  # flip the string back

}

xontrib load history_encrypt

```

After debugging you can add your encryptor to the `history_encrypt` directory of the xontrib by PR.

## Common use case

1. You're on the public/shared/opened server where you have xonsh and bash.

2. Install the xontrib and create your RC-file from bash:

    ```python

    pip install xontrib-history-encrypt

    mkdir -p ~/.local/share/xonsh/

    echo -e '$XONSH_HISTORY_ENCRYPTOR = "fernet"\nxontrib load history_encrypt' > ~/.local/share/xonsh/rc

    ```

3. Run xonsh with RC-file then get the key and remember the key:

    ```python

    xonsh --rc ~/.local/share/xonsh/rc

    # Enter the key or press enter to create new: 

    # Save the key and use it next time: CFB5kAfD3BgdpQHJxmKb

    ```

4. Next time run xonsh with RC and key:

    ```python

    xonsh --rc ~/.local/share/xonsh/rc

    # Enter the key or press enter to create new: CFB5kAfD3BgdpQHJxmKb

    ```

## What should I know?

### How to check the backend is working

```bash

history info

# backend: xontrib-history-encrypt

# sessionid: 374eedc9-fc94-4d27-9ab7-ebd5a5c87d12

# filename: /home/user/.local/share/xonsh/xonsh-history-encrypt.txt

# commands: 1

```

### Some points about the backend

* At start the backend read and decrypt all commands and this could take time. Basically we assume that you will use the xontrib on your servers and haven't so big history.

* The commands are stored in the memory and flush to the disk at the exit from the shell. If the shell has crash there is no flushing to the disk and commands will be lost. Use `history flush` command if you plan to run something experimental.

* The backend has minimal history management support in comparing with json or sqlite backends and you can find the lack of features.

If you want to improve something from the list PRs are welcome!

## Credits

* This package is the part of [ergopack](https://github.com/anki-code/xontrib-ergopack) - the pack of ergonomic xontribs.

* This package was created with [xontrib cookiecutter template](https://github.com/xonsh/xontrib-cookiecutter).