
[bug-recutils] First Feedback to encryption feature


From: Sven Wick
Subject: [bug-recutils] First Feedback to encryption feature
Date: Fri, 07 Oct 2011 00:21:34 +0200
User-agent: RoundCube Webmail/0.2.2

Hi Jose,

just tried the encryption feature
and I really like it. Just simple :-)

Here are some points I noticed.

1) recsel --help typo

   -s      encrypt confidential fields with the given password

Should say "decrypt"

2) recins silently ignores password

   $ recins -f user -v swick -f password -v topsecret -s password secrets.rec

The record is silently inserted but not encrypted
because I didn't define the record type ( -t passwords )
which includes the confidential field.

   $ recins -t passwords -f user -v swick -f password -v topsecret -s password secrets.rec

A warning message would be nice:

  "A password string for encryption was given,
   but there is no confidential field
   in the record descriptor"


3) recfix stacks XORs

Let's say I have this little rec file:

  %rec: passwords
  %confidential: password

  username: swick
  password: topsecret

Doing a

 $ recfix --encrypt -s mypassword secrets.rec

fixes un-encrypted records as designed:

  %rec: passwords
  %confidential: password

  username: swick
  password: encrypted-abcdefgh==

Now I add a new record manually with vim (or emacs :-) ) :

  %rec: passwords
  %confidential: password

  username: swick
  password: encrypted-abcdefgh==

  username: ballmer
  password: I-Love-GNU

If I now forget to "--decrypt" first,
then the first password value gets XOR-ed twice:

  %rec: passwords
  %confidential: password

  username: swick
  password: encrypted-aGhghgf54JHjhghgfHFggfdGDFSD==

  username: ballmer
  password: encrypted-ijklmno==


Maybe checking first for any encrypted data
and a warning message would be helpful.
Something like:

 The file contains encrypted data.
 Please "--decrypt" first.

By giving the hint to decrypt first,
this also ensures that the same password
string is used on subsequent encryptions.

Cheers,
Sven
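
The pre-checks suggested in points 2 and 3, sketched as an added example that is not part of the message above and is not recutils code. The function names `audit` and `precheck_encrypt` are hypothetical, the parser is simplified (comments and continuation lines are skipped), and the `encrypted-` prefix is taken from the sample output in the report.

```python
import re

ENCRYPTED_PREFIX = "encrypted-"  # marker shown in the report's sample output
# Constructed sample: the mixed-state file from point 3 of the report.
SAMPLE = """\
%rec: passwords
%confidential: password

username: swick
password: encrypted-abcdefgh==

username: ballmer
password: I-Love-GNU
"""

FIELD = re.compile(r"^(%?[A-Za-z][A-Za-z0-9_]*):\s?(.*)$")


def audit(text):
    """Classify every confidential field value as encrypted or plaintext."""
    rec_type, confidential = None, set()
    findings = []  # (line_no, record_type, field, state)
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FIELD.match(line)
        if not m:
            continue  # blank lines, comments, continuation lines
        name, value = m.groups()
        if name == "%rec":  # new descriptor: reset the confidential field list
            rec_type, confidential = (value.split() or [None])[0], set()
        elif name == "%confidential":
            confidential.update(value.split())
        elif name in confidential:
            state = "encrypted" if value.startswith(ENCRYPTED_PREFIX) else "plaintext"
            findings.append((line_no, rec_type, name, state))
    return findings


def precheck_encrypt(text):
    """Return warnings that should block a blind `recfix --encrypt` run."""
    findings, warnings = audit(text), []
    if not findings:
        warnings.append("password given, but no confidential field values found")
    if any(state == "encrypted" for *_, state in findings):
        warnings.append('file contains encrypted data; "--decrypt" first')
    return warnings


if __name__ == "__main__":
    print(audit(SAMPLE), precheck_encrypt(SAMPLE))
```

The `plaintext` findings are also useful on their own: they list the confidential values that are still stored in the clear after a manual edit.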


