[Feature Request] Something like /usr/bin/security
I would love to be able to use 1Password on the command line and in scripts.
Apple's Keychain has a command line tool, /usr/bin/security, that can look up stuff in the keychain, and I'm suggesting you add a 1security command that works in a similar way.
From previous discussions I can see that you are somewhat reluctant to the idea of an API or a tool that can access the user's encrypted data. From what I can gather you are reluctant to do this because you do not want to expose a way to export all the user's encrypted data just because 1Password has been "unlocked".
When using /usr/bin/security to look up an entry in the keychain, you are asked whether to "Deny", "Allow once" or "Allow forever", and this prevents a malicious script from grabbing everything from the keychain without the user's knowledge.
So for each entry in the keychain there is an "access list" where you can see who has access to a given entry.
This model can be used by 1Password when implementing an API: an app that stores a password is given implicit access.
Other apps can ask for access and the user can then decide whether or not to give access.
On the command line I would like for you to take /usr/bin/security a step further, making it a bit more restrictive when accessing my encrypted data.
If I use /usr/bin/security to access an entry and give it "Allow forever" access, then any process can spawn /usr/bin/security while my keychain is unlocked and see my password, not quite what I want.
The step further I'm wanting you to add is including the parent process in the "grant", e.g. I give access to a password from a perl script by spawning 1security, then the grant becomes "Allow forever" for 1security via perl, or better yet 1security via my-script.pl.
This will allow me to keep all my passwords in 1Password and at the same time use them in scripts, Makefiles and other nerdy stuff like that.
Little Snitch does something similar when allowing outgoing network access: e.g.
action: allow
direction: outgoing
process: /Applications/iTerm.app/Contents/MacOS/iTerm2
via: /usr/local/Cellar/git/2.6.4/libexec/git-core/git-remote-https
owner: me
destination: github.com
port: 443
protocol: 6
help: On 28 Dec 2015, iTerm via git-remote-https tried to establish a connection to github.com on TCP port 443 (https). The request was allowed via connection alert.
What do you think?
--
Best regards,
David Jack Wange Olrik https://david.olrik.dk
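Added example, not part of the original post and not code from 1Password, Apple or Little Snitch: a small model of the grant scopes the post compares, an "Allow forever" grant for the tool alone versus one that also names the parent ("via perl") or the script ("via my-script.pl"). The 1security path, item names and script paths are hypothetical.

```python
from dataclasses import dataclass

ANY = "*"  # grant applies no matter which process spawned the tool


@dataclass(frozen=True)
class Grant:
    item: str        # stored entry the grant covers
    tool: str        # program allowed to read it
    via: str = ANY   # parent executable or script that must have spawned the tool


@dataclass(frozen=True)
class Request:
    item: str
    tool: str
    parent: str      # executable of the parent process, e.g. the interpreter
    script: str      # script the parent is running


def decide(grants, req):
    """Return 'allow' when a stored "Allow forever" grant covers req, else 'prompt'."""
    for g in grants:
        same_entry = (g.item, g.tool) == (req.item, req.tool)
        if same_entry and g.via in (ANY, req.parent, req.script):
            return "allow"
    return "prompt"  # fall back to asking: Deny / Allow once / Allow forever


# Constructed sample data; the tool path, item names and script paths are hypothetical.
TOOL, PERL = "/usr/local/bin/1security", "/usr/bin/perl"
REQUESTS = [
    Request("github-token", TOOL, PERL, "/Users/me/bin/my-script.pl"),
    Request("github-token", TOOL, PERL, "/tmp/other-script.pl"),
    Request("github-token", TOOL, "/bin/sh", "/tmp/job.sh"),
    Request("db-password", TOOL, PERL, "/Users/me/bin/my-script.pl"),
]
POLICIES = {
    "tool only": [Grant("github-token", TOOL)],
    "via perl": [Grant("github-token", TOOL, PERL)],
    "via my-script.pl": [Grant("github-token", TOOL, "/Users/me/bin/my-script.pl")],
}


def evaluate():
    """Decision for every sample request under each grant scope."""
    return {name: [decide(g, r) for r in REQUESTS] for name, g in POLICIES.items()}


if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(f"{name:18} {decisions}")
```

The narrower the "via" scope, the fewer callers inherit the grant: the tool-only grant answers every caller of the tool for that item, while the script-scoped grant answers only the one script.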
Comments
Hi @davidolrik,
Thanks for letting us know you would be interested in this. :)
We don't normally discuss future plans, but I can assure you that your voice is being heard. We have some ideas for secure ways to allow access to 1Password data from other apps, so it's great to know you would be excited if we rolled something like this out.
If we can be of further assistance in the meantime, please let us know. We are always here to help.
Cheers!