[Feature Request] Something like /usr/bin/security

davidolrik
Community Member

I would love to be able to use 1Password on the command line and in scripts.

Apple's Keychain has a command line tool /usr/bin/security that can look up stuff in the keychain, and I'm suggesting you add a 1security command that works in a similar way.

From previous discussions I can see that you are somewhat reluctant about the idea of an API or a tool that can access the user's encrypted data. From what I can gather you are reluctant to do this because you do not want to expose a way to export all the user's encrypted data just because 1Password has been "unlocked".

When using /usr/bin/security to look up an entry in the keychain, you are asked whether to "Deny", "Allow once" or "Allow forever", and this prevents a malicious script from grabbing everything from the keychain without the user's knowledge.

So for each entry in the keychain there is an "access list" where you can see who has access to a given entry.

This model can be used by 1Password when implementing an API: an app that stores a password is given implicit access.
Other apps can ask for access and the user can then decide whether or not to give access.

On the command line I would like for you to take /usr/bin/security a step further, making it a bit more restrictive when accessing my encrypted data.

If I use /usr/bin/security to access an entry and give it "Allow forever" access, then any process can spawn /usr/bin/security while my keychain is unlocked and see my password, not quite what I want.

The step further I'm wanting you to add is including the parent process in the "grant", e.g. I give access to a password from a perl script by spawning 1security then the grant becomes "Allow forever" for 1security via perl, or better yet 1security via my-script.pl.

This will allow me to keep all my passwords in 1Password and at the same time use them in scripts, Makefiles and other nerdy stuff like that.

Little Snitch does something similar when allowing outgoing network access: e.g.

action: allow
direction: outgoing
process: /Applications/iTerm.app/Contents/MacOS/iTerm2
via: /usr/local/Cellar/git/2.6.4/libexec/git-core/git-remote-https
owner: me
destination: github.com
port: 443
protocol: 6
help: On 28 Dec 2015, iTerm via git-remote-https tried to establish a connection to github.com on TCP port 443 (https). The request was allowed via connection alert.

What do you think?

--
Best regards,
David Jack Wange Olrik https://david.olrik.dk


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
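The access-list model proposed in the post, as an added illustration that is not part of the original post and not code from 1Password or Apple's security(1): each grant records the tool that reads an entry and the parent process it was spawned from, so an "Allow forever" given to 1security via my-script.pl does not carry over to 1security spawned by anything else. The tool path, script paths, entry names and secret are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"

# Hypothetical paths, constructed for this example.
TOOL = "/usr/local/bin/1security"
SCRIPT = "/Users/me/bin/my-script.pl"
OTHER = "/tmp/some-other-script.sh"


@dataclass(frozen=True)
class Grant:
    """One access-list line for an entry."""
    tool: str            # the executable that reads the entry
    via: Optional[str]   # parent that spawned it; None = any parent (plain security(1) style)
    allow: bool          # True = remembered "Allow", False = remembered "Deny"


@dataclass
class Entry:
    name: str
    secret: str
    acl: list = field(default_factory=list)


def matches(grant: Grant, chain: list) -> bool:
    """chain[0] is the requesting executable, chain[1] its parent."""
    if not chain or grant.tool != chain[0]:
        return False
    if grant.via is None:
        return True                      # unscoped grant: any spawner counts
    return len(chain) > 1 and chain[1] == grant.via


def decide(entry: Entry, chain: list) -> str:
    """Consult the access list; PROMPT means the user must be asked."""
    for grant in entry.acl:
        if matches(grant, chain):
            return ALLOW if grant.allow else DENY
    return PROMPT


def answer_prompt(entry: Entry, chain: list, answer: str, scoped: bool = True) -> str:
    """Apply the user's answer. "once" and "deny" leave no trace; "forever" and
    "never" record a grant, scoped to the parent process when scoped=True."""
    via = chain[1] if (scoped and len(chain) > 1) else None
    if answer == "once":
        return ALLOW
    if answer == "deny":
        return DENY
    if answer == "forever":
        entry.acl.append(Grant(chain[0], via, True))
        return ALLOW
    if answer == "never":
        entry.acl.append(Grant(chain[0], via, False))
        return DENY
    raise ValueError(f"unknown answer {answer!r}")


def lookup(entry: Entry, chain: list, answer: str = "deny", scoped: bool = True):
    """Return the secret only when the decision is ALLOW; a prompt is resolved
    with `answer` (standing in for the dialog the user would see)."""
    decision = decide(entry, chain)
    if decision == PROMPT:
        decision = answer_prompt(entry, chain, answer, scoped)
    return entry.secret if decision == ALLOW else None


def demo() -> dict:
    """Walk through the post's scenario with constructed data."""
    scoped = Entry("github.com", "token-CONSTRUCTED")
    results = {}
    # First use from my-script.pl: prompt, user picks "Allow forever".
    results["first"] = lookup(scoped, [TOOL, SCRIPT], answer="forever")
    # Same tool, same parent: silently allowed from now on.
    results["repeat"] = decide(scoped, [TOOL, SCRIPT])
    # Same tool spawned by something else: the grant does not carry over.
    results["other_parent"] = decide(scoped, [TOOL, OTHER])
    # For contrast, a security(1)-style unscoped grant lets any parent in.
    unscoped = Entry("github.com", "token-CONSTRUCTED")
    lookup(unscoped, [TOOL, SCRIPT], answer="forever", scoped=False)
    results["unscoped_other_parent"] = decide(unscoped, [TOOL, OTHER])
    # A remembered "never" also stays scoped to the spawning process.
    results["never"] = lookup(scoped, [TOOL, OTHER], answer="never")
    results["never_repeat"] = decide(scoped, [TOOL, OTHER])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The `scoped=False` path reproduces the behaviour the post objects to: once the unscoped grant exists, any process that can spawn the tool while the store is unlocked gets the secret without a prompt. With `scoped=True` the same request from a different parent falls back to a prompt, which is the extra restriction the post asks for. A real implementation would have to obtain the parent chain from the OS rather than trust the caller to supply it, and would want to pin the parent by something stronger than its path (such as its code signature), since the path alone is what a hostile process would copy.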

Comments

  • khad
    1Password Alumni

    Hi @davidolrik,

    Thanks for letting us know you would be interested in this. :)

    We don't normally discuss future plans, but I can assure you that your voice is being heard. We have some ideas for secure ways to allow access to 1Password data from other apps, so it's great to know you would be excited if we rolled something like this out.

    If we can be of further assistance in the meantime, please let us know. We are always here to help.

    Cheers!
