Add tip to set the key using a password manager #230
Conversation
| @@ -31,6 +31,10 @@ | |||
| ``` | |||
|
|
|||
| This will create a `.aicommits` file in your home directory. | |||
| > **Tip**: You might want to set your key using a password manager. | |||
| ```sh | |||
| export OPENAI_KEY=$(<your command to get the key>) | |||
There was a problem hiding this comment.
I'm not sure if exporting the key into the session is any more secure.
It exposes the key as an environment variable—which requires no privileges to access—to any process running in the same session.
Kind of defeats the point of using a password manager IMO.
There was a problem hiding this comment.
Well, I'm using pass to store only the openai api key, it's based on OpenPGP.
The first time I open a terminal, and every certain period of time, pgp ask me to type my password.
Without the password the key is not provided to the environment variable, I only type the password if I code.
I believe that's some layer of security but probably there are better options. What would you recommend instead?
There was a problem hiding this comment.
We could use the same approach in a more focused way, using a wrapper script, e.g. in ~/.local/bin/aicommits:
#!/usr/bin/env bash
export OPENAI_KEY="$(<your command to get the key>)"
exec /path/to/your/real/aicommits "$@"This means only aicommits will see this variable, not the other tools you run.
However, malicious processes could run pass themselves, within the time limit, to re-use the key you unlocked. (Or does this only work if they are running in the same desktop environment?)
Depending where we things the attack will come from, it might be safer to use ghaerdi's original approach, but with a shorter or immediate timeout.
I think it's a good idea add a tip on the README to set the key through a password manager for all my security-caring friends.
I commented about this on this #227 issue.