Image of the glider from the Game of Life by John Conway
Skip to content
{ 2012 02 28 }

Encrypt Your Irssi Config

Actually, this can work for any config that you want to encrypt. Because I'm such an IRC addict (admittidly), and use Irssi as my client of choice, AND the fact that others have asked me about it after blogging about encrypting your IMAP/SMTP passwords with Mutt, I figured this was an appropriate title.

The Problem
You are running Irssi on a shared shell provider. Many people also have logins to the provider. You worry that the administrators of the service could see your usernames and passwords in your software configs.

The Solution
In all reality, just don't put your login credentials in the configuration file, if the utility does not support encrypting them. Plain and simple. It sucks typing in your credentials every time you run the software, but it is the best solution. However, if you want the convenience of having your credentials automatically provided, yet you want them securely stored, then this may be the next best solution.

First, have the site administrator install the eCryptfs utilities:

% sudo aptitude install ecryptfs-utils

Now, create a private encrypted mount, mount it, move your Irssi config (or whatever) into the private directory, create a symlink, start the application, then unmount the encrypted mount:

% ecryptfs-setup-private
% ecryptfs-mount-private
% mkdir ~/Private/configs
% mv ~/.irssi/config ~/Private/configs/irssi-config
% ln -s ~/Private/config/irssi-config ~/.irssi/config
% irssi
% ecryptfs-umount-private

There are a few drawbacks to this setup, that you should be aware of. First, you won't be able to "/reload" or "/save" unless you remount the encrypted ~/.Private filesystem. Second, anything else that Irssi is doing, will not be encrypted on disk, such as autologging channels and queries. You could put those in the encrypted filesystem as well, but then you would not be able to unmount it. It would need to remain mounted, which means the site administrators would still be able to see the login credentials. Third, the encrypted filesystem in ~/.Private/ could be removed or corrupted by the site administrators (at which point, I would stop using the service). Regardless, you would be without an Irssi config entirely. Best to keep a backup.

Until Irssi provides a way to allow encrypting the server or NickServ passwords with GnuPG, OpenSSL, or some other utility, this seems to be the best way to do it.

Posted by Aaron Toponce on Tuesday, February 28, 2012, at 7:28 am. Filed under irssi, Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. For IM, Email or Microblogs, here is the Shortlink.

{ 5 } Comments