Image of the glider from the Game of Life by John Conway
Skip to content

Encrypt Your Irssi Config

Actually, this can work for any config that you want to encrypt. Because I'm such an IRC addict (admittidly), and use Irssi as my client of choice, AND the fact that others have asked me about it after blogging about encrypting your IMAP/SMTP passwords with Mutt, I figured this was an appropriate title.

The Problem
You are running Irssi on a shared shell provider. Many people also have logins to the provider. You worry that the administrators of the service could see your usernames and passwords in your software configs.

The Solution
In all reality, just don't put your login credentials in the configuration file, if the utility does not support encrypting them. Plain and simple. It sucks typing in your credentials every time you run the software, but it is the best solution. However, if you want the convenience of having your credentials automatically provided, yet you want them securely stored, then this may be the next best solution.

First, have the site administrator install the eCryptfs utilities:

% sudo aptitude install ecryptfs-utils

Now, create a private encrypted mount, mount it, move your Irssi config (or whatever) into the private directory, create a symlink, start the application, then unmount the encrypted mount:

% ecryptfs-setup-private
% ecryptfs-mount-private
% mkdir ~/Private/configs
% mv ~/.irssi/config ~/Private/configs/irssi-config
% ln -s ~/Private/config/irssi-config ~/.irssi/config
% irssi
% ecryptfs-umount-private

There are a few drawbacks to this setup, that you should be aware of. First, you won't be able to "/reload" or "/save" unless you remount the encrypted ~/.Private filesystem. Second, anything else that Irssi is doing, will not be encrypted on disk, such as autologging channels and queries. You could put those in the encrypted filesystem as well, but then you would not be able to unmount it. It would need to remain mounted, which means the site administrators would still be able to see the login credentials. Third, the encrypted filesystem in ~/.Private/ could be removed or corrupted by the site administrators (at which point, I would stop using the service). Regardless, you would be without an Irssi config entirely. Best to keep a backup.

Until Irssi provides a way to allow encrypting the server or NickServ passwords with GnuPG, OpenSSL, or some other utility, this seems to be the best way to do it.

{ 5 } Comments

  1. Dustin Kirkland | February 28, 2012 at 9:59 am | Permalink

    Very nice, Aaron. Thanks for the eCryptfs props 🙂


  2. Dustin Kirkland | February 28, 2012 at 10:03 am | Permalink

    BTW, there's a typo in your rune:

    -% encryptfs-mount-private
    +% ecryptfs-mount-private

  3. Aaron Toponce | February 28, 2012 at 12:00 pm | Permalink

    Fixed. Thanks for the diff.

  4. Richard | February 28, 2012 at 12:39 pm | Permalink

    A shared shell provider that lets you use aptitude to install packages? That strikes me as more of a security problem than plaintext IRC passwords. 😉

  5. Aaron Toponce | February 28, 2012 at 1:05 pm | Permalink

    Heh. Indeed. I'll modify the post a bit... 🙂

{ 1 } Trackback

  1. [...] Leave a Comment TrackBack URI [...]

    [WORDPRESS HASHCASH] The comment's server IP ( doesn't match the comment's URL host IP ( and so is spam.

Post a Comment

Your email is never published nor shared.