<feed xmlns='http://www.w3.org/2005/Atom'>
<title>npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-cli-mirror/src/key_handling/encryption.rs, branch v0.1.1</title>
<subtitle>Personal mirror of DanConwayDev/ngit-cli on git.upleb.uk
</subtitle>
<id>https://upleb.uk/npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-cli-mirror/atom?h=v0.1.1</id>
<link rel='self' href='https://upleb.uk/npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-cli-mirror/atom?h=v0.1.1'/>
<link rel='alternate' type='text/html' href='https://upleb.uk/npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-cli-mirror/'/>
<updated>2023-09-01T00:00:00+00:00</updated>
<entry>
<title>feat(login) password login using encrypted nsec</title>
<updated>2023-09-01T00:00:00+00:00</updated>
<author>
<name>DanConwayDev</name>
<email>DanConwayDev@protonmail.com</email>
</author>
<published>2023-09-01T00:00:00+00:00</published>
<link rel='alternate' type='text/html' href='https://upleb.uk/npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-cli-mirror/commit/?id=96660a90e4cd296a2922d7a547de4cd9d0b1928b'/>
<id>urn:sha1:96660a90e4cd296a2922d7a547de4cd9d0b1928b</id>
<content type='text'>
Enables the user to only handle the nsec upon first use of the tool
by encrypting it with a password and storing it on disk in an
application cache.

The approach to encryption draws heavily from that used by the gossip
nostr client.
 - unencrypted nsec is zeroed from memory
 - a salt is used to defend against rainbow tables
 - computationally expensive key stretching defends against
   brute-force attacks of passwords with low entropy.

There is a UX trade-off between decryption speed and key-stretching
computation. This UX challenge is exacerbated in a cli tool as
decryption must take place more regularly. Thought was put into the
selected n_log and a heavily reduced value is provided for long
passwords where security benefits are smaller.

A more granular reduction in computation was also considered but
rejected to avoid revealing just how weak a password is, as most
weak passwords are reused.
</content>
</entry>
</feed>
