mvt-ios decrypt-backup: Enable pulling password from the environment.
Specifying the password on the command line with `--password XXX` leaves the password itself visible to any process on the machine which can scan the process table. On some systems (including common GNU/Linux distributions) this visibility is possible by default. This change should make it possible to offer the password without putting it into the process table; rather, the user puts the password in the environment, and specifies the name of the environment variable, like so:

```
$ export MVT_IOS_BACKUP_PASSWORD=WronglySconeRoundnessUnruffled
$ mvt-ios decrypt-backup -d /path/to/dest /path/to/data/XXXXXXXX-YYYYYYYYYYYYYYY/
$ unset MVT_IOS_BACKUP_PASSWORD
```

or you can do so using a prefixed env var, as described in the updated check.md documentation.
parent
d7f29a4e88
commit
53adc05338
|
@ -41,9 +41,10 @@ In case you have an encrypted backup, you will need to decrypt it first. This ca
|
||||||
-d, --destination TEXT Path to the folder where to store the decrypted
|
-d, --destination TEXT Path to the folder where to store the decrypted
|
||||||
backup [required]
|
backup [required]
|
||||||
|
|
||||||
-p, --password TEXT Password to use to decrypt the backup NOTE: This
|
-p, --password TEXT Password to use to decrypt the backup (or, set
|
||||||
argument is mutually exclusive with arguments:
|
MVT_IOS_BACKUP_PASSWORD environment variable)
|
||||||
[key_file].
|
NOTE: This argument is mutually exclusive with
|
||||||
|
arguments: [key_file].
|
||||||
|
|
||||||
-k, --key-file PATH File containing raw encryption key to use to decrypt
|
-k, --key-file PATH File containing raw encryption key to use to decrypt
|
||||||
the backup NOTE: This argument is mutually exclusive
|
the backup NOTE: This argument is mutually exclusive
|
||||||
|
@ -51,10 +52,10 @@ In case you have an encrypted backup, you will need to decrypt it first. This ca
|
||||||
|
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
|
||||||
You can specify either a password via command-line or pass a key file, and you need to specify a destination path where the decrypted backup will be stored. If `-p` is omitted, MVT will ask for a password. Following is an example usage of `decrypt-backup`:
|
You can specify the password in the environment variable `MVT_IOS_BACKUP_PASSWORD`, or via command-line argument, or you can pass a key file. You need to specify a destination path where the decrypted backup will be stored. If a password cannot be found and no key file is specified, MVT will ask for a password. Following is an example usage of `decrypt-backup` sending the password via an environment variable:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
mvt-ios decrypt-backup -p password -d /path/to/decrypted /path/to/backup
|
MVT_IOS_BACKUP_PASSWORD="mypassword" mvt-ios decrypt-backup -d /path/to/decrypted /path/to/backup
|
||||||
```
|
```
|
||||||
|
|
||||||
## Run `mvt-ios` on a Backup
|
## Run `mvt-ios` on a Backup
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
# https://github.com/mvt-project/mvt/blob/main/LICENSE
|
# https://github.com/mvt-project/mvt/blob/main/LICENSE
|
||||||
|
|
||||||
import errno
|
import errno
|
||||||
|
import getpass
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
|
@ -28,6 +29,8 @@ log = logging.getLogger(__name__)
|
||||||
# Help messages of repeating options.
|
# Help messages of repeating options.
|
||||||
OUTPUT_HELP_MESSAGE = "Specify a path to a folder where you want to store JSON results"
|
OUTPUT_HELP_MESSAGE = "Specify a path to a folder where you want to store JSON results"
|
||||||
|
|
||||||
|
# set this environment variable to a password if needed
|
||||||
|
PASSWD_ENV = 'MVT_IOS_BACKUP_PASSWORD'
|
||||||
|
|
||||||
#==============================================================================
|
#==============================================================================
|
||||||
# Main
|
# Main
|
||||||
|
@ -44,8 +47,7 @@ def cli():
|
||||||
@click.option("--destination", "-d", required=True,
|
@click.option("--destination", "-d", required=True,
|
||||||
help="Path to the folder where to store the decrypted backup")
|
help="Path to the folder where to store the decrypted backup")
|
||||||
@click.option("--password", "-p", cls=MutuallyExclusiveOption,
|
@click.option("--password", "-p", cls=MutuallyExclusiveOption,
|
||||||
help="Password to use to decrypt the backup",
|
help=f"Password to use to decrypt the backup (or, set {PASSWD_ENV} environment variable)",
|
||||||
prompt="Enter backup password", hide_input=True, prompt_required=False,
|
|
||||||
mutually_exclusive=["key_file"])
|
mutually_exclusive=["key_file"])
|
||||||
@click.option("--key-file", "-k", cls=MutuallyExclusiveOption,
|
@click.option("--key-file", "-k", cls=MutuallyExclusiveOption,
|
||||||
type=click.Path(exists=True),
|
type=click.Path(exists=True),
|
||||||
|
@ -55,13 +57,21 @@ def cli():
|
||||||
def decrypt_backup(destination, password, key_file, backup_path):
|
def decrypt_backup(destination, password, key_file, backup_path):
|
||||||
backup = DecryptBackup(backup_path, destination)
|
backup = DecryptBackup(backup_path, destination)
|
||||||
|
|
||||||
if password:
|
if key_file:
|
||||||
backup.decrypt_with_password(password)
|
if PASSWD_ENV in os.environ:
|
||||||
elif key_file:
|
log.warning(f"Ignoring {PASSWD_ENV} environment variable, using --key-file '{key_file}' instead")
|
||||||
backup.decrypt_with_key_file(key_file)
|
backup.decrypt_with_key_file(key_file)
|
||||||
|
elif password:
|
||||||
|
log.warning("Your password may be visible in the process table because it was supplied on the command line!")
|
||||||
|
if PASSWD_ENV in os.environ:
|
||||||
|
log.warning(f"Ignoring {PASSWD_ENV} environment variable, using --password argument instead")
|
||||||
|
backup.decrypt_with_password(password)
|
||||||
|
elif PASSWD_ENV in os.environ:
|
||||||
|
log.info(f"Using password from {PASSWD_ENV} environment variable")
|
||||||
|
backup.decrypt_with_password(os.environ[PASSWD_ENV])
|
||||||
else:
|
else:
|
||||||
raise click.ClickException("Missing required option. Specify either "
|
sekrit = getpass.getpass(prompt='Enter iOS backup password: ')
|
||||||
"--password or --key-file.")
|
backup.decrypt_with_password(sekrit)
|
||||||
|
|
||||||
backup.process_backup()
|
backup.process_backup()
|
||||||
|
|
||||||
|
|
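Review bot: The `elif PASSWD_ENV in os.environ:` branch in `decrypt_backup` tests only for presence, so a variable that is exported but empty is handed to `decrypt_with_password` as an empty password instead of falling through to the `getpass` prompt, while the `--password` branch above it tests truthiness. Reading the value once with `env_password = os.environ.get(PASSWD_ENV)` and branching on `elif env_password:` would make the two paths agree. The variable also stays in `os.environ` for the rest of the run, so any child process started later would inherit the password; whether `process_backup` starts one is not visible here, but `os.environ.pop(PASSWD_ENV, None)` after reading would rule it out. The decorators of `decrypt_backup` sit in the previous hunk, and the function may continue past the end of this one.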