- Do not store the secret in plain text (blocked by #3)
- Ask if the user wants to delete the QR code, as it is not a good idea to leave a QR code from which the secret can be extracted (blocked by #11)
- The root user can use strace to read the user secret using a script like

  ~~~
  #!/bin/bash
  # hack user secret
  while (true); do
      pid=$(ps aux | grep -i otpgen/otpgen.sh | grep -iv grep | awk '{print $2}')
      if [ -z "$pid" ]; then
          continue
      else
          break
      fi
  done
  strace -ttTvf -s 1024 -o /tmp/strace -p "$pid"
  ~~~

- The only option is to use **shc** to create an encrypted binary; this can be generated during installation and re-generated during clean-install.
- There should also be an easy option to re-generate the binary, either if the user makes any changes or if the script is updated.
blocked by [RFE][otpgen.sh] encrypt the secret instead of plain text file. #3
blocked by [otpgen.sh]check if user wants to delete the image after key added successfully #11
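One defensive check that fits the strace concern above, written here as an added example (it is not code from otpgen.sh): read the `TracerPid` field of the script's own `/proc/$$/status` and refuse to decrypt the secret while a ptrace tracer is attached. `ENCRYPTED_SECRET_FILE` and the commented-out gpg call are placeholders for whatever decryption step the shc/encryption work settles on.

```shell
#!/bin/bash
# Added example, not part of otpgen.sh. Assumes a Linux /proc filesystem.
# The status-file argument lets the parser run against a constructed file.

# Print the TracerPid of a /proc/<pid>/status file (0 = no tracer attached).
# A missing or unreadable file is reported as 0 (unknown, treated as untraced).
tracer_pid_from_status() {
    local status_file="${1:-/proc/$$/status}"
    local pid
    pid=$(awk '/^TracerPid:/ { print $2 }' "$status_file" 2>/dev/null || true)
    printf '%s\n' "${pid:-0}"
}

# Return 0 (true) when this shell process is currently being traced.
# $$ is the main script's PID even inside $(...), so a tracer on the script
# itself is seen regardless of whether it follows forks (strace -f).
being_traced() {
    [ "$(tracer_pid_from_status "/proc/$$/status")" != "0" ]
}

# Guarded decryption: bail out before the secret appears as a syscall
# argument that an attached tracer could capture.
decrypt_secret_guarded() {
    if being_traced; then
        echo "otpgen: tracer pid $(tracer_pid_from_status) attached, refusing to decrypt" >&2
        return 1
    fi
    # gpg --quiet --decrypt "${ENCRYPTED_SECRET_FILE:?set to the encrypted secret path}"
    return 0
}

decrypt_secret_guarded && echo "no tracer attached, safe to decrypt"
```

This only catches a tracer that is already attached when the check runs; a root user who attaches afterwards is not detected, so it complements the shc/encryption work rather than replacing it.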