
I have several directories on my Mac; the two most common examples are:

  • ~/.aws
  • ~/.ssh

They can be read by any script file or third-party app on the system.

I do not see a way to protect them in macOS (or in Linux). Mechanisms to protect such directories do exist: macOS blocks third-party access to the files of iMessage, Mail and Contacts, which are located under the home directory.

The contents of these directories are very sensitive and secret, and should not even be listable by any third-party app. The ~/.ssh/config file contains sensitive usernames and IP addresses, and must not be readable without user authentication. I assume Terminal should actually ask for a password before it is able to use a certain SSH configuration.

What are practical solutions for such hardening?

UPDATE

Logging in is not authentication for sensitive data that is used once a day to deploy a secure app update with private keys and signatures. This question is about hardening, about adding malware protection that works while the user is logged in.

I am looking for the same security as gpg's protection via the keychain, but without the keychain.

Croll
  • As for your update: why not just use `gpg` then? Would that not meet your needs? – schroeder Mar 05 '19 at 10:47
  • Fully described situation, and it is reasonable to look for hardened security of these files if you work in an environment that you cannot "trust" (this is what hardening is about) – Croll Mar 05 '19 at 11:26
  • If we know why gpg does not meet your needs, then we can be better equipped not to suggest something that has the same weakness as gpg. – schroeder Mar 05 '19 at 11:28
  • Because the .aws/credentials file is read by the AWS client SDK with filesystem calls, not gpg or keychain calls. Same with .ssh/config. Both examples contain secrets of the highest possible level. – Croll Mar 05 '19 at 11:29
  • But then you could simply decrypt when you need to access those files. You said you do not need access to them except rarely. A bash script could take care of this for you (decrypt, call AWS client, re-encrypt when finished). – schroeder Mar 05 '19 at 11:31
  • True. But there is a desire to have everything in a common pattern or open standard, if there is one for this situation. Like with the keychain, and I don't see a way to integrate the AWS SDK (awscli tool) or ssh with the keychain. – Croll Mar 05 '19 at 11:33
  • Ah! Then that is an important requirement in your question. You want a built-in solution in these OS's. A home-grown script does not meet your needs. Is that right? – schroeder Mar 05 '19 at 11:35
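The comments above converge on "decrypt with gpg only when needed, and never leave the plaintext on disk". The AWS CLI and SDKs already have a hook for exactly that: a `credential_process` entry in `~/.aws/config` runs an external program and reads the credentials from its stdout as JSON, so the encrypted file is only opened (and the passphrase only asked for) at the moment a command needs it. The script below is an added example, not code from the original post or from any commenter; the file names `~/.aws/credentials.gpg`, `/usr/local/bin/aws-cred-gpg.sh`, the profile name `deploy` and the `AWS_GPG_CREDENTIALS` override are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): on-demand decryption of an
# encrypted AWS credentials file through the AWS CLI's credential_process hook.
#
# Assumed one-time setup (hypothetical paths, not from the page):
#   gpg --symmetric --cipher-algo AES256 \
#       -o ~/.aws/credentials.gpg ~/.aws/credentials
#   rm -P ~/.aws/credentials        # macOS; use shred -u on Linux
#   chmod 700 ~/.aws ~/.ssh
# and in ~/.aws/config:
#   [profile deploy]
#   credential_process = /usr/local/bin/aws-cred-gpg.sh --credential-process deploy
#
# Every `aws --profile deploy ...` call then runs this script, gpg asks for the
# passphrase via pinentry, and the plaintext only ever travels through a pipe.

set -u

ENCRYPTED_CREDS="${AWS_GPG_CREDENTIALS:-${HOME:-}/.aws/credentials.gpg}"

# creds_to_json PROFILE
# Reads an INI-style credentials file on stdin and prints the JSON document a
# credential_process must emit: Version 1, AccessKeyId, SecretAccessKey and,
# if present, SessionToken. Returns 1 when the profile or a key is missing.
# (Values are inserted verbatim; AWS keys never contain quotes or backslashes.)
creds_to_json() {
    awk -v want="$1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/ {                                       # [section] header
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            in_sec = (sec == want)
            next
        }
        in_sec && index($0, "=") > 0 {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            kv[key] = val
        }
        END {
            if (!("aws_access_key_id" in kv) || !("aws_secret_access_key" in kv)) exit 1
            printf "{\"Version\": 1, \"AccessKeyId\": \"%s\", \"SecretAccessKey\": \"%s\"", \
                   kv["aws_access_key_id"], kv["aws_secret_access_key"]
            if ("aws_session_token" in kv) printf ", \"SessionToken\": \"%s\"", kv["aws_session_token"]
            print "}"
        }'
}

# decrypt_creds: gpg prompts for the passphrase through pinentry (GUI on macOS
# with pinentry-mac, tty otherwise); decrypted bytes go to stdout only.
decrypt_creds() {
    gpg --quiet --decrypt "$ENCRYPTED_CREDS"
}

# Entry point used by the AWS CLI; the functions above stay importable/testable.
if [ "${1:-}" = "--credential-process" ]; then
    decrypt_creds | creds_to_json "${2:-default}"
    exit $?
fi
```

Two caveats a practitioner would want. First, `gpg-agent` caches the passphrase (`default-cache-ttl`, 600 seconds by default), so after the first unlock any process running as the same user can invoke the `credential_process` without a prompt for that window; set `default-cache-ttl 0` and `max-cache-ttl 0` in `~/.gnupg/gpg-agent.conf` if every use really must re-authenticate. Second, the plaintext still exists in the memory of gpg and the AWS CLI while the command runs, and anything that can debug or keylog the logged-in user's session can still obtain it; this raises the bar against malware that simply reads `~/.aws/credentials`, it does not create a new security boundary. The same pattern applies to `~/.ssh/config`: keep it encrypted, decrypt it to a file under a private temporary directory and pass that with `ssh -F`, while the keys themselves should already carry their own passphrase.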

0 Answers