cli: encryptwallet password entered from stdin. fixes #15318 #15346

pull darosior wants to merge 1 commits into bitcoin:master from darosior:cli_encryptwallet_stdin changing 1 files +39 −0
  1. darosior commented at 10:09 PM on February 4, 2019: member

    This PR adds the possibility to enter the password from encryptwallet to be entered from stdin, as discussed in #15318. I know it can be done using the -stdin parameter from , but I think entering the password from stdin should become the default for encryptwallet (as well as for walletpassphrase) as it can be retrieved easily (grep encryptwallet ~/.bash_history).

  2. jonasschnelli commented at 10:30 PM on February 4, 2019: contributor

    I dislike the fact that bitcoin-cli does have insight into specific commands and argument positions, etc.

    Nevertheless I think this is an improvement.

    Concept ACK

  3. kristapsk commented at 10:36 PM on February 4, 2019: contributor

    Concept ACK

    If we should do special handling for encryptwallet, I think something similar should be done with walletpassphrase and walletpassphrasechange as well. Especially walletpassphrase, which is most often used from these three.

  4. fanquake added the label Utils/log/libs on Feb 4, 2019
  5. darosior commented at 6:28 AM on February 5, 2019: member

    Yes, I wanted to add the other commands once this one is accepted, in order to do one thing at a time.

  6. darosior force-pushed on Feb 5, 2019
  7. darosior force-pushed on Feb 5, 2019
  8. darosior force-pushed on Feb 5, 2019
  9. darosior force-pushed on Feb 5, 2019
  10. laanwj commented at 5:27 PM on February 5, 2019: member

    Yes, I wanted to add the other commands once this one is accepted, in order to do one thing at a time.

    I'd prefer to do this all at once, if we're going to do this.

  11. kristapsk commented at 5:42 PM on February 5, 2019: contributor

    I agree with @laanwj, less time spent on testing and code review.

  12. promag commented at 5:57 PM on February 5, 2019: member

    One way to avoid client side knowledge of these commands is to support special arguments that are replaced after reading the stdin. For instance:

    # before
bitcoin-cli encryptwallet myawesomepass

# after
bitcoin-cli encryptwallet -p
Enter password: *************
Verify password: *************

    When -p is detected it is replaced after double reading the password from stdin (ideally without echoing).

  13. kristapsk commented at 9:59 PM on February 5, 2019: contributor

    One way to avoid client side knowledge of these commands is to support special arguments that are replaced after reading the stdin.

    Problem is these three RPCs differ - with encryptwallet you would expect being asked for password twice to verify they match, with walletpassphrasechange you expect to be asked first for the old password and then twice for the new password, with walletpassphrase you would expect being asked for a password just once.

    Using -p as an universal replacement for any argument with meaning "ask to enter value using password prompt" also would not work, because it will not allow to use "-p" as a string in arguments, so will break compatibilty. And, as mentioned above, there are RPC arguments where you would expect being asked for password just once, and others where you are expected to being asked twice.

    So, I don't see how we can work around special handling for these three there (ok, without introducing some obscure syntax that no one would use, like "-passarg=3,2" before arguments = ask for a third argument with a password prompt, requiring entering it twice).

    But -p (or some other name, other bitcoin-cli arguments are long ones, not single letter) as an flag to do special handling for these three commands looks ok to me, examples could be:

    $ bitcoin-cli -p encryptwallet
Enter password: ***
Verify password: ***
$ bitcoin-cli -p walletpassphrasechange
Enter current password: ***
Enter new password: ***
Verify new password: ***
$ bitcoin-cli -p walletpassphrase 60
Enter password: ***

    I am also not a fan of special handling for some RPCs in client, but I think benefits are worth it here.

  14. in src/bitcoin-cli.cpp:453 in 20816de7ed outdated 
     448 | +            if(!std::getline(std::cin, password)) {
 449 | +                throw std::runtime_error("Failed to read password");
 450 | +            }
 451 | +            fprintf(stdout, "Re-enter password : ");
 452 | +            if(!std::getline(std::cin, verification) || password != verification) {
 453 | +                throw std::runtime_error("Passwords do not match");
    shahzadlone commented at 10:39 AM on February 6, 2019:

    perhaps document about the additional throws so user can expect this new behaviour.

    darosior commented at 11:16 AM on February 6, 2019:

    This is classic behaviour of enter-then-reenter password, where sould I document ?

  15. darosior commented at 11:24 AM on February 6, 2019: member

    Yes, I wanted to add the other commands once this one is accepted, in order to do one thing at a time.

    I'd prefer to do this all at once, if we're going to do this.

    Ok, I'll commit changes for the other commands.

    One way to avoid client side knowledge of these commands is to support special arguments that are replaced after reading the stdin. For instance:

    # before
bitcoin-cli encryptwallet myawesomepass

# after
bitcoin-cli encryptwallet -p
Enter password: *************
Verify password: *************

    When -p is detected it is replaced after double reading the password from stdin (ideally without echoing).

    This is similar to using -stdin, as it would requires to add an argument. What I propose is to use stdin for passwords in bitcoin-cli as a default : I have seen some people "securising their wallet" by using encryptwallet the default way just because they didn't know about -stdin, nor they bother to search, and I could retrieve their pass from the bash_history.

    About the echoing, I have not found a clean and not too verbose way to achieve it. Maybe now that 3 commands will be covered it worth adding a function (kind of getpass instead of getline) that would not echo the password.

  16. promag commented at 8:47 PM on February 6, 2019: member

    Have you seen #13716?

  17. darosior force-pushed on Feb 6, 2019
  18. darosior commented at 10:05 PM on February 6, 2019: member

    Have you seen #13716?

    Yes I have, and I still think it is more convenient for the user to change the behavior of the existing commands instead of adding another. However the two PR are not incompatible and not echoing the password would be nice.

  19. darosior commented at 10:10 PM on February 6, 2019: member

    I added a commit to change the behavior of walletpassphrase and walletpassphrasechange too.

    ./src/bitcoin-cli encryptwallet
Enter passphrase to encrypt the wallet : test
Re-enter passphrase : test

./src/bitcoin-cli walletpassphrasechange
Enter current passphrase : test
Enter new passphrase : testt
Repeat new passphrase : testt

./src/bitcoin-cli walletpassphrase 100
Enter passphrase to unlock the wallet : testt
  20. darosior force-pushed on Feb 7, 2019
  21. kristapsk commented at 12:27 AM on February 11, 2019: contributor

    Tested this and #13716 and I like this approach better, apart from no-echo password part from by @kallewoof, which would be cool have here too.

  22. in src/bitcoin-cli.cpp:445 in 799c543778 outdated 
     440 | @@ -441,6 +441,45 @@ static int CommandLineRPC(int argc, char *argv[])
 441 |              method = args[0];
 442 |              args.erase(args.begin()); // Remove trailing method name from arguments vector
 443 |          }
 444 | +        // Get wallet encryption passphrases from command line
 445 | +        if (method == "encryptwallet" && !args.size()) {
    practicalswift commented at 8:27 PM on February 11, 2019:

    Nit: args.empty() is more idiomatic?

    darosior commented at 10:38 PM on February 11, 2019:

    Fixed.

  23. in src/bitcoin-cli.cpp:466 in 799c543778 outdated 
     461 | +            if(!std::getline(std::cin, passphrase)) {
 462 | +                throw std::runtime_error("Failed to read the passphrase");
 463 | +            }
 464 | +            args.insert(args.begin(), passphrase); // Second parameter is timeout
 465 | +        }
 466 | +        else if (method == "walletpassphrasechange" && !args.size()) {
    practicalswift commented at 8:27 PM on February 11, 2019:

    Same here.

    darosior commented at 10:38 PM on February 11, 2019:

    Fixed.

  24. darosior force-pushed on Feb 11, 2019
  25. darosior force-pushed on Feb 12, 2019
  26. darosior force-pushed on Feb 13, 2019
  27. Get wallet encryption passphrases from stdin if not passed as an argument. fixes #15318 00b422bef1
  28. darosior force-pushed on Feb 13, 2019
  29. darosior commented at 9:15 AM on October 10, 2019: member

    Closing in favor of https://github.com/bitcoin/bitcoin/pull/13716

  30. darosior closed this on Oct 10, 2019
  31. DrahtBot locked this on Dec 16, 2021
Contributors
darosiorjonasschnellikristapsklaanwjpromagshahzadlonepracticalswift
Labels
Utils/log/libs
Linked (view graph)
#15318 `encryptwallet` password entered in clear
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-27 21:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me