Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?


I’ve written the following alias to start an openvpn client more easily than before:

sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin' 

NB: OPVN_CONFIGS_DIR is located in a synced folder (let’s say Dropbox for simplicity).

NB: bash -c rather than a simple expansion because this is sometimes run in fish shell

The options I had before:

  • Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
  • Enter my openvpn username and password every time, which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (And I’m not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does.)

My issue is that, with the previous command, openvpn complains about the following:

WARNING: file '/dev/stdin' is group or others accessible 

My questions:

  • What are the implications of this warning?
  • What is the ‘group’ mentioned in the warning? The sudo group?
  • Is there a better way to manage secrets on the client side with openvpn?

Thank you