Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?

I’ve written the following alias to start an openvpn client more easily than before:

sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin' 

NB: OPVN_CONFIGS_DIR is located in a synced folder (lets say Dropbox for simplicity)

NB: bash -c rather than a simple expansion because this is sometimes run in fish shell

The options I had before:

  • Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
  • Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I’m not comfortable using a CLI password manager that stores passwords in the clipboard like does)

My issue is that with the previous command openvpn complains about the following:

WARNING: file '/dev/stdin' is group or others accessible 

My questions:

  • What are the implications of this warning?
  • what is the ‘group’ mentioned in the warning? The sudo group?
  • Is there a better way to manage secrets on the client side with openvpn?

Thank you

Casting spells using the Book of Ancient Secrets

I am playing a 3/3 Divine Soul Sorcerer/HexBlade Warlock, and have just chosen the Pact of the Tome, along with the Book of Ancient Secrets.

I have found a spellbook with Identify, which I am now transcribing into the book. I also have Unseen Servant as a known spell. I create a scroll, using the Arcana skill. And then use the scroll to transcribe the Unseen Servant spell to the Book. The Scroll is destroyed in the process. So far, so good.

I then replace Unseen Servant with Charm Person on my list of known spells.

Can I still cast the Unseen Servant as a ritual from the book?

Can I cast the Unseen Servant as a spell, using the book and a spell slot? This question arises from the interpretation from the text “You can’t cast the spells except as rituals, unless you’ve learned them by some other means.

If this is possible, it basically means I have an external memory extension, that when held, allows me access to cast any of the entries as a ritual.

And cast the spells that previously were known spells from my spell list that has been transcribed into the book, as spells, using spell slots.

Can UA Lore Mastery’s Spell Secrets feature change the damage type of a spell that does not deal damage immediately?

For UA Lore Mastery, Spell Secrets states the following:

At 2nd level, when you cast a spell with a spell slot and the spell deals acid, cold, fire, force, lightning, necrotic, radiant, or thunder damage, you can substitute that damage type with one other type from that list (you can change only one damage type per casting of a spell). You replace one energy type for another by altering the spell’s formula as you cast it.

This applies easily enough for instant-damage spells. However, the wording does not specify that the damage must be dealt immediately in order to be eligible for the change. Would I then be able to change the damage type of, say, holy weapon from radiant to another type? Or substitute the necrotic damage of a symbol spell for cold?

Note: I am aware that Lore Mastery is playtest material.

How do Eberron Dragonmarks and Book of Ancient Secrets Invocation interact?

I might be over-analyzing and confusing myself, but I’m not certain regarding the interaction between Dragonmark learned Ritual spells and the Book of Ancient Secrets warlock invocation.

Let’s take as an example the Mark of Hospitality subrace’s trait:

Spells of the Mark. If you have the Spellcasting or the Pact Magic class feature, the spells on the Mark of Hospitality Spells table are added to the spell list of your spellcasting class.

This list includes ritual spells like, Leomund’s tiny hut, Mordenkainen’s private sactum and hallow.

Now let’s take the Book of Ancient Secrets invocation:

You can now inscribe magical rituals in your Book of Shadows.[…] You can also cast a warlock spell you know as a ritual if it has the ritual tag.

On your adventures, you can add other ritual spells to your Book of Shadows. When you find such a spell, you can add it to the book if the spell’s level is equal to or less than half your warlock level (rounded up) and if you can spare the time to transcribe the spell. For each level of the spell, the transcription process takes 2 hours and costs 50 gp for the inks needed to inscribe it.

In order to ritual-cast these spells (added to my list by the Dragonmark) as non-prepared spells, but rather as ritual spells from my Book of Shadows, which of the following mechanism is appropriate, per RAW (and/or RAI):

  1. Do they count as warlock spells (by being added to my spell list as per the spells of the mark trait), thus I can cast them without preparation since they have the ritual tag (as per the Book of Ancient Secrets Invocation?)
  2. Do I magically learn them (as per the spells of the mark trait) but I have to spent time to transcribe the spell in the Book of Shadows, although I don’t have a physical written form of the spell?
  3. It does not satisfy either mechanism, and the only way to cast these spells is to prepare them as warlock spells, until I find them in written form and can transcribe them in the Book of Ancient Secrets?

Should I have to roll to copy a spell into my Book of Ancient Secrets?

The Book of Ancient Secrets invocation says (PH p. 110):

On your adventures, you can add other ritual spells to your Book of Shadows. When you find such a spell, you can add it to the book if the spell’s level is equal to or less than half your warlock level (rounded up) and if you can spare the time to transcribe the spell. For each level of the spell, the transcription process takes 2 hours and costs 50 gp for the rare inks needed to inscribe it.

There’s no mention of rolling anything.

But in the DMG (p. 200) under the Spell Scroll magic item it says:

A wizard spell on a spell scroll can be copied just as spells in spellbooks can be copied. When a spell is copied from a spell scroll, the copier must succeed on an Intelligence (Arcana) check with a DC equal to 10 + the spell’s level. If the check succeeds, the spell is successfully copied. Whether the check succeeds or fails, the spell scroll is destroyed.

This entry refers specifically to wizard spells, and seems to be more directed toward wizards copying wizard spells into their spellbooks, but since warlocks can copy any scroll that would also include wizard scrolls.

I’ve copied one spell already in our campaign, and the DM didn’t call for a roll, which is fine with me, but I’m just wondering if anyone knows what was intended.

Mobile Phones And Mobile Broadband – The Secrets Of Choosing The Perfect Deal

How exactly do you choose the perfect mobile phone deal? Or mobile broadband? Join me, as I show you buy phone list!
Let’s face it, if you’re trying to find yourself a new mobile phone, or if you’re trying to get yourself that perfect mobile broadband deal, it can be a bit of a minefield. You have to factor in the tariff, how many minutes you get, how many texts, whether you get international roaming… well, the list goes on. But the thing is, it doesn’t have to be a minefield. It can actually be really, really easy. Like anything, though, it takes a bit of preparation. You need to get your mind straight, and then everything else will follow on from that. There’s no point running in half-cocked, and buying a mobile phone or a mobile broadband package, purely on the spur of the moment. Otherwise you’ll get buyer’s remorse, and you won’t enjoy your purchase. Like anything in life, prepare, prepare, prepare!
Step 1 – Analyse what you really want from your new deal
Ok, it sounds obvious, and it sounds silly, but you’d be amazed how many people don’t do this. You need to ask yourself: ‘What factors determine that I need a new mobile phone or mobile broadband? What benefits do I want to get from my new gadget? How am I going to use it?’ In essence, sit down and follow this rough guideline:
– How many minutes-worth of calls do I, or will I, make per month?
– How many text messages do I send per month?
– Do I need to send photo messages?
– Do I need internet access? If I do, might I be better off getting a mobile broadband package?
– How much am I willing to (or can afford to) pay every month?
Only when you’ve answered those questions in your mind should you move on to step 2.
Step 2 – Choosing the right handset
This is the bit that traditionally is the hardest. You know, now, what deal you want, but have you decided on a phone? As before, don’t just buy the first one you find! Fortunately, you have a tool on your side, here: comparison sites (think along the lines of MobileShop, Pricerunner, or Kelkoo). They list everything you ca buy, and will let you search under various criteria, like price, how many minutes and so on. So, go on to one of them, armed with the knowledge you have from Step 1, and start searching. Once you filled in what you want from the deal, no doubt lots of mobile phones or mobile broadband packages will come back.
Now, the next bit of advice may sound contrary, but basically… once you have fed in the details of what you want from the deal, the comparison site will bring back handsets that match that deal. So, you know that whatever you’re now seeing is within your range of options. Once you know that, it lets you move onto the next step with confidence…
Step 3 – Choose from the heart!
Now that you’ve made all the logical choices about what you need, you have a list of mobile phones and mobile broadband packages that fit your needs. So, now, you can choose a handsets based on what you want, on how the handset looks, or how you like the feel of it, or the fact it’s got a massive camera, or the fact that it plays back 93 billion different types of music. Or if you’re looking at mobile broadband, how it can run at speeds of 300 Megamassivemungabits per second!
You see, this is why you made all the important choices early on. This is why you did all the boring ‘what do I really need?’ stuff right at the start. You did it so that NOW, you can jump in and grab whatever mobile phones catch your eye, whatever mobile broadband package says, to you, ‘Buy me!’ And voila, before you know it, you’ll have bought the perfect deal!


Can protonmail access my passwords and hence my secrets?

protonmail provides encrypted “zero-access” encryption mailboxes. The way they explain “zero-access” is, at least for me, similar to zero-knowledge encryption. However protonmail has in its servers my private keys. They say that the keys are encrypted as well, but they also have in their servers my password for that encryption. Therefore, it seems to me that protonmail could at any time access my private keys and my mailbox.

Is this correct, or am I missing something? Is this the reason why they do not call it zero-knowledge encryption?

When Deserializing a User in Passport is there any reason not to remove Secrets?

I am using the passport-local passport strategy, but in general I have a few questions (sorry for the length). They might be very novice questions so I apologize in advance, but please criticize every aspect of my question and code for security purposes. I want to follow the principle of least privilege, so I was wondering if I should remove certain secret properties from the user when I deserialize them in passport. For example my user has the hash, salt, and iterations properties whose values I don’t want to accidentally leak to the frontend.

If you’re unfamiliar with passport it puts user data on the request object on the server. When using anything with Connect middlewares (I’m using Express) this request object is passed through multiple request handlers/middlewares until eventually one of them sends a response to the client. The deserialize user method is what provides passport with a way to deserialize the user from it’s serialized state (which in the below example the serialized state is the id).

  1. First question, what would be the major advantages or disadvantages if I deserialize my user without these properties (namely the hash, salt, and iterations) in the deserialize user properties before allowing the user to be put onto the server-side request object (i.e. request.user)?

For example instead of this:

passport.deserializeUser(async function(id, done) {   try {     const users = await sqlFetch`SELECT * From users WHERE id = $  {id}`;     const user = users[0];     done(null, user);   } catch (err) {     done(err, null);   } }); 

I could do this:

passport.deserializeUser(async function(id, done) {   try {     const users = await sqlFetch`SELECT username, email, id, isAdmin From users WHERE id = $  {id}`;     const user = users[0];     done(null, user);   } catch (err) {     done(err, null);   } }); 

That way I do not ever accidentally leak the hash, salt, and iterations to the client.

If I want to prevent sending the hash, salt, and iterations with a deserialized user while answering no to question 1 I would probably do it at the time I send the webpage to the client like the example here:

router.get("/", (req, res) => {   res.render("index", {     user: req.user && {       id:,       email:,       displayName: req.user.displayName,       isAdmin: req.user.isAdmin     },   }); }); 

Given that there are tons of routes that would do this it just seems like something might go wrong at one point. So, I could use middleware on specific routers so that every router.get,, etc. that comes after it will not have the full user:

router.use(function (req, res, next) {   req.user = req.user && {     id:,     email:,     displayName: req.user.displayName,     isAdmin: req.user.isAdmin   };   next(); })  router.get("/", (req, res) => {   res.render("index", {     user: req.user,   }); }); 
  1. I have an assumption that is heavily tied to making me want to say yes to question one; that assumption is that the hash, salt, and iterations never needs to be used by the server past authentication and authorization therefore I would never need to use the full user object outside of passport (e.g. outside as in when using request.user to access the user later), and therefore according to principle of least privilege I shouldn’t use the full user elsewhere. Is this assumption correct?

  2. Also, to go along with 2. I think if I don’t send the user along with the request through my route handlers then I wouldn’t be as vulnerable to shared memory vulnerabilities (I usually host my apps on the cloud, so I assume this should be a concern.) is that a valid concern and assumption?

  3. Say instead the secrets were an API token. The difference with this is I need it to be authorized to an external API at some point in a request cycle. For the same reasons as above (i.e. least privilege, shared memory vulnerabilities) should I grab the users tokens at the start of the request and probably go the middleware route where I don’t allow access outside my API routes, or should I only fetch this API token from the DB (which is an extra database call) when I need it maybe with it’s own middleware (but only on my API routers’ routes)? One other option for API tokens that I’ve heard of is to encrypt the API token in the db and decrypt at time of use? Do any of those last 3 options for API tokens have major advantages or disadvantages over the others?

Ready to make Money Cryptocurrency Secrets, Hot Niche

Grab this chance to own 100% done for you Currently Hot Topic Cryptocurrency trading. Just send traffic and make lot of money.

Unless you've been living under the rock for the last several months, Cryptocurrency is gaining explosive popularity and captured public recognition… although it's been around for a few years.

And I'm about to share with you an amazing opportunity to not only learn about this brand new wealth creation vehicle of the 21st century..

Even if you have not heard of…

Ready to make Money Cryptocurrency Secrets, Hot Niche

Handling secrets and environmental variables in Docker-k8s-skaffold dev environment

Basically, trying to wrap my brain around how I should be handling secrets using Docker, k8s, and Skaffold in a dev environment. I’m pretty new to this tech, so don’t fully understand all of it.

Just not sure if I should be using a .env, or config.json, that isn’t committed to the repo, or if there is a better way with using Docker.

Ideally, I could just refer to process.env.API_KEY in my code, regardless of environment, and it would just work and grab the correct environmental variables. If it is in production in AWS, it would just grab the keys from Key Management Services. In production, it would just grab them from where ever.

Did come across this, which seems to apply to Docker Swarm so may not be relevant:

So what is the best practice using Docker, k8s, Skaffold for handling environmental variables and secrets in developement?