Remove nsec from ~/.profile after daemon flow is proven #12

Open
opened 2026-02-27 14:07:17 +00:00 by nazim · 0 comments
Owner

Problem

The nsec (agent private key) sits in plaintext in ~/.profile. This completely bypasses the vault security model — anyone who can read the profile can decrypt avault.enc directly, no Amber approval needed.

Current state

  • NOSTR_NSEC exported in ~/.profile
  • avault.py reads it as fallback when daemon is not running
  • nsec.enc exists (nsec encrypted to operator pubkey) but is never used
  • NIP-46 daemon flow has never been tested end-to-end

Plan

Keep nsec in profile until:

  1. Daemon NIP-46 flow is proven working (issue #11)
  2. Install script deploys avault properly (issue #10)
  3. Agent can reliably restart daemon and request Amber approval
  4. At least one successful "reboot → daemon start → Amber approve → secrets available" cycle

Then:

  1. Remove NOSTR_NSEC from ~/.profile
  2. Remove the nsec-from-profile fallback in avault.py (or gate it behind --insecure flag)
  3. The only way to get the nsec is: operator decrypts nsec.enc via Amber

Depends on

  • #10 (install script)
  • #11 (daemon auto-recovery)

Acceptance criteria

  • NOSTR_NSEC removed from ~/.profile
  • avault get without daemon running returns error (not silent decrypt)
  • Full reboot cycle tested: boot → daemon start → Amber → secrets work
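
A sketch of the first two acceptance criteria, added here as an example and not avault's own code. The names `profile_leaks_nsec`, `resolve_nsec`, `ask_daemon` and `DaemonUnavailable` are hypothetical, and the daemon call is injected as a callable because the issue does not show how `avault.py` talks to the daemon.

```python
import re


class DaemonUnavailable(RuntimeError):
    """Hypothetical error raised when the NIP-46 daemon cannot be reached."""


# Any assignment of NOSTR_NSEC counts, including commented-out lines:
# a key left behind in a comment is still plaintext on disk.
NSEC_ASSIGN = re.compile(r"\bNOSTR_NSEC\s*=")


def profile_leaks_nsec(profile_text):
    """Return the 1-based line numbers of a profile that still carry the nsec."""
    return [
        lineno
        for lineno, line in enumerate(profile_text.splitlines(), 1)
        if NSEC_ASSIGN.search(line)
    ]


def resolve_nsec(ask_daemon, environ, insecure=False):
    """Return (nsec, source), failing closed when the daemon is down.

    ask_daemon: callable that returns the nsec or raises DaemonUnavailable
                (assumed interface, not taken from avault.py).
    environ:    mapping to read NOSTR_NSEC from, e.g. os.environ.
    insecure:   stands in for the --insecure flag proposed in the plan.
    """
    try:
        return ask_daemon(), "daemon"
    except DaemonUnavailable:
        if not insecure:
            # No silent decrypt: the caller must surface this as an error.
            raise
        nsec = environ.get("NOSTR_NSEC")
        if not nsec:
            raise
        return nsec, "env-insecure"


if __name__ == "__main__":
    # Constructed sample profile; the key value is a placeholder.
    sample = "export PATH=$PATH:~/bin\nexport NOSTR_NSEC=nsec1PLACEHOLDER\n"
    print("leaking lines:", profile_leaks_nsec(sample))
```
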
Reference
nazim/avault#12