I have given up on the keepassxc browser plugin. I am not finding it particularly ergonomic, on the other hand I am pretty sure that's because I am missing something. But I think, all I want is a Rofi/dmenu like interface to quickly select the entry, and such a thing should be possible to script very easily. And indeed, for a change that estimation proved to be true, and for novelty's sake I have written it in Tcl.

Instead of requiring hardcoded password, this program uses Expect to interact with pinentry to get it (info pinentry surprised me with how much complex the inner workings of such an innocuous looking program be). Once it successfully runs for the first time, it then forks itself into background, disconnects from TTY, sets up signal handler and becomes a daemon; these are Expect features that are not available in Tcl. Communication is done through named pipe (fifo). Tcl itself has a built-in event loop, which is used to setup timeout for the daemon (or run forever until told/signalled to exit when kpxc_timeout isn't set).

I deliberately didn't peer into alternatives because I was going to use Expect for practice anyway. It seems there is keepmenu which has more features. I generally balk at the idea of a long running python program due to resource consideration. I would say, if resource consumption isn't a concern, one should use the official GUI anyway, since it has pretty good ergonomics.

One curious difference between invoking the program directly with Expect and invoking it with Tcl (but requiring Expect inside) was that, direct Expect suppresses signals when blocked on I/O calls (open/gets), the work around that works in both cases is to register a handler in the event loop that will run when the named pipe becomes readable. Some gotchas aside, named pipes are so easy and useful that I end up using them all the time; maybe I will use POSIX message queue for my next script. I was also reading up on various keyrings (kernal keyrings or libsecret) that could minimize the scope of the stay of the master password in memory. But I believe hardening features like ptrace_scope=1 are now ubiquitous in all distros. Plus, the keyrings only reduce the scope of the password's stay in daemon's memory, not entirely eliminates it. If Mossad happens to be after you, listen to James Mickens:

In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from [email protected]. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere.

Aside from setting timeout, the slightly more paranoid should write a script that does things like exits this daemon, runs i3lock and so on, and either hook it to acpid to be invoked when laptop lid is closed or bind it to a hotkey in sxhkd.