Encrypt crates.io API token under a password (optionally) #3749

Open
@tarcieri

Originally from: rust-lang/crates.io#79

Right now crates.io API tokens are stored in the (presently chmod 644, i.e. world-readable) ~/.cargo/config file under the [registry.token] section.

Storing credentials in plaintext, even if the file permissions were improved, still makes them vulnerable to local file disclosure (LFD) attacks. These attacks are exceedingly common, especially in environments where developers are running a number of services on their laptops and have not properly configured firewalls and/or service-specific security settings.

Encrypting credentials under a passphrase can help mitigate these attacks. SSH provides precedent for encrypting private keys under a passphrase.

Since cargo already depends on rust-openssl, I would suggest sourcing cryptographic primitives from there. AES-GCM with a password derived via PBKDF2 (or, as of OpenSSL 1.1.0, scrypt via the EVP_PBE_scrypt() API, which does not yet appear to be supported by rust-openssl; issue opened) should be sufficient to harden cargo API token storage against LFD attacks.
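The scheme proposed above, sketched as an added example that is not part of the original issue and not cargo's code: AES-256-GCM under a PBKDF2-derived key, using Node.js's built-in OpenSSL-backed crypto module. The `$`-separated storage format, the `cargo-token-v1` label and the iteration bounds are assumptions made for illustration.

```javascript
// Added example, not cargo's code: seal an API token under a passphrase.
const crypto = require('node:crypto');

// Assumed parameters for illustration; the issue text specifies none of them.
const KDF_ITERATIONS = 200000;             // PBKDF2-HMAC-SHA256 work factor
const MAX_ITERATIONS = 10000000;           // refuse absurd stored values
const AAD = Buffer.from('cargo-token-v1'); // hypothetical format label, bound via GCM AAD
const GCM = { authTagLength: 16 };         // reject truncated tags

function deriveKey(passphrase, salt, iterations) {
  return crypto.pbkdf2Sync(passphrase, salt, iterations, 32, 'sha256');
}

// Returns one line: kdf$iterations$salt$nonce$ciphertext$tag (base64 fields).
function sealToken(token, passphrase) {
  const salt = crypto.randomBytes(16);  // fresh salt per encryption
  const nonce = crypto.randomBytes(12); // 96-bit nonce, unique per key
  const key = deriveKey(passphrase, salt, KDF_ITERATIONS);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, GCM);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  const fields = [salt, nonce, ct, cipher.getAuthTag()];
  return ['pbkdf2-sha256', KDF_ITERATIONS, ...fields.map((b) => b.toString('base64'))].join('$');
}

// Throws on a wrong passphrase, a modified field, or a weakened work factor.
function openToken(sealed, passphrase) {
  const [kdf, iters, ...fields] = sealed.split('$');
  if (kdf !== 'pbkdf2-sha256' || fields.length !== 4) throw new Error('unsupported format');
  const iterations = Number(iters);
  if (!Number.isInteger(iterations) || iterations < KDF_ITERATIONS || iterations > MAX_ITERATIONS) {
    throw new Error('KDF work factor out of range');
  }
  const [salt, nonce, ct, tag] = fields.map((f) => Buffer.from(f, 'base64'));
  const key = deriveKey(passphrase, salt, iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, GCM);
  decipher.setAAD(AAD);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify, so no plaintext is returned.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```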

Labels

A-configuration (Area: cargo config files and env vars)
A-interacts-with-crates.io (Area: interaction with registries)
A-registry-authentication (Area: registry authentication and authorization (authn authz))
C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`)
S-needs-design (Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.)
