Add offline mode

[davidbarton]

Hello do you plan to add offline mode? Right now I see only Error: Couldn't resolve host name. message.

[bcopeland]

This already exists: use "lpass show --sync=no"

[drzraf]

But show isn't usable before a previous login?.
When my internet drops I've no access to my passwords. This should really be fixed.

[bcopeland]

You have to log in at least once to get the passwords onto your disk. After that, you no longer need to log in.

[GrantEdwards]

You have to log in at least once to get the passwords onto your disk. After that, you no longer need to log in.

Sorry, that doesn't really seem to be the case. I have logged in many, many times, yet...

$ lpass show --sync=no foo
Error: Could not find decryption key. Perhaps you need to login with `lpass login`.

The various command with --sync=no require that you are logged in, and you can't login without an internet connection.

Are you proposing that for "offline mode" you log in and then never log out? Leaving all your passwords sitting there on your machine in plaintext? [Or at least with the decryption key sitting there
wide open.] Sorry, but that's a horrible idea.

What offline mode needs to to is to store the encrypted vault locally, and then allow you to "log in" to that vault by supplying your master password without an internet connection. AFAICT, the broswer extensions can do that; the Android app can do that; the "pocket" app can supposedly do that (I havent' gotten it to run on Gentoo yet, since it requires Ubuntu-specific libraries).

The command-line app needs to be able to do that.

[bcopeland]

No, I certainly am not proposing that. When you login, the command-line app does cache the blob, in encrypted form on disk.

I just tried this -- killed the agent and my network connection; lpass show --sync=no foo WorksForMe.

[tsaedek]

I am with @GrantEdwards.

I'd like to be able to login, do my work with lastpass and then logout. This works perfectly fine, if there is a internet connection available. However, if there isn't, I wouldn't be able to login.

Currently, when logging in and doing lpass ls you are downloading the encrypted blob from the lastpass servers and provide an decryption key. When logging, out both the decryption key and the blob get deleted!

lpass show --sync=no foo is only possible if you are logged in. However, if you logged out the last time you turned your computer off, password retrieval isn't possible any more. Hence, it is not possible to both provide security (being logged in all the time is like storing passwords in plaintext) and retrieve passwords when offline (or when the server is offline).

[bcopeland]

On Sat, Nov 18, 2017 at 04:29:52PM +0000, tsaedek wrote: `lpass show --sync=no foo` is only possible if you are logged in. However, if you logged out the last time you turned your computer off, password retrieval isn't possible any more. Hence, it is not possible to both provide security (being logged in all the time is like storing passwords in plaintext) and retrieve passwords when offline (or when the server is offline).

There's a bit of a misunderstanding here: being logged in is _not_ like storing passwords in plaintext. The passwords, saved in the blob file, are still encrypted by your key. The key is only available if the agent is running, which is the process that caches the key in memory. You can be logged in without having the agent running, and also the agent will exit itself after an hour. This is why you have to reenter your password (but not 2fa) after being idle for an hour: there is no way for lpass to get the passwords otherwise. Being logged in instead means that you have authenticated to the server at least once, and your blob has been downloaded and session id is cached. Both blob and session id are stored encrypted. You can try this: after doing 'lpass show', find the agent pid and kill it. Try using 'lpass show' again: it will prompt you for master password and won't be able to retrieve your passwords until you do. But you will be "logged in" the whole time.

[tsaedek]

Should have read the part in the man page about the agent!
I tested, if I can access the password after logging my linux user account out. That did work and confused me. Would be nice to have a subcommand to kill the agent. But killing it manually is also completely fine for me.