Hide encrypt password in bash file to stop accidentally seeing it

Question

Sorry if this has been asked before  I did check but couldn t find anything     Is there a function in Unix to encrypt and decrypt a password in a batch file so that I can pipe it into some other commands in a bash file   I realise that doing this provides no real security  it is more to stop someone accidentally seeing the password if they are looking at the script over my shoulder     I m running on Red Hat 5 3   I have a script which does something similar to this   serverControl sh -u admin -p myPassword -c shutdown   and I would like to do something like this   password   decrypt  fgsfkageaivgea    aDecryptionKey   serverControl sh -u admin -p  password -c shutdown   This doesn t protect the password in any way  but does stop someone from accidentally seeing it over my shoulder

User · Accepted Answer

OpenSSL provides a passwd command that can encrypt but doesn't decrypt as it only does hashes. You could also download something like aesutil so you can use a capable and well-known symmetric encryption routine.

For example:

#!/bin/sh    
# using aesutil
SALT=$(mkrand 15) # mkrand generates a 15-character random passwd
MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=" # echo "passwd" | aes -e -b -B -p $SALT 
MYPASS=$(echo "$MYENCPASS" | aes -d -b -p $SALT)

# and usage
serverControl.sh -u admin -p $MYPASS -c shutdown

User · Answer

Although this is not a built in Unix solution  I ve implemented a solution for this using a shell script that can be included in whatever shell script you are using   This is usable on POSIX compliant setups   sh  bash  ksh  zsh   The full description is available in the github repo -  https   github com plyint encpass sh   This solution will auto-generate a key for your script and store the key and your password  or other secrets  in a hidden directory under your user  i e     encpass    In your script you just need to source encpass sh and then call the get secret method  For example      bin sh   encpass sh password   get secret    Pasted below is lite version of the code for encpass sh you can get the full version over on github  for easier visibility       bin sh                                                                                      Copyright  c  2020 Plyint  LLC  lt contact plyint com gt   All Rights Reserved     This file is licensed under the MIT License  MIT       Please see LICENSE txt for more information         DESCRIPTION      This script allows a user to encrypt a password  or any other secret  at     runtime and then use it  decrypted  within a script   This prevents shoulder     surfing passwords and avoids storing the password in plain text  which could     inadvertently be sent to or discovered by an individual at a later date        This script generates an AES 256 bit symmetric key for each script  or user-    defined bucket  that stores secrets   This key will then be used to encrypt     all secrets for that script or bucket   encpass sh sets up a directory       encpass  under the user s home directory where keys and secrets will be     stored        For further details  see README md or run    encpass    from the command line                                                                                         encpass checks           -n   ENCPASS CHECKS     amp  amp  return      if   -z   ENCPASS HOME DIR     then         ENCPASS HOME DIR   HOME  encpass      fi         -d   ENCPASS HOME DIR     amp  amp  mkdir -m 700   ENCPASS HOME DIR       if   -f   ENCPASS HOME DIR  extension     then           Extension enabled  load it            ENCPASS EXTENSION    cat   ENCPASS HOME DIR  extension            ENCPASS EXT FILE  encpass- ENCPASS EXTENSION sh          if   -f    extensions  ENCPASS EXTENSION  ENCPASS EXT FILE     then               shellcheck source  dev null                extensions  ENCPASS EXTENSION  ENCPASS EXT FILE          elif     -z    command -v encpass-  ENCPASS EXTENSION  sh      then                shellcheck source  dev null                  command -v encpass- ENCPASS EXTENSION sh           else             encpass die  Error  Extension  ENCPASS EXTENSION could not be found           fi            Extension specific checks  mandatory function for extensions         encpass    ENCPASS EXTENSION   checks     else           Use default OpenSSL implementation         if     -x    command -v openssl      then             echo  Error  OpenSSL is not installed or not accessible in the current path                      Please install it and try again    gt  amp 2             exit 1         fi              -d   ENCPASS HOME DIR keys     amp  amp  mkdir -m 700   ENCPASS HOME DIR keys              -d   ENCPASS HOME DIR secrets     amp  amp  mkdir -m 700   ENCPASS HOME DIR secrets              -d   ENCPASS HOME DIR exports     amp  amp  mkdir -m 700   ENCPASS HOME DIR exports       fi     ENCPASS CHECKS 1        Checks if the enabled extension has implented the passed function and if so calls it  encpass ext func            -z   ENCPASS EXTENSION     amp  amp  ENCPASS EXT FUNC    command -v  encpass   ENCPASS EXTENSION   1       return         -z   ENCPASS EXT FUNC     amp  amp  shift  amp  amp   ENCPASS EXT FUNC              Initializations performed when the script is included by another script  encpass include init         encpass ext func  include init               -z   ENCPASS EXT FUNC     amp  amp  return      if   -n   1     amp  amp    -n   2     then         ENCPASS BUCKET  1         ENCPASS SECRET NAME  2     elif   -n   1     then         if   -z   ENCPASS BUCKET     then           ENCPASS BUCKET   basename   0           fi         ENCPASS SECRET NAME  1     else         ENCPASS BUCKET   basename   0           ENCPASS SECRET NAME  password      fi      encpass generate private key         ENCPASS KEY DIR   ENCPASS HOME DIR keys  ENCPASS BUCKET           -d   ENCPASS KEY DIR     amp  amp  mkdir -m 700   ENCPASS KEY DIR       if     -f   ENCPASS KEY DIR private key     then          umask 0377  amp  amp  printf   s     openssl rand -hex 32    gt   ENCPASS KEY DIR private key       fi      encpass set private key abs name         ENCPASS PRIVATE KEY ABS NAME   ENCPASS HOME DIR keys  ENCPASS BUCKET private key          -n   1     amp  amp      -f   ENCPASS PRIVATE KEY ABS NAME     amp  amp  encpass generate private key      encpass set secret abs name         ENCPASS SECRET ABS NAME   ENCPASS HOME DIR secrets  ENCPASS BUCKET  ENCPASS SECRET NAME enc          -n   1     amp  amp      -f   ENCPASS SECRET ABS NAME     amp  amp  set secret      encpass rmfifo         trap - EXIT     kill   1  2 gt  dev null     rm -f   2       encpass mkfifo         fifo   ENCPASS HOME DIR  1         mkfifo -m 600   fifo     encpass die  Error  unable to create named pipe      printf   s n    fifo       get secret         encpass checks     encpass ext func  get secret            -z   ENCPASS EXT FUNC     amp  amp  return           basename   0        encpass sh     amp  amp  encpass include init   1    2       encpass set private key abs name     encpass set secret abs name     encpass decrypt secret           set secret         encpass checks      encpass ext func  set secret            -z   ENCPASS EXT FUNC     amp  amp  return      if     1      reuse           -z   ENCPASS SECRET INPUT     amp  amp    -z   ENCPASS CSECRET INPUT        then         echo  Enter  ENCPASS SECRET NAME    gt  amp 2         stty -echo         read -r ENCPASS SECRET INPUT         stty echo         echo  Confirm  ENCPASS SECRET NAME    gt  amp 2         stty -echo         read -r ENCPASS CSECRET INPUT         stty echo            Use named pipe to securely pass secret to openssl         fifo    encpass mkfifo set secret fifo       fi      if     ENCPASS SECRET INPUT      ENCPASS CSECRET INPUT     then         encpass set private key abs name         ENCPASS SECRET DIR   ENCPASS HOME DIR secrets  ENCPASS BUCKET               -d   ENCPASS SECRET DIR     amp  amp  mkdir -m 700   ENCPASS SECRET DIR             Generate IV and create secret file         printf   s     openssl rand -hex 16    gt    ENCPASS SECRET DIR  ENCPASS SECRET NAME enc          ENCPASS OPENSSL IV    cat   ENCPASS SECRET DIR  ENCPASS SECRET NAME enc             echo   ENCPASS SECRET INPUT   gt    fifo   amp            Allow expansion now so PID is set           shellcheck disable SC2064         trap  encpass rmfifo     fifo  EXIT HUP TERM INT TSTP            Append encrypted secret to IV in the secret file         openssl enc -aes-256-cbc -e -a -iv   ENCPASS OPENSSL IV                -K    cat   ENCPASS HOME DIR keys  ENCPASS BUCKET private key                  -in   fifo  1 gt  gt    ENCPASS SECRET DIR  ENCPASS SECRET NAME enc      else         encpass die  Error  secrets do not match   Please try again       fi      encpass decrypt secret         encpass ext func  decrypt secret            -z   ENCPASS EXT FUNC     amp  amp  return      if   -f   ENCPASS PRIVATE KEY ABS NAME     then         ENCPASS DECRYPT RESULT    dd if   ENCPASS SECRET ABS NAME  ibs 1 skip 32 2 gt   dev null   openssl enc -aes-256-cbc               -d -a -iv    head -c 32   ENCPASS SECRET ABS NAME    -K    cat   ENCPASS PRIVATE KEY ABS NAME    2 gt   dev null           if     -z   ENCPASS DECRYPT RESULT     then             echo   ENCPASS DECRYPT RESULT          else               If a failed unlock command occurred and the user tries to show the secret               Present either a locked or failed decrypt error              if   -f   ENCPASS HOME DIR keys  ENCPASS BUCKET private lock     then              echo    Locked                else                   The locked file wasn t present as expected   Let s display a failure             echo  Error  Failed to decrypt              fi         fi     elif   -f   ENCPASS HOME DIR keys  ENCPASS BUCKET private lock     then         echo    Locked        else         echo  Error  Unable to decrypt  The key file    ENCPASS PRIVATE KEY ABS NAME   is not present       fi      encpass die        echo       gt  amp 2    exit 1      LITE

User · Answer

Another solution  without regard to security  I also think it is better to keep the credentials in another file or in a database  is to encrypt the password with gpg and insert it in the script      I use a password-less gpg key pair that I keep in a usb   Note  When you export this key pair don t use --armor  export them in binary format     First encrypt your password      EDIT  Put a space before this command  so it is not recorded by the bash history     echo -n  pAssw0rd    gpg --armor --no-default-keyring --keyring  media usb key pub --recipient someone mail com --encrypt   That will be print out the gpg encrypted password in the standart output  Copy the whole message and add this to the script   password   gpg --batch --quiet --no-default-keyring --secret-keyring  media usb key priv --decrypt  lt  lt EOF  -----BEGIN PGP MESSAGE-----  hQEMA0CjbyauRLJ8AQgAkZT5gK8TrdH6cZEy Ufl0PObGZJ1YEbshacZb88RlRB9 h2z s Bso5HQxNd5tzkwulvhmoGu6K6hpMXM3mbYl07jHF4qr oWijDkdjHBVcn5 0mkpYO1riUf0HXIYnvCZq 4k ajGZRm8EdDy2JIWuwiidQ18irp07UUNO AB9mq8 5VXUjUN3tLTexg4sLZDKFYGRi4fyVrYKGsi0i5AEHKwn5SmTb3f1pa5yXbv68eYE lCVfy51rBbG87UTycZ3gFQjf1UkNVbp0WV RPEM9JR7dgR 9I8bKCuKLFLnGaqvc beA3A6eMpzXQqsAg6GGo3PW6fMHqe1ZCvidi6e4a dJDAbHq0XWp93qcwygnWeQW Ozr1hr5mCa QkUSymxiUrRncRhyqSP0ok5j4rjwSJu9vmHTEUapiyQMQaEIF2e2S  NIWGg    uriR -----END PGP MESSAGE----- EOF    In this way only if the usb is mounted in the system the password can be decrypted  Of course you can also import the keys into the system  less secure  or no security at all  or you can protect the private key with password  so it can not be automated

User · Answer

I used base64 for the overcoming the same problem  i e  people can see my password over my shoulder   Here is what I did -  I created a new  db auth cfg  file and created parameters with one being my db password  I set the permission as 750 for the file    DB PASSWORD Z29vZ2xl   In my shell script I used the  source  command to get the file and then decode it back to use in my script   source path to the file db auth cfg DB PASSWORD   eval echo   DB PASSWORD    base64 --decode    I hope this helps

User · Answer

Following line in above code is not working  DB PASSWORD   eval echo   DB PASSWORD    base64 --decode    Correct line is    DB PASSWORD  echo  PASSWORD base64 -d    And save the password in other file as PASSWORD

User · Answer

There s a more convenient way to store passwords in a script but you will have to encrypt and obfuscate the script so that it cannot be read  In order to successfully encrypt and obfuscate a shell script and actually have that script be executable  try copying and pasting it here   http   www kinglazy com shell-script-encryption-kinglazy-shieldx htm  On the above page  all you have to do is submit your script and give the script a proper name  then hit the download button  A zip file will be generated for you  Right click on the download link and copy the URL you re provided  Then  go to your UNIX box and perform the following steps   Installation   1  wget link-to-the-zip-file 2  unzip the-newly-downloaded-zip-file 3  cd  tmp KingLazySHIELD 4    install sh  var tmp KINGLAZY SHIELDX- your-script-name   home  your-username  -force   What the above install command will do for you is    Install the encrypted version of your script in the directory  var tmp KINGLAZY SHIELDX- your-script-name   It ll place a link to this encrypted script in whichever directory you specify in replacement of  home  your-username  - that way  it allows you to easily access the script without having to type the absolute path  Ensures NO ONE can modify the script - Any attempts to modify the encrypted script will render it inoperable   until those attempts are stopped or removed  It can even be configured to notify you whenever someone tries to do anything with the script other than run it   i e  hacking or modification attempts  Ensures absolutely NO ONE can make copies of it  No one can copy your script to a secluded location and try to screw around with it to see how it works  All copies of the script must be links to the original location which you specified during install  step 4     NOTE   This does not work for interactive scripts that prompts and waits on the user for a response  The values that are expected from the user should be hard-coded into the script  The encryption ensures no one can actually see those values so you need not worry about that   RELATION   The solution provided in this post answers your problem in the sense that it encrypts the actual script containing the password that you wanted to have encrypted   You get to leave the password as is  unencrypted  but the script that the password is in is so deeply obfuscated and encrypted that you can rest assured no one will be able to see it   And if attempts are made to try to pry into the script  you will receive email notifications about them

User · Answer

indent it off the edge of your screen  assuming you don t use line wrapping and you have a consistant editor width    or   store it in a separate file and read it in

User · Answer

You should be able to use crypt  mcrypt  or gpg to meet your needs  They all support a number of algorithms  crypt is a bit outdated though    More info    http   manpages ubuntu com manpages lucid man1 mcrypt 1 html http   mcrypt sourceforge net  http   linux about com od commands l blcmdl3 crypt htm http   www cyberciti biz tips linux-how-to-encrypt-and-decrypt-files-with-a-password html

[security] Hide/encrypt password in bash file to stop accidentally seeing it

Examples related to security

Examples related to bash

Examples related to unix

Examples related to passwords