Hiding Passwords in Scripts

Sometimes you need to pass a password or even just a string on the command line which you would rather obscure.  For example:

serverControl.sh -u admin -p $MYPASS -c shutdown

Note that nothing below is the ideal way of dealing with passwords; you should probably use SSH keys instead if possible.

Sometimes you really do not have a better option, and this might be your only one. It is still a weak way to store passwords, though. I simplified the examples, but you probably don't want to use obvious variable names or file names either.

Very simple base64 encoding (this is encoding, not encryption, so anyone who sees the string can decode it):

$ echo "passwd" | base64
$ echo "cGFzc3dkCg==" | base64 --decode

# Use in a script as follows, or better, store the string in a file:
MYENCPASS="cGFzc3dkCg=="
MYPASS=$(echo "$MYENCPASS" | base64 --decode)

Using aesutil:

I saw someone mention aesutil on the Internet, but it appears that few modern Linux distros come with the aesutil tools.

# mkrand generates a 15-character random passwd
$ SALT=$(mkrand 15)

# Encrypt the password; the output is the string to store as MYENCPASS
$ echo "passwd" | aes -e -b -B -p "$SALT"

# Use in a script as follows, or store the string in a file:
MYPASS=$(echo "$MYENCPASS" | aes -d -b -p "$SALT")

Or maybe openssl is an option:

This is still very lame, as you still have to supply a password to the openssl command. I just named it garbageKey, but you are probably better off making it more obscure.

# Test
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt  -pass pass:garbageKey
$ echo 'yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=' | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey

# Use a hidden file
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey > .hidden.lck
$ cat .hidden.lck

# In a script: decrypt the file contents into the variable the command will use
MYPASS=$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey < .hidden.lck)

As you can see, in the last example I also used a hidden file instead of keeping the encrypted string in the script itself.
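
The file-based variants above are only as private as the file itself: a leading dot hides it from a plain ls, nothing more. The following is an added example, not part of the original post; load_secret is a hypothetical helper that refuses to decode the stored string unless the file is a regular file, owned by the current user, with mode 0600 or 0400. The sample value is the base64 string from the post, written to a temporary directory.

```shell
#!/bin/sh
# Added example: load_secret is a hypothetical helper, not from the post.

load_secret() {
    secret_file=$1

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$secret_file" ] || [ ! -f "$secret_file" ]; then
        echo "load_secret: $secret_file is not a regular file" >&2
        return 1
    fi

    # The file must belong to the user running the script.
    if [ ! -O "$secret_file" ]; then
        echo "load_secret: $secret_file is not owned by the current user" >&2
        return 1
    fi

    # Accept only modes 0600 and 0400. The trailing * tolerates the
    # extra marker ls may append to the mode string.
    case $(ls -ld -- "$secret_file") in
        -rw-------*|-r--------*) ;;
        *)
            echo "load_secret: $secret_file is accessible to group or others" >&2
            return 1
            ;;
    esac

    # -d is the short form of --decode.
    base64 -d < "$secret_file"
}

# Demo with constructed data in a temporary directory.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/.hidden.lck
printf '%s\n' 'cGFzc3dkCg==' > "$demo_file"

chmod 644 "$demo_file"
if MYPASS=$(load_secret "$demo_file"); then
    echo "unexpected: loaded a secret from a world-readable file"
fi

chmod 600 "$demo_file"
if MYPASS=$(load_secret "$demo_file"); then
    echo "loaded a secret of ${#MYPASS} characters"
fi
rm -rf "$demo_dir"
```

In a real script the call would be `MYPASS=$(load_secret "$HOME/.hidden.lck") || exit 1`, with the path being an assumption.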

