Hiding Passwords in Scripts
Sometimes you need to pass a password or even just a string on the command line which you would rather obscure. For example:
serverControl.sh -u admin -p $MYPASS -c shutdown
Note anything below is not the ideal way of dealing with passwords you should probably use SSH keys if possible instead.
Sometimes you really do not have a better option and this might be your only option. Still it is a weak solution though to store passwords. I simplified but you probably don't want to use obvious variable names or files either.
Very simple base64 encoding:
$ echo "passwd" | base64 cGFzc3dkCg== $ echo "cGFzc3dkCg==" | base64 --decode passwd # Use in script as follow or better use a file to store the string: MYENCPASS="cGFzc3dkCg==" MYPASS=`echo "$MYENCPASS" | base64 --decode`
I saw someone mention aesutil on the Internet but it appears like few modern Linux distros comes with aesutil tools though.
# mkrand generates a 15-character random $ SALT=`mkrand 15` passwd $ `echo "passwd" | aes -e -b -B -p $SALT` i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM= # Use in script as follow or use a file to store the string: MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=" MYPASS=`echo "$MYENCPASS" | aes -d -b -p $SALT`
Or maybe openssl is an option:
This is still very lame as you still have to use a password for the opensssl command. I just named it garbageKey but you are probably better off making it more obscure.
# Test $ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI= $ echo 'yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=' | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey mySecretPassword # Use a hidden file $ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey > .hidden.lck $ cat .hidden.lck yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI= # In a script $ MYENCPASS=`cat .hidden.lck | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey` $ echo $MYENCPASS mySecretPassword
As you can see in the last example I used a hidden file also instead of keeping the encryption string in the file.