3

I am writing a shell script which executes a command which requires a password. I cannot put the password in plain text in the script. I read about the openssl encrypt/decrypt mechanism, but to encrypt a file I again need a password, which again I cannot put in the script. I am clueless as to the best way to have a script execute a command using a secure password.

5
  • 3
    If the script contains the information it needs to figure out the password, then it also contains the information someone looking at the script needs to figure out the password. Unless there's some way to give the running script access to info that someone reading it can't get at, I don't think there's a way to do what you want. Commented Feb 21, 2018 at 6:20
  • 2
    Can you be a little more specific? Do all users need to be able to run the script? Why does the command require a password? If it's ssh, you can avoid the need by requiring users to have pubkey authentication; if it's sudo, look at editing your /etc/sudoers, etc. As a last resort, you could arrange for the script to read a password from a file provided by each user (e.g. in $HOME/.secret/myapp), and if you're feeling nice, you could even check it's not readable by others. Commented Feb 21, 2018 at 9:22
  • 1
    This is not for user authentication. I need to execute a script which takes a password as an argument. So my script needs to execute another script which takes a password as a command line argument. Commented Feb 21, 2018 at 10:36
  • Maybe you can take advantage of hide/encrypt password in bash file to stop accidentally seeing it. Commented Sep 5, 2019 at 14:49
  • "...which takes a password as command line argument." -- This is an extremely bad idea. A password on the command line will be visible for all users of the system, for the full length the process is running, by doing nothing more sinister than looking at the process list (ps or top will do). Commented Feb 7, 2022 at 18:51
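
The two suggestions in the comments above (a per-user secret file that is not readable by others, and keeping the password off the command line) put together, as an added example that is not part of the original thread. The file location, the function names and a child command that reads the password from standard input are assumptions.

```shell
#!/bin/sh
# Added example; file path, function names and the stdin-reading child are assumptions.

# Print the secret stored in FILE, but only if FILE is a regular file (not a
# symlink), owned by the calling user, with no group/other permission bits.
load_secret() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "load_secret: $file is not a regular file" >&2
        return 1
    fi
    if [ ! -O "$file" ]; then
        echo "load_secret: $file is not owned by the current user" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "load_secret: $file is accessible to group/others (chmod 600 it)" >&2
        return 1
    fi
    # First line only; works whether or not the file ends with a newline.
    IFS= read -r secret < "$file" || [ -n "$secret" ] || return 1
    printf '%s' "$secret"
}

# Run the given command with the secret on its standard input, not in argv.
# printf is a shell builtin, so no process ever carries the secret as an argument.
run_with_secret() {
    secret_file=$1
    shift
    pw=$(load_secret "$secret_file") || return 1
    printf '%s\n' "$pw" | "$@"
}

# Constructed demo: a throwaway secret file, with cat standing in for the real command.
demo_dir=$(mktemp -d)
( umask 077; printf '%s' 'constructed-secret' > "$demo_dir/myapp" )
run_with_secret "$demo_dir/myapp" cat
rm -rf "$demo_dir"
```

If the called script only accepts the password as an argument, the permission check still applies to the file, but the argument stays visible in the process list for as long as that script runs.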

2 Answers

5

After reading about "Using OpenSSL to encrypt messages and files on Linux", the following approach might work for you.

Assuming you have a private and public key generated for your machine:

openssl genrsa -out passwordPrivKey.pem 2048
openssl rsa -in passwordPrivKey.pem -out passwordPubKey.pem -outform PEM -pubout

OpenSSL could then be used to encrypt and decrypt a password. Providing a script stub which will demonstrate how to use the command.

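#!/bin/bash
# Write the password without a trailing newline (demonstration only).
printf '%s' "password" > PASSWORD.plain
# Note: rsautl is deprecated since OpenSSL 3.0; pkeyutl is its replacement.
# To encrypt (with the public key)
openssl rsautl -encrypt -inkey ./passwordPubKey.pem -pubin -in PASSWORD.plain -out PASSWORD.dat
# To decrypt (with the private key)
DECRYPTED=$(openssl rsautl -decrypt -inkey ./passwordPrivKey.pem -in PASSWORD.dat)
# Quote the variable so spaces or glob characters in the password survive.
printf '%s\n' "$DECRYPTED"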

On the machine where the password is needed unencrypted later, only PASSWORD.dat and passwordPrivKey.pem would be stored.


4 Comments

You confused one thing: The encryption is done with the public key and the decryption is done with the private key. So simply change the referenced files. Everything else works fine.
Oh, one more. To store the password in the plain file, use "echo -n", otherwise the linebreak becomes part of the password.
Actually, replace echo -n with printf, especially if your script needs to be portable.
@rudi technically the Private Key can both encrypt and decrypt while the public key can only encrypt.
-3

Try openssl. It is a command available on UNIX and it can hash your password for you.

https://www.openssl.org/docs/man1.0.2/apps/openssl.html

2 Comments

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.
Hashing will create a hashed password, but will I be able to use it while executing the command? For example: ./test.sh -p "myhashedpassword"
