-   Linux - Security (
-   -   Reading encryption password with bash (

baltazar3 11-20-2010 06:13 PM

Reading encryption password with bash
I have two cryptsetup volumes with the same password that I want to open in a bash script, and I want to avoid writing the passphrase twice. I was thinking of using read -s. Is there any security problems with this?

The other alternative would be to have a password file on a small partition encrypted with a passphrase. Then only give the passphrase and let the script open up all encrypted volumes using the password file. However this seems overly complicated. But is it more secure?

Thanks in advance.

kbp 11-21-2010 09:47 PM

Using 'read' will assign the input to a variable in any case so I don't see how you would be writing the passphrase twice. Security issues with doing this would be the same as any program, if it's still running and the variable hasn't been sanitised then the cleartext password will be easily recoverable from memory.

Remember not to call the script with the password on the command line as it will be clearly visible in 'ps' output. Using a password file is better but still vulnerable as above, booting from other media will bypass any file permissions. It will also be non-interactive if that matters to you.


baltazar3 11-22-2010 07:27 AM

Yes, if I use read I wont have to write the passphrase twice. If I just call cryptsetup twice I will have to write it twice. Thats why I want to use read. Maybe I could have been clearer.

Of course I could remove the variable from memory by setting it to the empty string once read. Is this what you mean by sanitising? I would also turn off echoing with the -s option. Are there any more security precautions which cryptsetups built in password reader takes, which I would lose by using bash's read? Are there any specialized cli password reading programs?

kbp 11-22-2010 08:20 AM

It does seem a little complicated, I'm not sure you'll be gaining much

All times are GMT -5. The time now is 07:39 AM.