Latest LQ Deal: Latest LQ Deals
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 04-21-2018, 02:57 PM   #1
Registered: Aug 2006
Location: Michigan
Distribution: Ubuntu
Posts: 282

Rep: Reputation: 30
Sensitive script best practice

I have a backup script I wrote that mounts a cifs share, creates an encrypted zip file, moves that file to the cifs share, and unmounts it. I have my windows password as well as my 7zip password in the script. Currently I have root's cron job running it every night at midnight and the script itself is stored in /root. I would like to not hardcode these passwords but I don't really see a way around it. Are there best practices for this type of situation? Thank you.
Old 04-21-2018, 03:32 PM   #2
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 836
Blog Entries: 3

Rep: Reputation: 297Reputation: 297Reputation: 297
If the script is only ever accessed by the root user, one way is to make sure the script is owned by root, and set permissions so that only root can open the file;
# chown root:root /path/to/file
# chmod 700 /path/to/file
That will give root user access for read/write/execute (but no other user can access or execute the file).

You could also use a keyring application (eg; gnome-keyring) to retrieve the password, but this still requires a secondary password to unlock the keyring, which may not be suitable for an automated cron job.

I would say changing the permissions (chmod 700 / chown root:root) would be suffice for a script running as a cron job.
Old 04-21-2018, 04:49 PM   #3
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015
I'm not sure if 7zip can do this, but you can use a key file with most encryption. That still isn't ideal, because someone could steal the key file.
Old 04-22-2018, 12:14 AM   #4
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,288
Blog Entries: 3

Rep: Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718Reputation: 3718
I wouldn't rely on any of the encryption provided by 7zip. In fact, I'd avoid symmetric encryption if you can do so and use asymmetric incryption instead so that you won't need a passphrase to do the actual encryption.

If you're asking about best practice, then OpenPGP is the way to go so the data can be both encrypted and signed, but at least encrypted. You probably already have GNUpg 2 installed and available, it uses OpenPGP. If your system is a desktop, then it is also quite likely that you have an OpenPGP agent up and running.

That way you can use asymmetric encryption for automatic encryption without having to worry about your passphrase getting stolen. For decryption, you'd need the corresponding private key and its passphrase but those can be kept separately, perhaps even on a separate machine.

Here's how it'd be done for key 474EA2F4F9BBB0CA3705AEDD965A4FB116B21B9 using gpg2 which uses OpenPGP:

gpg2 --batch --encrypt --recipient 474EA2F4F9BBB0CA3705AEDD965A4FB116B21B9 file
That would give you the encrypted file file.gpg while leaving the original clear text unchanged. The original would have to be deleted manually, same for any residue left in the file system if that is important. Or you could have gpg2 read from stdin and pipe in the output directly from 7zip instead. Here's how it'd be done with the regular tools, I'll leave 7zip up to you.

tar cf - /path/to/somewhere/ \
| gzip -c \
| gpg2 --batch --encrypt --recipient 474EA2F4F9BBB0CA3705AEDD965A4FB116B21B9  - \
> archive.tar.gz.gpg
See "man gpg2" and "man gpg-agent"

Last edited by Turbocapitalist; 04-22-2018 at 12:15 AM.
Old 04-22-2018, 02:26 AM   #5
Senior Member
Registered: Dec 2011
Location: Simplicity
Posts: 2,779

Rep: Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197Reputation: 1197
In certain situations it makes sense to store the passwords in a sepearate file that is extra secured.
Then the script can do
# open for reading with descriptor 3
exec 3</path/to/pwfile
read pw1 <&3
read pw2 <&3
Each read reads one line into a variable.


best practice, password, script

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Children multiplication tables practice test with Bash script on Linux LXer Syndicated Linux News 0 08-23-2017 09:33 AM
[SOLVED] In-sensitive mouse GlennsPref Linux - General 6 04-06-2015 11:28 AM
[SOLVED] Can you make "grep" non-case sensitive in Bash script? Regnets1 Programming 4 01-06-2013 01:00 PM
Are people too sensitive? DanTaylor General 15 01-24-2006 05:49 AM
sensitive mouse dizzutch Debian 0 11-30-2004 05:07 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:49 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration