openssl: using a protected password in a script

robertmarkbram · 01-18-2010, 09:32 PM

Hi All,

I have a bash script that will unencrypt a file, use the unencrypted file for a very short time and then delete the unencrypted file.

The problem is that my password is in clear text

Code:

   openssl des3 -d -salt \
      -out tempFile \
      -in encryptedFile.des3 \
      -pass pass:clearTextPassword

Obviously this isn't so secure, but I need the script to be non-interactive. How do I hash, encrypt or otherwise make secure the password for the openssl command?

I know that the openssl can protect passwords, e.g.:
openssl passwd -crypt "password"
But can I use this protected password in my script?

Any advice would be most appreciated!

rweaver · 01-19-2010, 02:27 PM

Worse than it being in the script it is also going to show up in a ps aux... using file: pathtofile is better, but still the same base problem of storing an unencrypted password. There is no way around that as far as I know and still having it completely automated... make minimum necessary permissions, put it as a .file in the home directory of the user calling it, etc.

unSpawn · 01-19-2010, 02:38 PM

...and besides the unencrypted file will be available for reading from file or memory anyway as a result of all of this "protecting".

robertmarkbram · 01-20-2010, 06:38 PM

OK, all good points - thank rweaver and unSpawn.

I changed the process (painful but I am the main user anyway) so that we read the password each time.