LinuxQuestions.org
11-20-2010, 05:13 PM   #1
baltazar3
Reading encryption password with bash


I have two cryptsetup volumes with the same password that I want to open in a bash script, and I want to avoid writing the passphrase twice. I was thinking of using read -s. Are there any security problems with this?

The other alternative would be to have a password file on a small partition encrypted with a passphrase. Then only give the passphrase and let the script open up all encrypted volumes using the password file. However, this seems overly complicated. But is it more secure?

Thanks in advance.
 
11-21-2010, 08:47 PM   #2
kbp
Using 'read' will assign the input to a variable in any case, so I don't see how you would be writing the passphrase twice. Security issues with doing this would be the same as any program: if it's still running and the variable hasn't been sanitised, then the cleartext password will be easily recoverable from memory.

Remember not to call the script with the password on the command line, as it will be clearly visible in 'ps' output. Using a password file is better but still vulnerable as above; booting from other media will bypass any file permissions. It will also be non-interactive, if that matters to you.

hth
 
11-22-2010, 06:27 AM   #3
baltazar3
Yes, if I use read I won't have to write the passphrase twice. If I just call cryptsetup twice I will have to write it twice. That's why I want to use read. Maybe I could have been clearer.

Of course I could remove the variable from memory by setting it to the empty string once read. Is this what you mean by sanitising? I would also turn off echoing with the -s option. Are there any more security precautions which cryptsetup's built-in password reader takes, which I would lose by using bash's read? Are there any specialized CLI password reading programs?
 
11-22-2010, 07:20 AM   #4
kbp
It does seem a little complicated, I'm not sure you'll be gaining much.
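
Added example, not code from any poster in this thread: one way to do what the thread discusses, prompting once with `read -s` and passing the passphrase to each `cryptsetup` call over stdin so it never appears in `ps` output. The function names, device paths and mapping names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: prompt once, then feed the same passphrase to several
# LUKS volumes over stdin. Device paths and mapping names are hypothetical.

# Open one volume; cryptsetup takes the passphrase from stdin (--key-file=-).
open_volume() {   # $1 = device, $2 = mapping name
    cryptsetup luksOpen --key-file=- "$1" "$2"
}

# unlock_all DEVICE:NAME [DEVICE:NAME ...]
unlock_all() {
    local pass spec rc=0
    if [ -t 0 ]; then
        # Interactive: -s turns echo off, -r keeps backslashes literal,
        # IFS= preserves leading and trailing spaces.
        IFS= read -rs -p 'Passphrase: ' pass || return 1
        echo >&2
    else
        # Piped input (no terminal): nothing to hide, take one line.
        IFS= read -r pass || [ -n "$pass" ] || return 1
    fi
    for spec in "$@"; do
        # printf is a shell builtin, so the passphrase is never placed in
        # another process's argument list where 'ps' could show it.
        printf '%s' "$pass" | open_volume "${spec%%:*}" "${spec#*:}" || rc=1
    done
    # Drops the variable; bash does not promise the old memory is overwritten.
    unset pass
    return "$rc"
}

# Usage (as root): unlock_all /dev/sdb1:crypt_data /dev/sdc1:crypt_backup
```

With `--key-file=-` cryptsetup uses everything on stdin up to EOF as the passphrase, which is why the passphrase is sent with `printf '%s'` and no trailing newline.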