Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have two cryptsetup volumes with the same password that I want to open in a bash script, and I want to avoid writing the passphrase twice. I was thinking of using read -s. Is there any security problems with this?
The other alternative would be to have a password file on a small partition encrypted with a passphrase. Then only give the passphrase and let the script open up all encrypted volumes using the password file. However this seems overly complicated. But is it more secure?
Using 'read' will assign the input to a variable in any case so I don't see how you would be writing the passphrase twice. Security issues with doing this would be the same as any program, if it's still running and the variable hasn't been sanitised then the cleartext password will be easily recoverable from memory.
Remember not to call the script with the password on the command line as it will be clearly visible in 'ps' output. Using a password file is better but still vulnerable as above, booting from other media will bypass any file permissions. It will also be non-interactive if that matters to you.
Yes, if I use read I wont have to write the passphrase twice. If I just call cryptsetup twice I will have to write it twice. Thats why I want to use read. Maybe I could have been clearer.
Of course I could remove the variable from memory by setting it to the empty string once read. Is this what you mean by sanitising? I would also turn off echoing with the -s option. Are there any more security precautions which cryptsetups built in password reader takes, which I would lose by using bash's read? Are there any specialized cli password reading programs?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.