Hiding passwords in scripts

wordpress meta

title: 'Hiding Passwords in Scripts'
date: '2014-05-24T06:49:26-05:00'
status: publish
permalink: /hiding-passwords-in-scripts
author: admin
excerpt: ''
type: post
id: 287
category:
    - Security
tag: []
post_format: []

Sometimes you need to pass a password or even just a string on the command line which you would rather obscure. For example:

serverControl.sh -u admin -p $MYPASS -c shutdown

Note that nothing below is the ideal way of dealing with passwords; if at all possible you should use SSH keys instead.

Sometimes you really do not have a better option and this is the only one available. It is still a weak way of storing passwords. I have simplified things here; you probably do not want to use obvious variable names or file names either.

Very simple base64 encoding:

$ echo "passwd" | base64
cGFzc3dkCg==
$ echo "cGFzc3dkCg==" | base64 --decode
passwd

# Use in a script as follows, or better, store the string in a file.
# echo appended a newline before encoding; the command substitution strips it again.
MYENCPASS="cGFzc3dkCg=="
MYPASS=`echo "$MYENCPASS" | base64 --decode`

Using aesutil:

I saw someone mention aesutil on the Internet, but it appears that few modern Linux distros ship the aesutil tools.

# mkrand generates a 15-character random password, used here as the salt
$ SALT=`mkrand 15`

$ echo "passwd" | aes -e -b -B -p $SALT
i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=

# Use in a script as follows, or store the string in a file:
MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM="
MYPASS=`echo "$MYENCPASS" | aes -d -b -p $SALT`

Or maybe openssl is an option:

This is still very lame, as you still have to give the openssl command a password. I just named it garbageKey here, but you are probably better off choosing something more obscure.

# Test
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey
yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=
$ echo 'yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=' | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey
mySecretPassword

# Use a hidden file
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey > .hidden.lck
$ cat .hidden.lck
yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=

# In a script
$ MYENCPASS=`cat .hidden.lck | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey`
$ echo $MYENCPASS
mySecretPassword

As you can see in the last example, I also used a hidden file instead of keeping the encrypted string in the script itself.
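A fuller version of the hidden-file approach, as an added example and not code from the original post: the key is read from an owner-only file with `-pass file:` rather than given as `-pass pass:garbageKey` (which every local user can read in `ps` output), the post's `-nosalt` is replaced by `-salt` with `-pbkdf2`, and the script refuses an encrypted file that other users can read. The file names, the key value and the `encrypt_to_file`/`decrypt_from_file` helpers are illustrative choices of mine.

```shell
#!/bin/sh
# Added example: encrypted password in a hidden file, key kept out of argv.
set -eu

# Encrypt $1 with the key in file $2, writing base64 ciphertext to $3.
# The subshell's umask 077 makes the output file mode 0600 at creation.
encrypt_to_file() {
    ( umask 077
      printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -a \
          -pass "file:$2" -out "$3" )
}

# Decrypt file $2 with the key in file $1, refusing files readable by others.
# stat -c is GNU, stat -f is BSD/macOS; whichever works is used.
decrypt_from_file() {
    mode=$(stat -c '%a' "$2" 2>/dev/null || stat -f '%Lp' "$2")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $2: mode $mode is not owner-only" >&2; return 1 ;;
    esac
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$1" -in "$2"
}

# Demo with constructed values, all inside a private temp directory.
tmp=$(mktemp -d)
printf 'garbageKey' > "$tmp/key"   # in real use: a random key, not "garbageKey"
encrypt_to_file 'mySecretPassword' "$tmp/key" "$tmp/.hidden.lck"
MYPASS=$(decrypt_from_file "$tmp/key" "$tmp/.hidden.lck")
# "$MYPASS" can now be handed to the tool, e.g. serverControl.sh -u admin -p "$MYPASS" -c shutdown
rm -rf "$tmp"
```

The decrypted password still lands in the script's environment and, if passed as `-p "$MYPASS"`, in the target command's argv, which is exactly the exposure the post opens with; this only keeps the key and ciphertext off the command line.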