Shell Script: Decrypt the encrypted password and store it in variable












I have a file "credential.txt" which contains the password of mysql. I have another script which calls this text file and retrieves the password from it. For security purposes, I don't want to store the password directly. For that I have encrypted the file by using the Triple-DES Cipher encryption:



openssl des3 -salt -in credential.txt -out credential.des3


Reference: https://linuxtidbits.wordpress.com/2009/01/12/encryptingdecrypting-a-file-easily-with-a-couple-bash-scripts/



Now from my shell script, I want to get the encrypted password from credential.des3, and store it in a variable. From the referenced article, it shows how to decrypt the file and store the decrypted password in a different file.



openssl des3 -d -salt -in credential.des3 -out unencrypted-data.file


The thing is I don't want to save the decrypted file on the system. I want to capture the output of decrypting. My shell script is automated to run using cronjobs, so I can't ask the user to specify the password. Is there any way to decrypt the password and store it in a variable like:



var=$(decrypted_pass)


and use it whenever necessary in a shell script.



I have tried the below command, but it is not working.




var=$(openssl das3 -salt -in credential.des3)











  • (I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

    – ilkkachu
    Mar 7 at 21:56











  • How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

    – Xen2050
    Mar 9 at 16:45


















shell-script files variable encryption






edited Mar 7 at 22:07, Rui F Ribeiro

asked Mar 7 at 21:37, Rose













1 Answer
You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)






  • Thank you for your suggestion. "pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution for how I should add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • Exactly. That defeats the main purpose. Thanks again for the suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31












answered Mar 7 at 22:10, ilkkachu
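An added example, not part of the original thread or anyone's post in it: the capture into a variable from the answer, combined with the -pass option mentioned in the comments, in a form a cron job can run unattended. It assumes the passphrase is the first line of a private key file (hypothetical, for instance on the tmpfs mount the answer describes), so that file now needs the same protection as the database password itself. The function names and the key file location are assumptions.

```sh
#!/bin/sh
# Added example: decrypt credential.des3 into a variable from a cron job.
# The key file (first line = openssl passphrase) is an assumption; the
# thread does not say where the passphrase is kept.

# check_keyfile FILE
# Succeed only if FILE is a regular, non-symlink file owned by the current
# user with no group/other permission bits (for example mode 0600 or 0400).
check_keyfile() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# decrypt_secret KEYFILE CIPHERFILE
# Write the plaintext to stdout only, so the caller captures it with $(...)
# and no decrypted file is created.
# "-pass file:" keeps the passphrase out of the process list, which
# "-pass pass:..." on the command line would not.
# Returns 2 if the key file is unsafe, otherwise openssl's exit status.
decrypt_secret() {
    if ! check_keyfile "$1"; then
        echo "decrypt_secret: $1 must be a private file owned by this user" >&2
        return 2
    fi
    openssl des3 -d -salt -in "$2" -pass "file:$1"
}

# Usage inside the cron script (the key path is a placeholder):
#   pass=$(decrypt_secret /path/to/mount/point/key credential.des3) || exit 1
#   ... use "$pass" ...
#   unset pass
```

Checking the exit status of the assignment matters: without `|| exit 1`, a failed decryption leaves the variable empty and the script carries on with it.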












