Shell Script: Decrypt the encrypted password and store it in variable












0















I have a file "credential.txt" which contains the password of mysql. I have another script which calls this text file and retrieves the password from it. For security purposes, I don't want to store the password directly. For that I have encrypted the file by using the Triple-DES Cipher encryption:



openssl des3 -salt -in credential.txt -out credential.des3


Reference: https://linuxtidbits.wordpress.com/2009/01/12/encryptingdecrypting-a-file-easily-with-a-couple-bash-scripts/



Now from my shell script, I want to get the encrypted password from credential.des3, and store it in a variable. From the referenced article, it shows how to decrypt the file and store the decrypted password in a different file.



openssl des3 -d -salt -in credential.des3 -out unencrypted-data.file


The thing is I don't want to save the decrypted file on the system. I want to capture the output of decrypting. My shell script is automated to run using cronjobs, so I can't ask the user to specify the password. Is there any way to decrypt the password and store it in a variable like:



var = $(decrypted_pass)


and use it whenever necessary in a shell script.



I have tried the below command, but it not working.




var=$(openssl das3 -salt -in credential.des3)











share|improve this question

























  • (I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

    – ilkkachu
    Mar 7 at 21:56











  • How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

    – Xen2050
    Mar 9 at 16:45


















0















I have a file "credential.txt" which contains the password of mysql. I have another script which calls this text file and retrieves the password from it. For security purposes, I don't want to store the password directly. For that I have encrypted the file by using the Triple-DES Cipher encryption:



openssl des3 -salt -in credential.txt -out credential.des3


Reference: https://linuxtidbits.wordpress.com/2009/01/12/encryptingdecrypting-a-file-easily-with-a-couple-bash-scripts/



Now from my shell script, I want to get the encrypted password from credential.des3, and store it in a variable. From the referenced article, it shows how to decrypt the file and store the decrypted password in a different file.



openssl des3 -d -salt -in credential.des3 -out unencrypted-data.file


The thing is I don't want to save the decrypted file on the system. I want to capture the output of decrypting. My shell script is automated to run using cronjobs, so I can't ask the user to specify the password. Is there any way to decrypt the password and store it in a variable like:



var = $(decrypted_pass)


and use it whenever necessary in a shell script.



I have tried the below command, but it not working.




var=$(openssl das3 -salt -in credential.des3)











share|improve this question

























  • (I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

    – ilkkachu
    Mar 7 at 21:56











  • How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

    – Xen2050
    Mar 9 at 16:45
















0












0








0








I have a file "credential.txt" which contains the password of mysql. I have another script which calls this text file and retrieves the password from it. For security purposes, I don't want to store the password directly. For that I have encrypted the file by using the Triple-DES Cipher encryption:



openssl des3 -salt -in credential.txt -out credential.des3


Reference: https://linuxtidbits.wordpress.com/2009/01/12/encryptingdecrypting-a-file-easily-with-a-couple-bash-scripts/



Now from my shell script, I want to get the encrypted password from credential.des3, and store it in a variable. From the referenced article, it shows how to decrypt the file and store the decrypted password in a different file.



openssl des3 -d -salt -in credential.des3 -out unencrypted-data.file


The thing is I don't want to save the decrypted file on the system. I want to capture the output of decrypting. My shell script is automated to run using cronjobs, so I can't ask the user to specify the password. Is there any way to decrypt the password and store it in a variable like:



var = $(decrypted_pass)


and use it whenever necessary in a shell script.



I have tried the below command, but it not working.




var=$(openssl das3 -salt -in credential.des3)











share|improve this question
















I have a file "credential.txt" which contains the password of mysql. I have another script which calls this text file and retrieves the password from it. For security purposes, I don't want to store the password directly. For that I have encrypted the file by using the Triple-DES Cipher encryption:



openssl des3 -salt -in credential.txt -out credential.des3


Reference: https://linuxtidbits.wordpress.com/2009/01/12/encryptingdecrypting-a-file-easily-with-a-couple-bash-scripts/



Now from my shell script, I want to get the encrypted password from credential.des3, and store it in a variable. From the referenced article, it shows how to decrypt the file and store the decrypted password in a different file.



openssl des3 -d -salt -in credential.des3 -out unencrypted-data.file


The thing is I don't want to save the decrypted file on the system. I want to capture the output of decrypting. My shell script is automated to run using cronjobs, so I can't ask the user to specify the password. Is there any way to decrypt the password and store it in a variable like:



var = $(decrypted_pass)


and use it whenever necessary in a shell script.



I have tried the below command, but it not working.




var=$(openssl das3 -salt -in credential.des3)








shell-script files variable encryption






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 7 at 22:07









Rui F Ribeiro

41.8k1483142




41.8k1483142










asked Mar 7 at 21:37









RoseRose

10316




10316













  • (I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

    – ilkkachu
    Mar 7 at 21:56











  • How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

    – Xen2050
    Mar 9 at 16:45





















  • (I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

    – ilkkachu
    Mar 7 at 21:56











  • How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

    – Xen2050
    Mar 9 at 16:45



















(I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

– ilkkachu
Mar 7 at 21:56





(I edited out the backslashes from the commands, as they're only used in the original document to wrap the commands on two lines)

– ilkkachu
Mar 7 at 21:56













How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

– Xen2050
Mar 9 at 16:45







How do you type / enter the password to decrypt the des3 file? I'm assuming you'll be storing and using the decrypted info later, or is entering the password originally the main problem, sending input to the cron script?

– Xen2050
Mar 9 at 16:45












1 Answer
1






active

oldest

votes


















0














You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)






share|improve this answer
























  • Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505011%2fshell-script-decrypt-the-encrypted-password-and-store-it-in-variable%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)






share|improve this answer
























  • Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31
















0














You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)






share|improve this answer
























  • Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31














0












0








0







You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)






share|improve this answer













You could use



pass=$(openssl des3 -d -salt -in credential.des3)


(with no output file specified)



But the problem here seems to be that you're running the script from cron. While you could arrange to pass some piece of data from cron to the script through an environment variable, there's no easy way to have that password passed to cron without storing it on the filesystem (in a crontab file, most likely).



To avoid the plaintext password from hitting persistent storage, you could arrange to have it stored on a tmpfs filesystem (on Linux). You can mount one with mount -t tmpfs tmpfs /path/to/mount/point, or with the equivalent in fstab. There's also a chance that your system already has /tmp using tmpfs.



Another alternative would be to have the script holding the plaintext password running continuously, and using sleep to do the actual work at the appropriate times. Though in that case, if the script crashed, it wouldn't be restarted automatically (and you'd need to manually input the password to restart it anyway).



Note that in any case, any secrets you have in memory might be written out to swap if you have any. (There's a case to be made for using encrypted swap for that reason.)







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 7 at 22:10









ilkkachuilkkachu

62.9k10103180




62.9k10103180













  • Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31



















  • Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

    – Rose
    Mar 7 at 22:19











  • @Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

    – ilkkachu
    Mar 7 at 22:27











  • exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

    – Rose
    Mar 7 at 22:31

















Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

– Rose
Mar 7 at 22:19





Thank you for your suggestion. " pass=$(openssl des3 -d -salt -in credential.des3)" worked. But it asks for the password that I used while encrypting the password. Is there any solution on how should I add this password to my shell script?

– Rose
Mar 7 at 22:19













@Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

– ilkkachu
Mar 7 at 22:27





@Rose, openssl has the -pass option to give the password on the command line. But doesn't that defeat the purpose of the encryption in the first place? The encryption password gives access to the encrypted sensitive data, so now you'd need to protect it in the same way.

– ilkkachu
Mar 7 at 22:27













exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

– Rose
Mar 7 at 22:31





exactly. That defeat the main purpose. Thanks again for suggestions. I will figure it out.

– Rose
Mar 7 at 22:31


















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505011%2fshell-script-decrypt-the-encrypted-password-and-store-it-in-variable%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to make a Squid Proxy server?

Is this a new Fibonacci Identity?

19世紀