Bash – Safe Way to Pass Password for Multiple Programs

bashcommand lineopensslpassword

I'm writing a bash script, and need to ask user for his password and pass it to openssl. Whilst openssl can read the password itself, I need for two runs of the program and don't want to ask the user twice. Here is the script:

cp file{,.old}
read -sp 'Enter password. ' PASS; echo
export PASS

# decode | edit | encode
openssl enc -d -aes-256-cbc -k "$PASS" -in file.old | \
  sed ... | openssl enc -e -aes-256-cbc -k "$PASS" -out file

unset PASS

This is not safe as the password is easily available by looking at the command line; somebody can read it using ps, for example.

openssl can read a password from an environment variable, so I can replace -k "$PASS" with -pass env:PASS, but it's still not safe; the environment variables of any process can be read freely (again, ps can do it).

So, how can I safely pass the password to the two openssl instances?

Best Answer

Pass the password on a separate file descriptor from the input (twice, once for encryption and once for decryption). Do not export PASS to the environment.

read -sp 'Enter password. ' PASS
printf '%s\n' "$PASS" |
openssl enc -d -aes-256-cbc -kfile /dev/stdin -in file.old |
sed ... | {
  printf '%s\n' "$PASS" |
  openssl enc -e -aes-256-cbc -kfile /dev/stdin -in /dev/fd/3 -out file;
} 3<&0

If your system doesn't have /dev/fd, you can use the -pass argument to tell openssl to read the passphrase from an open file descriptor.

printf '%s\n' "$PASS" | {
  printf '%s\n' "$PASS" |
  openssl enc -d -aes-256-cbc -pass fd:0 -in file.old |
  tr a-z A-Z | tee /dev/tty | {
  openssl enc -e -aes-256-cbc -pass fd:3 -out file; }
} 3<&0

Related Solutions

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

I add this to my bash script:

# ask for password up-front.
sudo -v
# Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

Found it here:

https://serverfault.com/questions/266039/temporarlly-increasing-sudos-timeout-for-the-duration-of-an-install-script

https://gist.github.com/cowboy/3118588

I use another script to launch my main script and I use a .desktop file to launch that helper script. It's not very straightforward, but it can be made to work 100% GUI. I'm still looking for the perfect solution, but this is doing the trick for now.

Unlock ‘pass’

pass uses gpg to encrypt your passwords. This means you can use gpg-agent to cache your passphrase, thereby allowing the gpg tools and therefore pass to decrypt its files without asking for your passphrase again. If you're using GnuPG >= 2.1.0, gpg-agent will be started automatically. If not, there are (unfortunately) numerous ways to have gpg-agent start along with your login or X session.

The Arch Wiki contains a lot of information about how to configure and use gpg-agent, but the most important one is probably the following entry in ~/.gnupg/gpg-agent.conf:

default-cache-ttl 3600

This allows adjusting the time (in seconds) that gpg-agent will remember your passphrase. The default is 60.

2. You can also use gpg-agent to cache ssh keys. Unfortunately I've never managed to set this up reliably, so I can't give you any hints here.

Also, unrelated to your questions, but auth-password-store integrates pass with Emacs' auth-source mechanism.

Best Answer

Related Solutions

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

Unlock ‘pass’

Related Question