If you too feel awful about keeping your password as a plain string within your script, here is a way that might help you.
Encrypt your password with OpenSSL using the command below.
Assumption: here I will be encrypting the plain-text password "mysecretpassword".
[root@cyberkeeda]# echo 'mysecretpassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey
You will get the encrypted password as output:
O7LX4VmomxrBgNHS+R1FcoNneSrqWFY0oTn3ammEF7w=
To check it, decrypt the output with the same key:
[root@cyberkeeda]# echo 'O7LX4VmomxrBgNHS+R1FcoNneSrqWFY0oTn3ammEF7w=' | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey
It should print the decrypted password:
"mysecretpassword"
If it works fine, you can save the encrypted value into a file and use it within your script.
Encrypt the password and save it into a hidden file:
[root@cyberkeeda]# echo 'mysecretpassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey > .secret.lck
You can then read it within your script like this:
#!/bin/bash
# Myscript.sh
#
# Decrypt the stored password into a variable.
PASS=$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey < .secret.lck)
#
# You can use the secret password anywhere within your script.
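A hardened variant of the steps above, as an added example (not the post's code and not taken from encpass.sh). The commands above keep the passphrase garbageKey inside the script and use -nosalt, so anyone who can read the script can decrypt .secret.lck, and the same password always produces the same ciphertext; this version moves the key to a random, owner-only file and enables a salt and PBKDF2 with 10,000 iterations. It assumes OpenSSL 1.1.1 or later, and SECRET_DIR, init_store, store_secret and read_secret are hypothetical names.

```shell
#!/bin/bash
# Added example: not from the original post and not encpass.sh's code.
# Assumes OpenSSL 1.1.1+ (needed for -pbkdf2 / -iter). SECRET_DIR,
# init_store, store_secret and read_secret are hypothetical names.

SECRET_DIR="${SECRET_DIR:-$HOME/.myscript-secrets}"

# Create an owner-only directory and, on first use, a random key file.
# The key never appears in the script or on a command line.
init_store() {
    (
        umask 077
        mkdir -p "$SECRET_DIR" && chmod 700 "$SECRET_DIR" || exit 1
        [ -s "$SECRET_DIR/key" ] || openssl rand -hex 32 > "$SECRET_DIR/key"
    )
}

# store_secret NAME
# Reads the secret from stdin, so it stays out of argv and shell history.
# -salt gives a fresh random salt per run; -pbkdf2 -iter 10000 replaces
# the legacy single-pass key derivation used by plain "openssl enc".
store_secret() {
    init_store || return 1
    (
        umask 077
        openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 10000 -base64 \
            -pass "file:$SECRET_DIR/key" -out "$SECRET_DIR/$1.enc"
    )
}

# read_secret NAME
# Prints the decrypted secret; the salt is read from the file header.
# In a script: PASS=$(read_secret db)
read_secret() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 10000 -base64 \
        -pass "file:$SECRET_DIR/key" -in "$SECRET_DIR/$1.enc"
}
```

This still protects only against readers who cannot read the key file, so the directory permissions carry the security.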
We ended up needing to solve the same problem and created an open-source (MIT License) tool to do this called encpass.sh (https://github.com/plyint/encpass.sh). It creates a key for the script and stores the key and encrypted secrets in a hidden directory on disk (typically in your user's home directory, but you can define another location if you prefer).
It uses OpenSSL under the covers, similar to the recommendation here, and uses industry-recommended best practices (e.g. salts, named pipes, 10k iterations) to make everything as secure as possible. It also provides a simple command-line interface, so the user can easily manage secrets without having to know anything about how OpenSSL works.