1

I'm writing a shell script on my custom board. In this script I use openssl to encode a file at runtime using this command:

openssl des3 -salt -in file.txt -out my_file.des3 -k my_password

Is there a way to avoid writing the clear password in a sh script? The password must be set in the development environment. Not even the root user should know this password. Is it possible?

Stuggi
init
    Have you tried to use a hashed password, see https://www.openssl.org/docs/man1.1.0/man1/openssl-passwd.html ? – Fabian May 06 '20 at 13:47

3 Answers

1

Many programs accept passwords through an external file or env variables. The second option is quite easy to implement in your own scripts:

openssl des3 -salt -in file.txt -out my_file.des3 -k "$PASS_VAR"
kofemann
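With `-k`, the expanded password still ends up on the `openssl` command line, where a process listing shows it to other local users; `openssl` can instead read it itself through `-pass env:NAME` or `-pass file:PATH`. The sketch below is an added example, not code from any of the posts, and its function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the original posts); function names are hypothetical.

# Succeed only if $1 is a regular file with no group/other permissions,
# so other local accounts cannot read the passphrase (root still can).
pass_file_is_private() {
    [ -f "$1" ] || { echo "no such password file: $1" >&2; return 1; }
    case "$(ls -ld "$1")" in
        -r[w-]-------*) return 0 ;;
        *) echo "refusing $1: accessible beyond its owner" >&2; return 1 ;;
    esac
}

# Accept only sources that keep the passphrase out of argv:
#   env:NAME  -> openssl reads environment variable NAME
#   file:PATH -> openssl reads the first line of PATH
check_pass_source() {
    case "$1" in
        env:?*)  return 0 ;;
        file:?*) pass_file_is_private "${1#file:}" ;;
        *) echo "unsupported password source: $1" >&2; return 1 ;;
    esac
}

# encrypt_file IN OUT SOURCE   (same cipher as the command in the question)
encrypt_file() {
    check_pass_source "$3" || return 1
    openssl des3 -salt -in "$1" -out "$2" -pass "$3"
}

# decrypt_file IN OUT SOURCE
decrypt_file() {
    check_pass_source "$3" || return 1
    openssl des3 -d -in "$1" -out "$2" -pass "$3"
}
```

This narrows exposure to process listings and other accounts only; root can still read both the password file and the process environment.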
0

Since I can generate firmware for my board, I would like to implement something like the /etc/shadow file, but with my password. I don't know if it's possible. Surely the user will have root privileges, and this increases the difficulty.

Using an external password file or env variables allows me to avoid including the clear password in a script, but obviously the root user can see everything.

For the moment I think that the better solution is to use env variables, even though the root user can see them.

init
-1

Root can see everything. If your script is supposed to run unattended, you are out of luck. If not, you can limit the time the password is available by having the user type the password, or use an ssh or gpg agent to encrypt/decrypt.

Aleksandar Ivanisevic