We know we can encrypt a file with openssl using this command:
openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass stdin
The password will be read from stdin. As such, to provide the password beforehand, all we need to do is prepend
echo "someGoodPassword" |
to the above command. My question is: How can I do this more securely? The above method doesn’t look secure enough.
I’d appreciate some comments about this so I can understand this issue better.
Pretty much any mechanism you use will be snoopable by root, so bear this in mind.
The echo option will display in the ‘ps‘ listings, making it vulnerable to ordinary users snooping and finding the password. You can use
-pass file:filename
to use a file, so you can use:
This creates the file, unreadable by other accounts (but still readable by root). One assumes that the script is being used once only to create the passfile; if you repeat the process, it tends to be in a file, and therefore you need to
chmod go-rwx
the file to make it unreadable by other users. Then you use:
to perform the encryption, using the pre-created password file.
Other mechanisms are
-pass env:ENVVAR
for using an environment variable (again, getting it in there without revealing it is the trick).
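The following script is an added example, not code from the question or the answer above. It puts the answer's -pass file: approach together with the question's openssl command: the password file is created owner-only (mode 0600) before the password is written into it, the password is read from stdin and written by the shell's builtin printf so it is never a process argument that ps could list, and a helper reports the resulting permission bits so a script can check them. It assumes a POSIX shell, coreutils ls, and for the round trip OpenSSL 1.1.1 or later on PATH; the -pbkdf2 option is an assumption beyond the original command (it selects salted PBKDF2 key derivation instead of the legacy default). File names and the sample password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code. Assumes a POSIX
# shell with a builtin printf, coreutils ls, and OpenSSL 1.1.1+ for the round trip.

# Create a password file that only the owner can read, without ever placing the
# password on a command line. The file is created empty under umask 077 (mode
# 0600) before anything is written, so there is no window where it is readable
# by other accounts (root can of course still read it).
make_passfile() {
    _pf="$1"
    ( umask 077; : > "$_pf" )
    # Read the password from our own stdin (a terminal, or a pipe from a secret
    # store); it never becomes a process argument that `ps` could show.
    IFS= read -r _pw
    # printf is a shell builtin here, so no external process sees the password.
    printf '%s\n' "$_pw" > "$_pf"
    unset _pw
}

# Report the permission string of a file (e.g. "-rw-------"), portable across
# GNU and BSD ls, so a script can verify that only the owner can read it.
passfile_perms() {
    ls -ld "$1" | cut -c1-10
}

# Encrypt/decrypt with the password taken from the file via -pass file:.
# -pbkdf2 (assumed available, OpenSSL 1.1.1+) replaces the legacy key derivation
# that current openssl versions warn about.
encrypt_with_passfile() {
    openssl aes-256-cbc -a -salt -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}
decrypt_with_passfile() {
    openssl aes-256-cbc -d -a -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# Demo with a constructed password and plaintext in a temporary directory.
demo() {
    _d=$(mktemp -d) || return 1
    printf 'someGoodPassword\n' | make_passfile "$_d/pass.txt"
    echo "password file mode: $(passfile_perms "$_d/pass.txt")"
    if command -v openssl >/dev/null 2>&1; then
        printf 'hello twitter\n' > "$_d/twitterpost.txt"
        encrypt_with_passfile "$_d/twitterpost.txt" "$_d/foo.enc" "$_d/pass.txt"
        decrypt_with_passfile "$_d/foo.enc" "$_d/back.txt" "$_d/pass.txt"
        cmp -s "$_d/twitterpost.txt" "$_d/back.txt" && echo "round trip OK"
    fi
    rm -rf "$_d"
}
demo
```

In real use you would feed make_passfile from a terminal or from a secret-management tool rather than from printf, and delete the password file as soon as the encryption run that needs it has finished; the -pass env:ENVVAR form from the answer has the same caveat, since the environment of a process is readable by root as well.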