Sorry if this has been asked before, I did check but couldn't find anything...

Is there a function in Unix to encrypt and decrypt a password in a batch file so that I can pipe it into some other commands in a bash file?

I realise that doing this provides no real security, it is more to stop someone accidentally seeing the password if they are looking at the script over my shoulder :)

I'm running on Red Hat 5.3.

I have a script which does something similar to this:

serverControl.sh -u admin -p myPassword -c shutdown

and I would like to do something like this:

password = decrypt("fgsfkageaivgea", "aDecryptionKey")
serverControl.sh -u admin -p $password -c shutdown

This doesn't protect the password in any way, but does stop someone from accidentally seeing it over my shoulder.

OpenSSL provides a passwd command that can encrypt but doesn't decrypt as it only does hashes. You could also download something like aesutil so you can use a capable and well-known symmetric encryption routine.

For example:

#!/bin/sh    
# using aesutil
SALT=$(mkrand 15) # mkrand generates a 15-character random passwd
MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=" # echo "passwd" | aes -e -b -B -p $SALT 
MYPASS=$(echo "$MYENCPASS" | aes -d -b -p $SALT)

# and usage
serverControl.sh -u admin -p $MYPASS -c shutdown

I used base64 for the overcoming the same problem, i.e. people can see my password over my shoulder.

Here is what I did - I created a new "db_auth.cfg" file and created parameters with one being my db password. I set the permission as 750 for the file.

DB_PASSWORD=Z29vZ2xl

In my shell script I used the "source" command to get the file and then decode it back to use in my script.

source path_to_the_file/db_auth.cfg
DB_PASSWORD=$(eval echo ${DB_PASSWORD} | base64 --decode)

I hope this helps.

Although this is not a built in Unix solution, I've implemented a solution for this using a shell script that can be included in whatever shell script you are using. This "should" be usable on POSIX compliant setups. The full description is available in the github repo -> https://github.com/ahnick/encpass.sh. This solution will auto-generate a key for your script and store the key and your password (or other secrets) in a hidden directory under your user (i.e. ~/.encpass).

In your script you just need to source encpass.sh and then call the get_secret method. For example:

#!/bin/sh
. encpass.sh
password=$(get_secret)

Pasting the code for encpass.sh for easier visibility:

#!/bin/sh
################################################################################
# Filename: encpass.sh
# Description: This script allows a user to encrypt a password (or any other
#              secret) at runtime and then use it, decrypted, within another
#              script. This prevents shoulder surfing passwords and avoids
#              storing the password in plain text, which could inadvertently
#              be sent to or discovered by an individual at a later date.
#
#              This script generates an AES 256 bit symmetric key for each
#              script (or user-defined label) that stores secrets.  This key
#              will then be used to encrypt all secrets for that script or
#              label.  encpass.sh sets up a directory (.encpass) under the
#              user's home directory where keys and secrets will be stored.
#
#              Subsequent calls to retrieve a secret will not prompt for a
#              secret to be entered as the file with the encrypted value
#              already exists.
#
# Author: Xan Nick
#
# Usage: . ./encpass.sh
#        ...
#        $password=$(get_secret)
################################################################################

checks() {
if [ -n "$ENCPASS_CHECKS" ]; then
return
fi

if [ ! -x "$(command -v openssl)" ]; then
echo "Error: OpenSSL is not installed or not accessible in the current path." \
"Please install it and try again." >&2
exit 1
fi

ENCPASS_HOME_DIR=$(get_abs_filename ~)/.encpass

if [ ! -d $ENCPASS_HOME_DIR ]; then
mkdir -m 700 $ENCPASS_HOME_DIR
mkdir -m 700 $ENCPASS_HOME_DIR/keys
mkdir -m 700 $ENCPASS_HOME_DIR/secrets
fi

if [ ! -z $1 ] && [ ! -z $2 ]; then
LABEL=$1
SECRET_NAME=$2
elif [ ! -z $1 ]; then
LABEL=$(basename $0)
SECRET_NAME=$1
else
LABEL=$(basename $0)
SECRET_NAME="password"
fi

ENCPASS_CHECKS=1
}

generate_private_key() {
KEY_DIR="$ENCPASS_HOME_DIR/keys/$LABEL"

if [ ! -d $KEY_DIR ]; then
mkdir -m 700 $KEY_DIR
fi

if [ ! -f $KEY_DIR/private.key ]; then
(umask 0377 && printf "%s" "$(openssl rand -hex 32)" > $KEY_DIR/private.key)
fi
}

get_private_key_abs_name() {
PRIVATE_KEY_ABS_NAME="$ENCPASS_HOME_DIR/keys/$LABEL/private.key"

if [ ! -f "$PRIVATE_KEY_ABS_NAME" ]; then
generate_private_key
fi
}

get_secret_abs_name() {
SECRET_ABS_NAME="$ENCPASS_HOME_DIR/secrets/$LABEL/$SECRET_NAME.enc"

if [ ! -f "$SECRET_ABS_NAME" ]; then
set_secret $1 $2
fi
}

get_secret() {
checks $1 $2
get_private_key_abs_name
get_secret_abs_name $1 $2

dd if=$SECRET_ABS_NAME ibs=1 skip=32 2> /dev/null | openssl enc -aes-256-cbc \
-d -a -iv $(head -c 32 $SECRET_ABS_NAME) -K $(cat $PRIVATE_KEY_ABS_NAME)
}

set_secret() {
checks $1 $2
get_private_key_abs_name
SECRET_DIR="$ENCPASS_HOME_DIR/secrets/$LABEL"

if [ ! -d $SECRET_DIR ]; then
mkdir -m 700 $SECRET_DIR
fi

echo "Enter $SECRET_NAME:" >&2
stty -echo
read -r SECRET
stty echo
echo "Confirm $SECRET_NAME:" >&2
stty -echo
read -r CSECRET
stty echo
if [ "$SECRET" = "$CSECRET" ]; then
printf "%s" "$(openssl rand -hex 16)" > \
$SECRET_DIR/$SECRET_NAME.enc

echo "$SECRET" | openssl enc -aes-256-cbc -e -a -iv \
$(cat $SECRET_DIR/$SECRET_NAME.enc) -K \
$(cat $ENCPASS_HOME_DIR/keys/$LABEL/private.key) 1>> \
$SECRET_DIR/$SECRET_NAME.enc
else
echo "Error: secrets do not match.  Please try again." >&2
exit 1
fi
}

get_abs_filename() {
# $1 : relative filename
filename=$1
parentdir=$(dirname "${filename}")

if [ -d "${filename}" ]; then
echo "$(cd "${filename}" && pwd)"
elif [ -d "${parentdir}" ]; then
echo "$(cd "${parentdir}" && pwd)/$(basename "${filename}")"
fi
}

You should be able to use crypt, mcrypt, or gpg to meet your needs. They all support a number of algorithms. crypt is a bit outdated though.

More info:

• http://manpages.ubuntu.com/manpages/lucid/man1/mcrypt.1.html
• http://mcrypt.sourceforge.net/
• http://linux.about.com/od/commands/l/blcmdl3_crypt.htm
• http://www.cyberciti.biz/tips/linux-how-to-encrypt-and-decrypt-files-with-a-password.html

Another solution, without regard to security (I also think it is better to keep the credentials in another file or in a database) is to encrypt the password with gpg and insert it in the script.

I use a password-less gpg key pair that I keep in a usb. (Note: When you export this key pair don't use --armor, export them in binary format).

First encrypt your password:

EDIT: Put a space before this command, so it is not recorded by the bash history.

echo -n "pAssw0rd" | gpg --armor --no-default-keyring --keyring /media/usb/key.pub --recipient someone@mail.com --encrypt

That will be print out the gpg encrypted password in the standart output. Copy the whole message and add this to the script:

password=$(gpg --batch --quiet --no-default-keyring --secret-keyring /media/usb/key.priv --decrypt <<EOF 
-----BEGIN PGP MESSAGE-----

hQEMA0CjbyauRLJ8AQgAkZT5gK8TrdH6cZEy+Ufl0PObGZJ1YEbshacZb88RlRB9
h2z+s/Bso5HQxNd5tzkwulvhmoGu6K6hpMXM3mbYl07jHF4qr+oWijDkdjHBVcn5
0mkpYO1riUf0HXIYnvCZq/4k/ajGZRm8EdDy2JIWuwiidQ18irp07UUNO+AB9mq8
5VXUjUN3tLTexg4sLZDKFYGRi4fyVrYKGsi0i5AEHKwn5SmTb3f1pa5yXbv68eYE
lCVfy51rBbG87UTycZ3gFQjf1UkNVbp0WV+RPEM9JR7dgR+9I8bKCuKLFLnGaqvc
beA3A6eMpzXQqsAg6GGo3PW6fMHqe1ZCvidi6e4a/dJDAbHq0XWp93qcwygnWeQW
Ozr1hr5mCa+QkUSymxiUrRncRhyqSP0ok5j4rjwSJu9vmHTEUapiyQMQaEIF2e2S
/NIWGg==
=uriR
-----END PGP MESSAGE-----
EOF)

In this way only if the usb is mounted in the system the password can be decrypted. Of course you can also import the keys into the system (less secure, or no security at all) or you can protect the private key with password (so it can not be automated).

• indent it off the edge of your screen (assuming you don't use line wrapping and you have a consistant editor width)

or

• store it in a separate file and read it in.

There's a more convenient way to store passwords in a script but you will have to encrypt and obfuscate the script so that it cannot be read. In order to successfully encrypt and obfuscate a shell script and actually have that script be executable, try copying and pasting it here:

http://www.kinglazy.com/shell-script-encryption-kinglazy-shieldx.htm

On the above page, all you have to do is submit your script and give the script a proper name, then hit the download button. A zip file will be generated for you. Right click on the download link and copy the URL you're provided. Then, go to your UNIX box and perform the following steps.

Installation:

1. wget link-to-the-zip-file
2. unzip the-newly-downloaded-zip-file
3. cd /tmp/KingLazySHIELD
4. ./install.sh /var/tmp/KINGLAZY/SHIELDX-(your-script-name) /home/(your-username) -force

What the above install command will do for you is:

1. Install the encrypted version of your script in the directory /var/tmp/KINGLAZY/SHIELDX-(your-script-name).
2. It'll place a link to this encrypted script in whichever directory you specify in replacement of /home/(your-username) - that way, it allows you to easily access the script without having to type the absolute path.
3. Ensures NO ONE can modify the script - Any attempts to modify the encrypted script will render it inoperable...until those attempts are stopped or removed. It can even be configured to notify you whenever someone tries to do anything with the script other than run it...i.e. hacking or modification attempts.
4. Ensures absolutely NO ONE can make copies of it. No one can copy your script to a secluded location and try to screw around with it to see how it works. All copies of the script must be links to the original location which you specified during install (step 4).

NOTE:

This does not work for interactive scripts that prompts and waits on the user for a response. The values that are expected from the user should be hard-coded into the script. The encryption ensures no one can actually see those values so you need not worry about that.

RELATION:

The solution provided in this post answers your problem in the sense that it encrypts the actual script containing the password that you wanted to have encrypted. You get to leave the password as is (unencrypted) but the script that the password is in is so deeply obfuscated and encrypted that you can rest assured no one will be able to see it. And if attempts are made to try to pry into the script, you will receive email notifications about them.

Following line in above code is not working

DB_PASSWORD=$(eval echo ${DB_PASSWORD} | base64 --decode)

Correct line is:

DB_PASSWORD=`echo $PASSWORD|base64 -d`

And save the password in other file as PASSWORD.