How to Use Encrypted Passwords in Bash Scripts – Guide

Passwords in shell scripts are not a good idea. In fact, it is a terrible idea: if the script falls into the wrong hands, everyone who reads it learns the password. But if you must use a script, what other options do you have? You can type the password in by hand when the script reaches that point, but that does not work for a script that has to run unattended. Thankfully, there is a way to keep the password in encrypted form instead. It does this by using a separate passphrase and strong encryption.

In our example, we need to make a remote connection from an Ubuntu computer to a Fedora Linux computer. We will use a Bash shell script to connect to the Fedora computer over SSH. We do not want to put the remote account password in the script as plain text, because the script must run unattended. We are also assuming that we have no administrator or root access on the Fedora computer, so for the purposes of this guide we cannot use SSH keys. (In practice a regular user can usually add a public key to their own ~/.ssh/authorized_keys without administrator rights, and key-based login should be preferred wherever the server permits it; the technique below is for the cases where only password authentication is available.)

How to Use Encrypted Passwords in Bash Scripts

Installing OpenSSL and sshpass

Because many encryption and security tools use OpenSSL, it is probably already installed on your computer. If it isn't, it only takes a moment to install. On Ubuntu, type:

sudo apt install openssl

To install sshpass, use:

sudo apt install sshpass

On Fedora, type:

sudo dnf install openssl

and to install sshpass:

sudo dnf install sshpass

On Manjaro Linux, install OpenSSL with:

sudo pacman -Sy openssl

and sshpass with:

sudo pacman -Sy sshpass

Encrypting from the command line

Before we use the openssl command in a script, let's get used to it on the command line. Let's say the password for the account on the remote computer is rusty!herring.pitshaft. We are going to encrypt that password with openssl. To do so we must supply an encryption passphrase, which is used both to encrypt and to decrypt. The openssl command takes a lot of parameters and options; we will look at each of them in a moment.

echo 'rusty!herring.pitshaft' | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'decide.your.password'

We use echo to send the remote account password through a pipe into the openssl command. The parameters are:

enc: use the openssl symmetric encryption subcommand.
-aes-256-cbc: encrypt with AES, a 256-bit key and cipher block chaining mode.
-md sha512: use SHA-512 as the hash inside the key derivation function.
-a: base64-encode the output, so the ciphertext is printable text that can be stored in a file or pasted into a terminal.
-pbkdf2: derive the key from the passphrase with PBKDF2 rather than OpenSSL's older, weaker key derivation.
-iter 100000: run PBKDF2 for 100,000 iterations, which makes guessing the passphrase slow.
-salt: add a random salt, so encrypting the same password twice gives different output (the salt is stored in the output, which is why the base64 always begins with the encoding of "Salted__").
-pass pass:'decide.your.password': the encryption passphrase. Note that anything given on the command line is visible to other users on the same machine in the process list while the command runs; -pass file:FILENAME or -pass env:VARIABLE avoid that.

The encrypted form of our password rusty!herring.pitshaft is written to the terminal window. To decrypt it, we feed the encrypted string back into openssl with exactly the same parameters we used to encrypt, plus the -d (decrypt) option.

echo U2FsdGVkX19iiiRNhEsG+wm/uKjtZJwnYOpjzPhyrDKYZH5lVZrpIgo1S0goZU46 | openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 -iter 100000 -salt -pass pass:'decide.your.password'

The string is decrypted and our original text, the password for the remote user account, is written to the terminal window. This proves we can securely encrypt the remote account password, and decrypt it again whenever we want using the passphrase we chose when encrypting.

But does this really improve our situation? If we need the encryption passphrase to decrypt the remote account password, surely the passphrase has to be in the script? Well, yes, it does. But the encrypted remote account password will be kept in a separate, hidden file, and the permissions on that file will prevent anyone but you (and, of course, the root user of the system) from reading it. To send the output of the encryption command to a file instead of the terminal, we use redirection.
The file is called ".secret_vault.txt". We have also changed the encryption passphrase to something stronger.

echo 'rusty!herring.pitshaft' | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'secret#vault!password' > .secret_vault.txt

Nothing visible happens, but the password is encrypted and written to the hidden file ".secret_vault.txt". We can check that it worked by decrypting the contents of the file. Note that we use cat here, not echo.

cat .secret_vault.txt | openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 -iter 100000 -salt -pass pass:'secret#vault!password'

The password is decrypted correctly from the data in the file. Now we use chmod to change the permissions on the file so that nobody else can read it.

chmod 600 .secret_vault.txt
ls -l .secret_vault.txt

A permission mask of 600 removes all permissions for anyone other than the file's owner (root can still read it). Now we can move on to writing the script.
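As an added example (not code from the original guide), here are the guide's openssl parameters wrapped in a few shell functions, with one change to the procedure above: the passphrase is read with -pass file: from an owner-only file (the name .vault_key is assumed) instead of being typed on the command line, and the vault file is created under umask 077 so it is mode 600 from the moment it exists rather than after a later chmod. The function names (vault_init, vault_encrypt, vault_decrypt, vault_mode, vault_roundtrip) are this example's own.

```shell
#!/bin/bash
# Added example, not from the original guide. Same openssl enc parameters as the
# guide; the passphrase lives in an owner-only file (hypothetical name .vault_key)
# and is read with -pass file:, so neither the passphrase nor the secret is ever
# placed on an openssl command line where `ps` could show it.
set -u

# Cipher and KDF settings used throughout the guide; encrypt and decrypt must match.
OPENSSL_OPTS="-aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -a"

# vault_init KEYFILE PASSPHRASE
# Store the encryption passphrase in KEYFILE, created with mode 600 via umask.
vault_init() {
    local keyfile=$1 passphrase=$2
    (umask 077 && printf '%s\n' "$passphrase" > "$keyfile")
}

# vault_encrypt KEYFILE VAULTFILE SECRET
# Encrypt SECRET into VAULTFILE (base64 text, mode 600). printf '%s' is used
# instead of echo so that no trailing newline is folded into the stored secret.
vault_encrypt() {
    local keyfile=$1 vaultfile=$2 secret=$3
    (umask 077 && printf '%s' "$secret" |
        openssl enc $OPENSSL_OPTS -pass "file:$keyfile" -out "$vaultfile")
}

# vault_decrypt KEYFILE VAULTFILE
# Print the decrypted secret; exits non-zero if the passphrase or file is wrong.
vault_decrypt() {
    local keyfile=$1 vaultfile=$2
    openssl enc $OPENSSL_OPTS -d -pass "file:$keyfile" -in "$vaultfile"
}

# vault_mode FILE
# Report the permission bits of FILE as ls shows them, e.g. -rw-------
vault_mode() {
    ls -l "$1" | cut -c1-10
}

# vault_roundtrip PASSPHRASE SECRET
# Self-check: store SECRET under PASSPHRASE in a temporary directory, decrypt it
# again and print the result, then clean up.
vault_roundtrip() {
    local passphrase=$1 secret=$2 dir
    dir=$(mktemp -d) || return 1
    vault_init "$dir/.vault_key" "$passphrase"
    vault_encrypt "$dir/.vault_key" "$dir/.secret_vault.txt" "$secret"
    vault_decrypt "$dir/.vault_key" "$dir/.secret_vault.txt"
    rm -rf "$dir"
}

# When run directly with two arguments, e.g.
#   ./vault.sh 'secret#vault!password' 'rusty!herring.pitshaft'
# (constructed values taken from the guide), print the round-tripped secret.
if [ $# -eq 2 ]; then
    vault_roundtrip "$1" "$2"
fi
```

Because -salt is set, encrypting the same secret twice with the same passphrase produces two different vault files, which is what you want; an unsalted scheme would let anyone spot that two vaults hold the same password without decrypting either. In the script later in the guide, the REMOTE_PASSWD line can call vault_decrypt .vault_key .secret_vault.txt instead of piping cat into openssl with -pass pass:.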

Using OpenSSL in a Script

Our script is quite simple:

#!/bin/bash

# remote account name
REMOTE_USER=geek

# password for the remote account, decrypted from the hidden vault file
REMOTE_PASSWD=$(cat .secret_vault.txt | openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 -iter 100000 -salt -pass pass:'secret#vault!password')

# remote computer
REMOTE_LINUX=fedora-34.local

# connect to the remote computer and put a timestamp in a file called script.log
sshpass -p "$REMOTE_PASSWD" ssh -T "$REMOTE_USER@$REMOTE_LINUX" << _remote_commands
echo $USER "-" $(date) >> /home/$REMOTE_USER/script.log
_remote_commands

The script decrypts the remote password into REMOTE_PASSWD and hands it to sshpass, which types it in when ssh prompts for a password. The -T option tells ssh not to allocate a terminal, since nothing interactive is happening. We are using a here document to send a command to the remote computer: everything between the two _remote_commands strings is sent as input to the user's session on the remote computer, in this case a single line of Bash. Because the here document is not quoted, $USER, $(date) and $REMOTE_USER are expanded on the local machine before the line is sent, so the command that runs remotely simply appends the account name and a timestamp to a file called "script.log" in the remote home directory. The variables are quoted when passed to sshpass and ssh so that a password containing spaces arrives intact.

Copy the script into an editor and save it in a file called "go-remote.sh". Remember to change the details to match your own remote computer address, remote user account and vault passphrase. Use chmod to make the script executable:

chmod +x go-remote.sh

All that's left is to try it. Let's run our script.

./go-remote.sh

As our script is a minimal model of an unattended script, there is no output to the terminal. But if we look at the "script.log" file on the Fedora computer, we can see that the remote connections were made successfully and that "script.log" was updated with timestamps.

cat script.log

Your password is private

Your remote account password is not stored in the script, and although the decryption passphrase is, nobody else can read your ".secret_vault.txt" file in order to decrypt it and recover the remote account password. Two checks are worth adding. First, the script holds the passphrase, so protect it the same way (chmod 700 go-remote.sh): anyone who can read both files, including root, can recover the password. Second, sshpass -p puts the password on the sshpass command line, where it is briefly visible to other users in the process list; the sshpass manual describes -p as its least secure option, and the alternatives are -e (password taken from the SSHPASS environment variable) or -f (password read from the first line of a file).

Final note

I hope you found the guide How to Use Encrypted Passwords in Bash Scripts useful. If you have any questions about this article, you can ask us. Please also share this article with your friends.