#
# This is the simplest and cleanest way I've come up with for securely compressing (gzip, in this example) and encrypting data to disk with OpenSSL from a bash script without exposing the password to inspection of the process or its environment variables using `ps` and the like. Naturally, `cat` is just used as an example, so the data can come from anywhere. If the compressed data is to be sent via email instead of written to disk, don't use `-out`, and use `-a` to base64-encode the compressed data.
#
# References:
# http://www.madboa.com/geek/openssl/#encrypt-simple
# http://unix.stackexchange.com/questions/29111/safe-way-to-pass-password-for-1-programs-in-bash#answer-29186
# http://stackoverflow.com/questions/6607675/shell-script-password-security-of-command-line-parameters/6607773#6607773
# https://gist.github.com/philfreo/2321650
cat "$file" | gzip -c | openssl enc -e -salt -aes-256-cbc -pass fd:3 -out "$file.gz.enc" 3<<<"$password"
# The above can be decrypted with the following (requiring manual password input, but that can be worked around using a file descriptor and here-string as above):
openssl enc -d -aes-256-cbc -in "$file.gz.enc" | gunzip -c
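
The decryption workaround mentioned above, together with a check that the password stays out of the process arguments, as an added example that is not part of the original gist. The function names `encrypt_gz`, `decrypt_gz` and `password_visible`, the `CIPHER_OPTS` array and the sample passphrase are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist; names and sample values are
# assumptions. Cipher options mirror the commands above and must match on both
# sides. OpenSSL 1.1.1+ warns that this key derivation is deprecated; adding
# -pbkdf2 here fixes that but will not decrypt files made by the command above.
CIPHER_OPTS=(-aes-256-cbc -salt)

# gzip and encrypt "$1" to "$1.gz.enc"; the password ($2) is read from fd 3.
encrypt_gz() {
  gzip -c < "$1" |
    openssl enc -e "${CIPHER_OPTS[@]}" -pass fd:3 -out "$1.gz.enc" 3<<<"$2"
}

# Decrypt "$1" to stdout with no prompt, using the same fd 3 here-string.
# Runs in a subshell with pipefail so a wrong password gives a non-zero status.
decrypt_gz() (
  set -o pipefail
  openssl enc -d "${CIPHER_OPTS[@]}" -pass fd:3 -in "$1" 3<<<"$2" | gunzip -c
)

# Start openssl with the password given by fd ("fd") or on the command line
# ("arg", the form the gist avoids) and read its argv the way `ps` shows it.
# Returns 0 if the password ($2) is visible there.
password_visible() {
  local style=$1 pw=$2 pid args
  if [[ $style == fd ]]; then
    sleep 1 | openssl enc -e "${CIPHER_OPTS[@]}" -pass fd:3 -out /dev/null 3<<<"$pw" &
  else
    sleep 1 | openssl enc -e "${CIPHER_OPTS[@]}" -pass "pass:$pw" -out /dev/null &
  fi
  pid=$!                 # PID of openssl, the last command in the pipeline
  sleep 0.3              # let openssl start and block reading stdin
  args=$(ps -ww -o args= -p "$pid")
  wait "$pid" 2>/dev/null
  [[ $args == *"$pw"* ]]
}

# Demo on constructed data; runs only when this file is executed directly.
if [[ ${BASH_SOURCE[0]} == "$0" ]] && command -v openssl >/dev/null; then
  demo=$(mktemp) && printf 'constructed sample line\n' > "$demo"
  encrypt_gz "$demo" 'demo-passphrase' 2>/dev/null
  decrypt_gz "$demo.gz.enc" 'demo-passphrase'
  password_visible arg 'demo-passphrase' 2>/dev/null && echo "pass: visible in ps"
  password_visible fd 'demo-passphrase' 2>/dev/null || echo "fd:3 not visible in ps"
  rm -f "$demo" "$demo.gz.enc"
fi
```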