How to execute an encrypted bash script file in Linux

I have a bash file and I want to execute it in encrypted mode.
I encrypted my file using this command.
Now I want to run it. How could I do this?
openssl des3 -salt -in file.txt -out file.txt.enc -pass pass:password

Use the shc script compiler to encrypt it (Blowfish), see this http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/?utm_source=tuicool
http://www.linuxsecurity.com/content/view/117920/171
http://www.datsi.fi.upm.es/~frosal/
If you want to use DES3 you can try the answer of soFan in this:
https://unix.stackexchange.com/questions/90178/how-can-i-either-encrypt-or-render-my-shell-script-unreadable
Write the wrapper:
#!/bin/sh
openssl enc -d -DES3 ... -a -in script-enc | sh -

Related

Can I encrypt/decrypt files the same way openssl does using node:crypto?

I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl enc -e -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
and decrypted with
openssl enc -d -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching stackoverflow but don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example I can't work out how to get the iv to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.
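
For the question above, an added example that is not part of the original thread: `openssl enc` with `-salt` writes the 8 bytes `Salted__`, an 8-byte salt, then the ciphertext, and derives both key and IV from the password and salt with one round of EVP_BytesToKey, so the IV is never stored separately. The function names are illustrative, and the digest is an assumption: OpenSSL 1.1.0 and later default to SHA-256, earlier releases to MD5, so pass whichever matches the OpenSSL that produced the files.

```javascript
// Added example: OpenSSL "enc" salted format in Node (names are illustrative).
const crypto = require('node:crypto');

// EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || password || salt),
// concatenated until 32 key bytes + 16 IV bytes are available.
function deriveKeyIv(password, salt, digest) {
  const pw = Buffer.from(password, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < 48) {
    block = crypto.createHash(digest)
      .update(Buffer.concat([block, pw, salt]))
      .digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// Equivalent of: openssl enc -d -aes-256-cbc -base64 -k <password>
// digest is an assumption: 'sha256' for OpenSSL >= 1.1.0, 'md5' for older files.
function opensslDecrypt(b64Text, password, digest = 'sha256') {
  const raw = Buffer.from(b64Text.replace(/\s+/g, ''), 'base64');
  // 8-byte magic + 8-byte salt + at least one 16-byte AES block
  if (raw.length < 32 || raw.subarray(0, 8).toString('latin1') !== 'Salted__') {
    throw new Error('not an OpenSSL salted file');
  }
  const { key, iv } = deriveKeyIv(password, raw.subarray(8, 16), digest);
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]);
}

// Equivalent of: openssl enc -e -aes-256-cbc -base64 -salt -k <password>
function opensslEncrypt(plain, password, digest = 'sha256',
                        salt = crypto.randomBytes(8)) {
  const { key, iv } = deriveKeyIv(password, salt, digest);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  const raw = Buffer.concat(
    [Buffer.from('Salted__'), salt, c.update(plain), c.final()]);
  // openssl -base64 wraps its output at 64 characters per line
  return raw.toString('base64').match(/.{1,64}/g).join('\n') + '\n';
}
```

A file that fails with a "bad decrypt" error under one digest was most likely written with the other.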

Encrypt passwords in config.properties file

I am running a bunch of shell scripts which use the properties in a config.properties file. It has database connection details, passwords, etc.
I just want to encrypt the passwords, so that when someone looks at the properties file they shouldn't be able to use it.
Also, I don't want to change the permissions on the file; I want only the passwords to be encrypted.
I know there are a few ways, like using Java or using any encryption algorithm, but I don't want to use Java.
I am running the shell scripts on CentOS. The sample scripts look like below:
config.properties
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
# MY DB Password here is visible.. I want to encrypt this
DatabasePassword=password123
script.sh
#sourcing the above properties file here
source ./config.properties
export PGPASSWORD=${DatabasePassword}
psql -h ${DatabaseHostName} -p ${DatabasePort} ${DatabaseUserName} -c "select * from table_name;"
Both my files are in the same folder.
Here's the problem, whatever encryption you put in the file, you'd need to be able to reverse in the script. So anyone who can see the script can figure out how to decode the passwords.
command encrypt:
echo 'hoge' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > pass.rsa
command decrypt:
openssl rsautl -decrypt -inkey /root/.ssh/id_rsa -in pass.rsa
config modify:
DatabasePassword=S03EXE -> DatabasePassword=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in pass.rsa)

Encrypting a parameter with openssl

I want to encrypt a parameter with openssl using public.key and decrypt with private.key using linux command line. But the requirement is that the output after encryption should be just in one line so that I can transfer it or send it over to other server. File creation as output is not required.
I have seen rsautl but it gives output in a file or hex dump, which is not possible in my case as I require the output in one line. Please provide the necessary help.
pkeyutl sends its output to a file only if you ask for it. If you do not specify an output file (with the -out option) it sends its output to the standard output. But as it is binary, you cannot easily manipulate it and, moreover, it could be that there are end-of-lines in the output stream.
In order to solve this you can pipe the output of pkeyutl to base64. If your version of base64 wraps its output you'll have to concatenate to get the result on one line only. Some versions (e.g. GNU coreutils 8.10) have a -w0 option that prevents wrapping and produces a single line output (without end-of-line). Example with openssl version 1.0.2a:
echo "foo" | openssl pkeyutl -encrypt -pubin -inkey bob_id_rsa.pub | base64 -w0
where bob_id_rsa.pub is bob's public key in openssl format. You can decrypt with:
base64 -d | openssl pkeyutl -decrypt -inkey bob_id_rsa
where bob_id_rsa is bob's private key. Complete example with encryption followed by decryption:
bar=$( echo foo | openssl pkeyutl -encrypt -pubin -inkey bob_id_rsa.pub | base64 -w0 )
cue=$( echo $bar | base64 -d | openssl pkeyutl -decrypt -inkey bob_id_rsa )
echo $cue
foo

Auto answering password for OPENSSL using HEREDOC

I have the following command but it doesn't work for me...
cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS
UPDATE:
The output is:
109 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
It should auto-answer the question and enter the password automatically.
I always use HEREDOC for automating my Q&A in bash and it works fine...
What is the problem here?
OpenSSL (and OpenSSH) takes measures to read the password directly from the terminal, rather than from stdin, as a security measure.
However there are a load of ways to supply passwords to OpenSSL. Check man openssl for the section PASS PHRASE ARGUMENTS.
So you could do:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout "pass:mypassword"
... but per the manpage: "Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important"
Or you could do:
printf '%s\n' "$PASS" | {
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
} 3<&0
... which is supposedly more secure than other options because the password won't show up in ps.
As @Graeme said here,
I can do it with a heredoc like so:
I have to add -passout stdin for openssl to read from stdin.
cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS

Windows version of these openssl commands

Would I have to make any changes to these Linux commands to make them work on Windows? Do all the pipes and redirects work as they do on Linux?
openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key.pub
openssl rsa -pubin -modulus -noout < key.pub
#
# to decrypt mess.enc (message encrypted via javascript)
cat mess.enc | openssl base64 -d | openssl rsautl -inkey key.pem -decrypt
I expect I must swap cat for type, and I am hoping the rest will work as it is. Can anyone confirm this?
The equivalent of cat on Windows will be of great help. The rest of the commands are the same and should work fine on Windows.
Equivalent of cat on Windows
openssl
cat key.pem
type key.pem
cat=type
