Encrypt passwords in config.properties file - linux

I am running a bunch of shell scripts which use the properties in a config.properties file. It has database connection details, passwords, etc.
I just want to encrypt the passwords, so that when someone looks at the properties file they shouldn't be able to use it.
Also, I don't want to change the permissions on the file; I want only the passwords to be encrypted.
I know there are a few ways, like using Java or some encryption algorithm, but I don't want to use Java.
I am running the shell scripts on CentOS. Sample scripts look like below.
config.properties
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
# My DB password here is visible. I want to encrypt this
DatabasePassword=password123
script.sh
# sourcing the above properties file here
source ./config.properties
export PGPASSWORD="${DatabasePassword}"
# psql takes the user via -U; a bare positional argument would be read as the database name
psql -h "${DatabaseHostName}" -p "${DatabasePort}" -U "${DatabaseUserName}" -c "select * from table_name;"
Both of my files are in the same folder.

Here's the problem, whatever encryption you put in the file, you'd need to be able to reverse in the script. So anyone who can see the script can figure out how to decode the passwords.

command encrypt:
echo 'hoge' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > pass.rsa
command decrypt:
openssl rsautl -decrypt -inkey /root/.ssh/id_rsa -in pass.rsa
config modify:
DatabasePassword=S03EXE -> DatabasePassword=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in pass.rsa)
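
Added example, not code from the question or the answer above: a complete, runnable version of the idea in the answer (password kept RSA-encrypted on disk, decrypted only when the script runs). It uses openssl pkeyutl because openssl rsautl is deprecated as of OpenSSL 3.0; the key pair, file names and the throw-away working directory are assumptions for the demo, and the limitation from the first answer still applies: whoever can read the private key can run the same decrypt command.

```shell
#!/bin/sh
# Added example (not from the question or answer). Layout assumed for the demo:
#   $WORK/dbkey.pem           RSA private key, mode 0600, owned by the script's user
#   $WORK/dbkey.pub           its public half, the only thing the encrypting side needs
#   $WORK/pass.rsa            the password encrypted to that key
#   $WORK/config.properties   everything else in clear, password line points at pass.rsa
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One-time setup: a key pair dedicated to this purpose (not your SSH login key).
openssl genrsa -out "$WORK/dbkey.pem" 2048 2>/dev/null
chmod 600 "$WORK/dbkey.pem"
openssl rsa -in "$WORK/dbkey.pem" -pubout -out "$WORK/dbkey.pub" 2>/dev/null

# Encrypt the sample password (constructed value) with the public key only.
printf '%s' 'password123' |
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/dbkey.pub" -out "$WORK/pass.rsa"

# The properties file no longer carries the cleartext, only a pointer.
cat >"$WORK/config.properties" <<EOF
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
DatabasePasswordFile=$WORK/pass.rsa
EOF

# What script.sh does at run time: source the properties, decrypt into a
# variable, never write the cleartext back to disk.
load_db_password() {
    . "$WORK/config.properties"
    DatabasePassword=$(openssl pkeyutl -decrypt -inkey "$WORK/dbkey.pem" \
        -in "$DatabasePasswordFile")
    printf '%s' "$DatabasePassword"
}

# Check: neither file on disk contains the cleartext any more.
cleartext_absent_on_disk() {
    ! grep -q 'password123' "$WORK/config.properties" &&
    ! grep -q 'password123' "$WORK/pass.rsa"
}

# Real use (not run here): export PGPASSWORD=$(load_db_password) before psql.
```

The gain is that config.properties, which tends to get copied around, no longer reveals the password; the private key file is the thing to protect with permissions, which the question wanted to avoid touching for the properties file itself but is unavoidable for the key.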

Related

Can I encrypt/decrypt files the same way openssl does using node:crypto?

I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl enc -e -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
and decrypted with
openssl enc -d -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching Stack Overflow, but I don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example, I can't work out how to get the IV to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.

openssl decryption works even with modified key

I executed the command below and generated a random key
openssl rand -hex 45
and it gave me
524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c1c
I then encrypted my file with OpenSSL using this. When I tried to decrypt, I just changed the last two characters like this
524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c2d
and now when I try to decrypt, it still works and decrypts the file... what could be wrong? Below is my decrypt command
export my_key=524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c2d
openssl enc -aes-256-cbc -d -in my-secret-encrypted.enc -K $my_key -iv 9 > my-secret.txt
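
Added example, not part of the question: AES-256 uses a 32-byte key, i.e. 64 hex digits after -K. The string from openssl rand -hex 45 is 90 digits, and openssl keeps only the first 64 (it prints "hex string is too long, ignoring excess"), so the two keys in the question differ only in digits that were never used. The key, IV and plaintext here are constructed; a full 16-byte IV is used because "-iv 9" is a single hex digit that openssl zero-pads rather than a real IV.

```shell
#!/bin/sh
# Added example (not from the question): which part of an over-long -K string
# openssl actually uses for aes-256-cbc.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY64=$(openssl rand -hex 32)      # exactly the 32 bytes AES-256 consumes
IV=$(openssl rand -hex 16)         # a full 16-byte IV
printf 'top secret\n' >"$WORK/plain"
openssl enc -aes-256-cbc -e -in "$WORK/plain" -out "$WORK/enc" -K "$KEY64" -iv "$IV"

# Decrypt with an arbitrary key string; prints nothing useful on a bad key.
decrypt_with() {
    openssl enc -aes-256-cbc -d -in "$WORK/enc" -K "$1" -iv "$IV" 2>/dev/null || true
}

# Same 64 digits plus 26 ignored ones: the situation in the question.
key_with_excess() {
    printf '%s%s' "$KEY64" "$(openssl rand -hex 13)"
}

# Change the 64th digit, one that is actually part of the key.
key_with_used_digit_changed() {
    last=$(printf '%s' "$KEY64" | cut -c64)
    if [ "$last" = a ]; then repl=b; else repl=a; fi
    printf '%s%s' "$(printf '%s' "$KEY64" | cut -c1-63)" "$repl"
}
```

Pass exactly 64 hex digits to -K (openssl rand -hex 32) so that every digit you supply is part of the key, and supply a full 32-digit -iv; with CBC a wrong IV only corrupts the first block, so a short or wrong IV is easy to miss too.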

File Encryption/Decryption with AES using Linux

I'm using the OpenWrt Linux distribution and I want to encrypt a file using AES.
How can I do that quickly and easily, and how can I—or someone else—decrypt it again?
The quickest and easiest way is to use the openssl utility (provided by the openssl-util package). For example, to encrypt a file, issue the following command:
openssl enc -aes-256-cbc -in file.txt -out file.enc
To decrypt:
openssl enc -d -aes-256-cbc -in file.enc -out file.dec
The openssl encryption is not a good solution according to this, so please don't use it.
I've used https://www.aescrypt.com/ in the past and I was happy with it. If you want something that has been around for a while - that's not a bad start. It also has both a UI and a cli.
The fact that there is no small, easy to use and super simple cli tool for this purpose annoyed me so much that I sat down and wrote this
https://github.com/ro-tex/aes256cli. I literally wrote it while this discussion was open on my screen, so I'm making no claims as to how good of a solution it is. I just wanted something that will do what I need with zero friction and this is good enough for me.
To encode:
cat 'yourfile' | openssl enc -aes-128-cbc > 'encrypted file'
To decode: first, you have to remember the password you used to encode, then:
cat 'encrypted file' | openssl enc -d -aes-128-cbc -k 'Your password' > 'decrypted file'

How execute encrypted bash script file in linux

I have a bash file and I want to execute it in encrypted mode.
I encrypted my file using this command.
Now I want to run it. How can I do this?
openssl des3 -salt -in file.txt -out file.txt.enc -pass pass:password
Use the shc script compiler to encrypt it (Blowfish); see http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/?utm_source=tuicool
http://www.linuxsecurity.com/content/view/117920/171
http://www.datsi.fi.upm.es/~frosal/
If you want to use DES3 you can try soFan's answer here:
https://unix.stackexchange.com/questions/90178/how-can-i-either-encrypt-or-render-my-shell-script-unreadable
Write the wrapper:
#!/bin/sh
openssl enc -d -des3 ... -a -in script-enc | sh -

Auto answering password for OPENSSL using HEREDOC

I have the following command, but it doesn't work for me...
cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS
UPDATE:
The output is:
109 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
It should auto-answer the question and put in the password automatically.
I always use HEREDOC for automating my Q&A in bash and it works fine...
What is the problem here?
OpenSSL (and OpenSSH) takes measures to read the password directly from the terminal rather than from stdin, as a security measure.
However there are a load of ways to supply passwords to OpenSSL. Check man openssl for the section PASS PHRASE ARGUMENTS.
So you could do:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout "pass:mypassword"
... but per the manpage: "Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important"
Or you could do:
printf '%s\n' "$PASS" | {
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
} 3<&0
... which is supposedly more secure than other options because the password won't show up in ps.
As @Graeme said here, I can do it with a heredoc like so.
I have to add -passout stdin for openssl to read from stdin:
cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS
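
Added example, not from the question or the answers: the fd:3 form from the answer above as a complete script that generates a passphrase-protected key non-interactively, then proves the key really is locked with that passphrase by opening it with -passin. It uses -aes256 instead of -des3 (both are accepted by openssl genrsa) and omits -rand; the passphrase and output path are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Passphrase handed to openssl on a file
# descriptor, never on the command line, then verified with -passin.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='correct horse battery staple'        # constructed sample passphrase

# The passphrase arrives on fd 3, so it is not visible in ps output.
make_key() {
    printf '%s\n' "$PASS" | {
        openssl genrsa -aes256 -passout fd:3 -out "$WORK/smtpd.key" 2048 2>/dev/null
    } 3<&0
}

# Exit 0 only if the key file decrypts with the given passphrase.
key_opens_with() {
    printf '%s\n' "$1" |
        openssl pkey -in "$WORK/smtpd.key" -passin stdin -noout 2>/dev/null
}

# True if the on-disk PEM is marked as encrypted (both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 BEGIN line contain it).
key_file_is_encrypted() {
    grep -q 'ENCRYPTED' "$WORK/smtpd.key"
}

make_key
```

The -passout stdin variant from the last post works the same way for a script that has nothing else to read on stdin; fd:3 keeps stdin free and is the form to prefer when the command also consumes input.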
