It is always recommended to use encrypted passwords in Linux bash shell scripts. Typically, a bash shell script may need a password for a remote user when connecting to a remote system, for an FTP user, for a proxy user and so on. In this article, we will cover how to encrypt a password using the openssl command and then see how this encrypted password can be used in a bash shell script.
Encrypt Password Using Openssl
Let’s assume we want to connect to a remote system over ssh using a password inside a shell script. To encrypt a password, use the openssl command below on your Linux system.
$ echo "Passw0rD@#2" | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 \
  -salt -pass pass:Secret@123#
Note: The string following the echo command, ‘Passw0rD@#2’, is the password we want to encrypt, and ‘Secret@123#’ is the passphrase used for the encryption. If your openssl version is 1.1.0 or older, skip the two options ‘-pbkdf2 -iter 100000’.
To save the encrypted password to a file use the following command,
$ echo "Passw0rD@#2" | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 \
  -salt -pass pass:Secret@123# > secret.txt
Set the following permissions on the secret.txt file using the chmod command, so that only the owner can read it,
$ chmod 600 secret.txt
Decrypt Encrypted Password Using Openssl
To decrypt the password, run the command below
$ cat secret.txt | openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 -iter 100000 \
  -salt -pass pass:Secret@123#
Passw0rD@#2
$
Note: If you have looked carefully, we have used the ‘-d’ option to decrypt.
Use Encrypted Password in Bash Shell Script
Use the sample shell script below, which decrypts the password at run time and uses it while connecting to the remote system over ssh.
$ vi sample.sh
#!/bin/bash
USERNAME=devops
PASSWD=$(cat secret.txt | openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 \
  -iter 100000 -salt -pass pass:Secret@123#)
REMOTE=10.20.0.20
sshpass -p "$PASSWD" ssh -o StrictHostKeyChecking=no "$USERNAME@$REMOTE" \
  'dmesg -Tx | grep -i error' > /tmp/a.tmp
Save and close the file.
Make the script executable by running the command below,
$ chmod +x sample.sh
Now run the script to verify that the encrypted password is successfully used to connect to the remote system.
[devops@host1 ~]$ ./sample.sh

Or, with tracing enabled:

[devops@host1 ~]$ bash -x sample.sh
+ USERNAME=devops
++ openssl enc -aes-256-cbc -md sha512 -a -d -pbkdf2 -iter 100000 -salt -pass pass:Secret@123#
++ cat secret.txt
+ PASSWD=Passw0rD@#2
+ REMOTE=10.20.0.20
+ sshpass -p Passw0rD@#2 ssh -o StrictHostKeyChecking=no devops@10.20.0.20 'dmesg -Tx | grep -i error'
Perfect, the output above confirms that the encrypted password is decrypted during execution.
Let’s verify the contents of the /tmp/a.tmp file,
[devops@host1 ~]$ cat /tmp/a.tmp
kern  :info  : [Thu Jun  3 13:36:51 2021] RAS: Correctable Errors collector initialized.
kern  :err   : [Thu Jun  3 13:36:53 2021] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send log
kern  :err   : [Thu Jun  3 13:36:53 2021] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send log
[devops@host1 ~]$
The output above confirms that the script is able to capture the output of the dmesg command. That’s all for this article. I hope you now have an idea of how an encrypted password can be used inside a shell script.
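The same encrypt, decrypt and connect steps, rewritten as an added example (this is not code from the original article) so that neither the key passphrase nor the decrypted password appears on a command line. The bash -x trace above shows both ‘-pass pass:Secret@123#’ and ‘sshpass -p Passw0rD@#2’, and anything on a command line is visible in the process list while the command runs. The example instead keeps the key passphrase in a 0600 file handed to openssl with ‘-pass file:’, creates the key and secret files under ‘umask 077’ so they are never readable by others even before a chmod, and passes the decrypted password to sshpass through the SSHPASS environment variable (‘-e’). The file paths, the user name and the host address are assumptions; the sshpass wrapper is defined but only the encrypt/decrypt round trip is exercised by the demo, since it needs no remote host.

```shell
#!/bin/bash
# Added example, not code from the original article. Paths, user and host
# names below are assumptions.
set -eu

# Same cipher settings the article uses.
OPENSSL_OPTS="-aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt"

# create_key_file KEYFILE
#   Write a random 32-byte key passphrase (base64) to KEYFILE. Running under
#   umask 077 makes the file 0600 at creation, so there is no moment where it
#   exists with wider permissions waiting for a later chmod.
create_key_file() {
    local keyfile=$1
    ( umask 077; openssl rand -base64 32 > "$keyfile" )
}

# encrypt_password KEYFILE SECRETFILE
#   Read the cleartext password from stdin and store it encrypted in
#   SECRETFILE. "-pass file:" reads the passphrase from the key file, so it
#   is never part of the command line.
encrypt_password() {
    local keyfile=$1 secretfile=$2
    ( umask 077; openssl enc $OPENSSL_OPTS -pass "file:$keyfile" > "$secretfile" )
}

# decrypt_password KEYFILE SECRETFILE
#   Print the cleartext password on stdout.
decrypt_password() {
    local keyfile=$1 secretfile=$2
    openssl enc $OPENSSL_OPTS -d -pass "file:$keyfile" < "$secretfile"
}

# run_remote KEYFILE SECRETFILE USER HOST COMMAND
#   Decrypt the password and give it to sshpass via the SSHPASS environment
#   variable (-e) rather than -p, so the cleartext is not on the command line.
#   StrictHostKeyChecking is left at its default so a changed host key is
#   still refused.
run_remote() {
    local keyfile=$1 secretfile=$2 user=$3 host=$4 cmd=$5
    SSHPASS="$(decrypt_password "$keyfile" "$secretfile")" \
        sshpass -e ssh "$user@$host" "$cmd"
}

# demo_roundtrip
#   Encrypt the article's sample password into a private temporary directory,
#   decrypt it again and print the result (constructed sample, no ssh involved).
demo_roundtrip() {
    local dir
    dir=$(mktemp -d)
    create_key_file "$dir/key"
    printf '%s' 'Passw0rD@#2' | encrypt_password "$dir/key" "$dir/secret.txt"
    decrypt_password "$dir/key" "$dir/secret.txt"
    rm -rf "$dir"
}

# Typical use in a script, assuming the two files were created once with
# create_key_file and encrypt_password (assumed paths):
#   run_remote ~/.secrets/key ~/.secrets/secret.txt devops 10.20.0.20 \
#       'dmesg -Tx | grep -i error' > /tmp/a.tmp
if [ "${1-}" = "demo" ]; then
    demo_roundtrip
fi
```

Run ‘./script.sh demo’ to see the round trip print Passw0rD@#2. The key file is still on disk, so this only moves the secret out of the script and out of the process list; whoever can read the key file and the secret file can still recover the password, which is why both are created 0600 and owned by the account that runs the job.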
thanks, I found this very easy to follow. Got it all working in about 10 mins. Much better than cleartext passwords 🙂
What is the advantage of encrypting the original password but including the decryption password?
Hi Joe,
From a security point of view, using an encrypted password in a shell script plays an important role.
I was planning to ask the user for the secret password before decrypting the file. Or maybe use a public key of some kind.
ssh -o StrictHostKeyChecking=no: in this, -o is not found. Can anyone help?
I’m interested if this can be used locally with sudo? So I have a script that runs without terminal using a GUI with only a few limited operations needing root for file access. I’ve found sudo is only reliable across versions when using the -S switch but this always needs a clear text password. One idea I had is using OpenSSL like the above to encrypt a piped password using a random key and then use the key each time to decode it when needed. But, I started off with both a pass code and key in variables, so they are still in the same unprotected place. I wonder then if it would be safer to save the code to a temporary file instead? A slight issue I see with saving and then chmodding a file is that a file could be intercepted before the permissions are set. It would be good to specify this but that is the limits of redirection I suppose.