Shell Programming and Scripting

Just Ice,

Inline with your suggestion d I came up with a way to encrypt the file using gpg (GNU Privacy guard) and then decrypting it.
'
(1) First encrypt it using the below command which generates a binary encrypted file.

echo "some passphrase" |gpg --passphrase-fd 0 --output <full path of output encrypted file> --symmetric <full path of input file>

(2) Then delete the readable flat file

(3) Within my scripts, decrypt the encrypted environment file using
echo "above passphrase" |gpg --passphrase-fd 0 --output <full path of output decrypted file> --decrypt <full path of input encrypted file>

(4) Source the resulting decrypted flat file and read all variables defined in it and immediately delete it within the script.

With this approach nobody would be able to view the flat file as at any point there will only be an encrypted binary file in the file system.
However the caveat with this approach to hiding DB passwords in the env file from developers is that is that developers need to remember the passphrase to use with GPG.If they have access to passphrase anybody can decrypt the encrypted file.

Can you please suggest a mechanism to read the passphrase from somewhere so that nobody can actually see the passphrase but should be able to use it to encrypt and decrypt the envronment file without any problems ?


thanks

if you have to have the passphrase, put it in a file in a protected directory (i.e., /home/sqadmin/.sqlpp) that is source in the beginning of the script as far away as the line sourcing the password and hidden within comments if you could do it ...

Code:

#! /bin/ksh
# jhkjhkhfkljhfkljhlkjh
. /home/sqadmin/.sqlpp #hgjhgjhghkhkjhkjhk
# kljhkjhkljhkljfhsklljljlj;lkj;lkj;lkj;l
# kjlkjdflkj;lkj;lkj;lkjk;k;'k;'lk;'k;l
# llkjlj;lkjlkj;lkjlkj;lkj;lj;lkj;lkjl;kjlk
# lkj;lkj;lkj;lkjlkjlkj;lj;lkjl;kjlkjlkjl
# lkj;lkjl;kjlkjjlkj;ljlkj;lkjljljlkjlkjljj

script=$0
admin=admin@some.com
log=/dir/log
password=$get_sql_pass
date=$(date +%Y%m%d)

.......
.......
......

exit 0

. . . . . Deleted . . . . .

No, we cannot. If the script can decrypt it, so can anyone examining the script, since by necessity it contains complete instructions for doing so.

You could PPK encrypt it using someone's public key, so only their private key can decode it. The private key is usually in a user-only-readable file 0400. Of course, root can peek!

This nicely protects the public key, but I don't see how this prevents any access to the encrypted file. Same problem as before again. If the script can access the private key, so can they, if the script can decrypt the file from it so can they.

The script can only decode if it has read access to the private key, so it has to be run by that user or root. Admittedly, the LINUX culture had gone sadly root/sudo, and that is only not-root-user-safe and no-backdoor-file-access-safe.

Beyond that, the problem becomes like a movie player/file that only plays when conditions are met. Most of them have been hacked open.

There is password encryption, where the script has to ask for the password.