In this article, we will learn how to use the encrypted password in a bash script.
We often write scripts for automation. This allows us to perform repetitive tasks in a short period of time with high accuracy. However, the situation becomes challenging when we want to access sensitive information from the script, for example, usernames and/or passwords. In such cases, we can encrypt the password and access the same from the script.
In this article, we will discuss how to encrypt and decrypt the password using the openssl command. We will also discuss how this approach allows us to use sensitive information in a secure way.
Encrypting Password
openssl is a command line utility that provides a variety of cryptography functions of OpenSSL’s crypto library from the shell. We can use it for various purposes such as:
- To create and manage private keys
- To perform public key cryptographic operations
- To create X.509 certificates
- To perform SSL/TLS Client and Server Tests
However, in this article, we will use it for password encryption and decryption.
Let’s assume that our password is T0pS3cr3t. Now, let’s encrypt it using the below command:
$ echo 'T0pS3cr3t' | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'
In this example, we have used a lot of parameters with the command. Let’s understand the purpose of each parameter:
- enc -aes-256-cbc: It represents the encoding type. We are using 256 block Advanced Encryption Standard with Cipher Block Chaining(CBC)
- md sha512: It represents the message digest type. We’re using the SHA512 cryptographic algorithm
- a: It represents encoding and decoding in base64 formation. It performs encoding the operation after encryption and decoding before the decryption
- pbkdf2: It represents the Password-Based Key Derivation Function 2(PBKDF2) which makes brute force attacks much more difficult
- iter: It represents the number of computations that will be used by the PBKDF2. In this case, it’s 1000
- salt: It represents random data which makes the encrypted output different every time, even with the same plain text
- pass: It represents the password that will be used to encrypt the data. In our case, this is An0terS3cr3t. Now onwards, we will call it an encryption password.
Decrypting Password
In a similar way, we can decrypt the password using the openssl command. For example, the below command decrypts the password:
$ echo U2FsdGVkX1+MwDT7EXWSyZn+/7sv/vnkWb0JfQcSDzQ= | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t' -d
In this example, we have used the exactly same parameters along with the addition -d option. Here, the -d option indicates the decrypt operation.
Using an Encrypted Password in a Script
In this section, we will write a shell script which uses the encrypted password.
First, create a zip file with the password T0pS3cr3t:
$ zip -e secrets.zip *.txt
In this example, we have used the -e option with the command which accepts the password from the command line.
Next, encrypt the password of the zip file and store it in the text file using the below command:
$ echo 'T0pS3cr3t' | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t' > .password
Now, update the permission of the file so that only the owner of this file or the root user can access it:
$ chmod 600 .password
Finally, decrypt the password using the openssl command as shown below:
$ cat .password | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t' -d
Now, we have a zip file and encrypted password. So, let’s write the bash script to extract the zip file
$ cat extract-zip.sh
#! /bin/bash
ZIP_FILE="secrets.zip"
ZIP_PASSWORD=`cat .password | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t' -d`
echo "Step-1: Directory contents before extracting zip:"
ls -1
echo -e "\n"
# Extract zip file
echo "Step-2: Extracting the zip: "
unzip -P ${ZIP_PASSWORD} ${ZIP_FILE}
echo -e "\n"
echo "Step-3: Directory contents after extracting zip: "
ls -1
Next, set the executable permission on the script using the chmod command,
$ chmod +x extract-zip.sh
Finally, execute the script and observe the result:
$ ./extract-zip.sh
Here, we can see that script is able to perform the unzip operation successfully.
Conclusion
In this article, we discussed how to use the encrypted password in a bash script. First, we saw how to use openssl command to encrypt and decrypt a password. Then we saw how to use the same approach in a shell script. I hope you have found it informative. Please do post your queries and feedback in the below comments section.
Also Read: How To Use Variables in Bash Script (Simple Guide)