freyjagp/blog.raer.me
1
0
Fork 0
Code Actions Packages Releases Activity

new blog entry
Some checks failed
/ Build static site, docker image, upload artifact... (push) Failing after 4s
Details
/ Connect to deployment host, update, and redeploy docs website. (push) Has been skipped
Details

Browse Source
This commit is contained in:
Freyja Odinthrir
2024-05-12 22:22:33 -07:00
parent 63a6ef1152
commit 39ccd1c97f
1 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
content/2024/05/01/20240512.md Normal file
View File

@@ -0,0 +1,36 @@
title: Using passwords in script, securely!
description: Keeping passwords inside of scripts safe from prying eyes.
tags: security, scripting, unix, linux
date: 2024-05-12 21:35
# Storing passwords in plaintext (sorta)
I came across an issue recently wherein I wanted to automate a backup process that requires three different passwords. I had just discovered [borg backup](https://borgbackup.readthedocs.io/en/stable/) and wanted to use it in place of the periodic `rsync -azvh --delete` that I was doing. The rsync method would just sync my home folder to a USB ssd, and one of my two fileservers. This worked, but didn't have the deduplication or archiving benefits of borg. It also required me to mount my fileservers vis nfs which is another manual step in the backup process.
Borg backup works by copying data in blocks. Its much smarter than rsync, and you can encrypt the backups on the fly. For remote backups, they recommend using ssh. They allow you to put the encryption passphrase in an environment variable for automation. I wanted to use borg to backup to three different locations at the push of a button, without storing the backup encryption passphrases in plaintext or entering them every time I run a backup.
Through some trial and error, I settled upon writing my script - passhprases and all - then writing *another* script that encrypts it with my gpg key, and sticks it into *yet another* script that will first decrypt the encrypted script then pipe it directly to bash. That looks like this:
```bash
#!/bin/bash
## This will stop the script if there's no script.sh file in the root dir.
set -e
mv script.sh script.sh
GPG_ID='ENTER_YOUR_GPG_ID'
cat script.sh | gpg --encrypt --armor -r $GPG_ID | base64 --wrap 0 > script.gpg.b64
printf "#!/bin/bash\n\nSCRIPT=\"$(cat script.gpg.b64)\"\n\necho \$SCRIPT | base64 -d | gpg --decrypt --quiet | bash\n\n" > script.obf
chmod +x script.obf
rm script.gpg.b64
```
Now I can take *any* script with passwords in it, and obfuscate it behind a gpg passphrase! How neat!