Re: encryption

To: debian-user@lists.debian.org
Subject: Re: encryption
From: David Christensen <dpchrist@holgerdanske.com>
Date: Fri, 20 Apr 2018 17:07:10 -0700
Message-id: <[🔎] dcf0dea7-4f9b-9fb1-5b65-c122681c77ea@holgerdanske.com>
In-reply-to: <[🔎] 20042018201750.130d9143617e@desktop.copernicus.org.uk>
References: <[🔎] 20042018201750.130d9143617e@desktop.copernicus.org.uk>

On 04/20/18 12:38, Brian wrote:

T have a script. It contains an important password.

I have encrypted the script with

   scrypt dec -t 10 /usr/local/bin/myscript


Looking at:

http://manpages.org/scrypt

That command decrypts /usr/local/bin/myscript (and I don't know if the-t option is valid for decryption).

I can, of course, decrypt it with

   scrypt dec /usr/local/bin/myscript

Assuming /usr/local/bin/myscript is ciphertext, that command will printthe script on STDOUT.

As scrypt is going to prompt you for a passphrase anyway, why don't youleave the script unencrypted and revise it to prompt for the "importantpassword"?

and then execute the script.


How are you executing a script printed on STDOUT?  A pipeline?

The two last steps have been combined into

   DECRYPT=$(scrypt dec /usr/local/bin/myscript) && eval "$DECRYPT"

Should I have any more concerns with this command than I have with the
two-step process?

If the script is too big to fit in an environment variable, that wouldbe a problem.

Assuming the script fits into an environment variable, evaluating thatvariable in double-quoted context requires deep understanding of bothyour shell and the script (especially if the script is written for adifferent shell, and potentially a different version of the same shell).If you're intent upon doing it this way, be sure to test thoroughly.

A pipeline would be more conventional-- decrypt the ciphertext and pipethe script to the appropriate interpreter. Here is an example usingPerl and the ccrypt tools:


2018-04-20 16:59:50 dpchrist@vstretch ~/sandbox/ccrypt
$ ll secret-script.pl
-rwxr-xr-x 1 dpchrist dpchrist 66 2018/04/20 16:58:19 secret-script.pl*

2018-04-20 17:00:02 dpchrist@vstretch ~/sandbox/ccrypt
$ cat secret-script.pl
#!/usr/bin/env perl
print "The important password is 'secret'\n";

2018-04-20 17:00:08 dpchrist@vstretch ~/sandbox/ccrypt
$ ./secret-script.pl
The important password is 'secret'

2018-04-20 17:00:14 dpchrist@vstretch ~/sandbox/ccrypt
$ ccencrypt --key foo secret-script.pl

2018-04-20 17:00:26 dpchrist@vstretch ~/sandbox/ccrypt
$ ll secret-script.pl.cpt
-rwxr-xr-x 1 dpchrist dpchrist 98 2018/04/20 16:58:19 secret-script.pl.cpt*

2018-04-20 17:00:30 dpchrist@vstretch ~/sandbox/ccrypt
$ ll decrypt-run-secret.sh
-rwxr-xr-x 1 dpchrist dpchrist 86 2018/04/20 16:57:27 decrypt-run-secret.sh*

2018-04-20 17:00:40 dpchrist@vstretch ~/sandbox/ccrypt
$ cat decrypt-run-secret.sh
#!/usr/bin/env sh
echo "The decryption key is 'foo'"
ccat secret-script.pl.cpt | perl

2018-04-20 17:00:51 dpchrist@vstretch ~/sandbox/ccrypt
$ ./decrypt-run-secret.sh
The decryption key is 'foo'
Enter decryption key:
The important password is 'secret'


David

Reply to:

Follow-Ups:
- Re: encryption
  - From: Brian <ad44@cityscape.co.uk>

References:
- encryption
  - From: Brian <ad44@cityscape.co.uk>

Prev by Date: Re: apt-get: Error: Timeout was reached
Next by Date: X does not work in Debian 9.4
Previous by thread: Re: encryption
Next by thread: Re: encryption
Index(es):
- Date
- Thread