
Re: encryption



On 04/21/18 12:10, Brian wrote:
On Sat 21 Apr 2018 at 13:54:03 -0500, David Wright wrote:

On Sat 21 Apr 2018 at 19:14:06 (+0100), Brian wrote:
On Sat 21 Apr 2018 at 11:36:05 -0500, David Wright wrote:

On Fri 20 Apr 2018 at 20:38:48 (+0100), Brian wrote:
I have a script. It contains an important password.

If you   cat /usr/local/bin/myscript   do you see your important
password on the screen?

With the unencrypted file - yes. With the encrypted file -no.

I have encrypted the script with

   scrypt [enc] -t 10 /usr/local/bin/myscript

I can, of course, decrypt it with

   scrypt dec /usr/local/bin/myscript

and then execute the script.

The two last steps have been combined into

   DECRYPT=$(scrypt dec /usr/local/bin/myscript) && eval "$DECRYPT"

Should I have any more concerns with this command than I have with the
two-step process?

If so, then won't the password be revealed by ps while eval is
evaluating it?

I do not know the most efficacious way to see the ps output in real time
as eval runs. With a bit of trial and error (scrypt is slow enough to
switch to another console and use ps) I captured

23266 pts/7    R+     0:00 mpw -q -F     -M                                       -t     railcard

in its output. mpw is the basic command executed by myscript. Switches
are shown but not parameters. -M is the very important one. The gap
would be occupied by the passphrase.

Is it possible that ps output does not show parameters to switches?

Not AFAIK. Here, I can see lines in the list such as:

Then I do not understand why parameters are not shown.

Probably because you did not provide the -f option to ps(1).


When discussing console commands, it is best to cut and paste complete console sessions into your post -- prompts, commands entered, and all output produced. Redact sensitive information as needed.


Maybe they come
later in the output? I can foresee a few sleepless nights trying to
figure this out. :)

Type:

$ man ps


See the section 'OUTPUT FORMAT CONTROL'


At this juncture it appears I should have no worries about ps revealing
the secret.

Incorrect. If a password is passed via a command-line option, 'ps -f' will reveal the password.


ccrypt(1) provides the -E (--envvar) option for providing the name of an environment variable containing the keyword to prevent this vulnerability:

https://manpages.debian.org/stretch/ccrypt/ccrypt.1.en.html

https://packages.debian.org/search?suite=all&section=all&arch=any&searchon=names&keywords=ccrypt


David
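As an added example that is not part of this thread (neither Brian's nor David's code), the script below starts a stand-in command with a secret passed the two ways discussed above, mpw -M style as a command-line option and ccrypt -E style through a named environment variable, and reports whether the secret shows up in the process's argument list, which is what 'ps -f' prints. The names demo-cmd and DEMO_PASS and the secret value are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: what another process on the host can
# read from a running command's argument list (what 'ps -f' prints).
# 'demo-cmd' stands in for mpw/scrypt; the secret is a constructed value.

DEMO_SECRET='constructed-demo-passphrase'

# Print the argument list of process $1 on one line, as 'ps -f' shows it.
# /proc/PID/cmdline is world-readable on Linux; fall back to ps elsewhere.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start the given command in the background, read its visible argument
# list, stop it, and print "leaked" or "hidden" for DEMO_SECRET.
probe_args() {
    "$@" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1                             # let the child finish exec()
    args=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    case "$args" in
        *"$DEMO_SECRET"*) echo leaked ;;
        *)                echo hidden ;;
    esac
}

# Secret given as an option value, like 'mpw -M <passphrase>': visible.
secret_as_argument() {
    probe_args sh -c 'sleep 3; :' demo-cmd -M "$DEMO_SECRET"
}

# Secret given through an environment variable whose *name* is on the
# command line, like 'ccrypt -E DEMO_PASS': absent from the argument list.
secret_as_envvar() {
    DEMO_PASS="$DEMO_SECRET"; export DEMO_PASS
    probe_args sh -c 'sleep 3; :' demo-cmd -E DEMO_PASS
    unset DEMO_PASS
}
```

The environment variable route keeps the secret out of 'ps -ef' for other users, but the same uid and root can still read it from /proc/PID/environ, so it narrows the exposure rather than removing it.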

