0

We have a few shell scripts for backup/database dump purposes which have username/password info in them. Is there any way to do this other than SHC, which appears to have some issues?

nitins

4 Answers

2

Encryption will never help for this on its own, as every user who has to run it also needs to be able to decrypt it.

If you need non-admin users to run a backup script, you should use something like sudo to give them the rights to run that script but not the rights to read the passwords (i.e. make sure the permissions are set such that the user can't read them).

JanC
  • +½ for pointing out the pitfall, though the solution requires the script to be non-exploitable which usually no software is ^^ – Oskar Duveborn Sep 17 '10 at 08:15
1

I don't know any encryption solution.

But you might consider another approach by putting your login information into a file with appropriate access rights (MySQL = .my.cnf, PostgreSQL = .pgpass, etc.).

That way you can avoid encrypting your shell scripts which doesn't sound secure to me anyway.

weeheavy
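The option-file approach from the answer above, as an added example that is not part of the original post: the password lives in a mode-0600 MySQL option file, and the backup script refuses to run if that file is a symlink, is owned by someone else, or is readable by group or others. The function names, the `CRED_FILE` variable and the `backup` account name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: credentials live in a private option file, not in the script.
# CRED_FILE and the function names are illustrative assumptions.
CRED_FILE="${CRED_FILE:-$HOME/.my.cnf}"

# Succeeds only if $1 is a regular file (not a symlink), owned by the
# invoking user, with no permission bits set for group or others.
cred_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ldn prints e.g. "-rw------- 1 1000 1000 ..."; field 1 = mode, 3 = uid
    info=$(ls -ldn -- "$f" | awk '{print $1 ":" $3}')
    mode=${info%%:*}
    owner=${info##*:}
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        -???------*) return 0 ;;   # group/other bits all clear
        *)           return 1 ;;
    esac
}

# Write the option file with mode 0600 from the moment it is created.
# The password is read from stdin so it never appears in argv or history.
# Passwords containing '"' or '\' would need option-file escaping (not handled).
write_cred_file() {
    user=$1 dest=$2
    IFS= read -r pass || [ -n "$pass" ] || return 1
    rm -f -- "$dest"               # an existing file would keep its old mode
    ( umask 077 &&
      printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$dest" )
}

# Dump one database, but only if the option file passes the check.
# --defaults-extra-file has to be the first option given to mysqldump.
dump_db() {
    db=$1 out=$2
    cred_file_is_private "$CRED_FILE" || {
        echo "refusing to use $CRED_FILE: not a private regular file" >&2
        return 1
    }
    ( umask 077 && mysqldump --defaults-extra-file="$CRED_FILE" "$db" > "$out" )
}
```

The same check applies to `.pgpass`; as the other answers note, none of this hides the password from root.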
0

Do normal users need to be able to run these scripts? Presumably you could have a backup user and set the permissions on the script to 700. If you really needed to let other people run the script you could use sudo. You have very little chance of hiding the passwords from the root user.

David Pashley
0

Found a good solution using GPG

http://ubuntuforums.org/showthread.php?t=396591&page=2

nitins