
I have a script that runs on a VPS at a cheap cloud provider. The scenario is: I trust my provider, but I prefer to make his life hard if he ever wants to steal my key. All the folders of interest on the hard disk are encrypted (TrueCrypt or similar), and are in the clear only when the machine is up (all the time, but if they take out the HDD, they will not be able to look at my data).

Which is the best solution to handle a Dropbox API Key inside a script?

Note: the script will get files from FTP, upload them to Dropbox and delete them from the disk.

I was thinking of storing an encrypted file (openssl/pgp) and, as I launch the script (with the decryption key, typed manually), it will decrypt the key, store it as a variable and use it when needed (the script will remain alive forever).

Any ideas/comments?

Michael
As there is no way to be 100% secure with 'standard consumer' solutions, I think I will go for S3 storage, where I will be able to create a key only for uploading files and I will be safer; for a small amount of GBs, it will cost about $5/year – Michael Jun 19 '15 at 12:36

2 Answers


You could use something like python-gnupg to have a file encrypted with gnupg. To achieve "real" security you need to put a passphrase on the private key; otherwise you have the encrypted file containing the password and the private key on the same server, so decrypting the file would be trivial. The bad thing about having a passphrase is that every time you start your script you would need to type the passphrase, but that could be minimized by using gpg-agent and only typing the password while booting the machine.

Pablo Martinez
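The pattern this answer describes (a gpg-encrypted key file, passphrase typed once at launch, key held only in process memory), as an added example that is not from the question or this answer: it shells out to the gpg binary rather than using python-gnupg, and assumes gpg 2.x is installed and that the key file was created beforehand with `gpg --symmetric`. `Secret`, `load_api_key` and `roundtrip_ok` are names chosen here; the sample token inside is constructed.

```python
import getpass
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

GPG_BASE = ["gpg", "--batch", "--quiet", "--yes", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0"]  # passphrase arrives on stdin, never in argv (visible in `ps`)

class Secret:
    """Wraps the decrypted key so str()/repr()/logging never reveal it."""
    def __init__(self, value: str):
        self._value = value
    def reveal(self) -> str:
        return self._value
    def __repr__(self) -> str:
        return "Secret(<redacted>)"
    __str__ = __repr__

def load_api_key(encrypted_path, passphrase, gnupghome=None) -> Secret:
    """Decrypt a file made with `gpg --symmetric`; the plaintext key stays in memory only."""
    env = dict(os.environ, GNUPGHOME=str(gnupghome)) if gnupghome else None
    out = subprocess.run(GPG_BASE + ["--decrypt", str(encrypted_path)], env=env,
                         input=(passphrase + "\n").encode(), capture_output=True, check=True)
    return Secret(out.stdout.decode().strip())

def roundtrip_ok():
    """Self-check with a constructed sample key in a throwaway GNUPGHOME; None = gpg cannot run here."""
    if shutil.which("gpg") is None:
        return None
    sample, passphrase = "sl.EXAMPLE-not-a-real-dropbox-token", "correct horse battery staple"
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "gnupg")
        home.mkdir(mode=0o700)  # gpg refuses a home directory that others can read
        plain, enc = Path(tmp, "key.txt"), Path(tmp, "key.txt.gpg")
        plain.write_text(sample)
        env = dict(os.environ, GNUPGHOME=str(home))
        try:
            subprocess.run(GPG_BASE + ["--symmetric", "--output", str(enc), str(plain)], env=env,
                           input=(passphrase + "\n").encode(), capture_output=True, check=True)
            got = load_api_key(enc, passphrase, home).reveal()
        except subprocess.CalledProcessError:  # e.g. no usable gpg-agent inside a sandbox
            return None
        return got == sample

if __name__ == "__main__":  # typed once at launch; the FTP-to-Dropbox loop then calls .reveal()
    api_key = load_api_key(Path(sys.argv[1]), getpass.getpass("Key passphrase: "))
    print("loaded:", api_key)  # Secret(<redacted>)
```

Run it as `python script.py dropbox.key.gpg`; the only copy of the token outside RAM is the gpg-encrypted file, which is useless without the passphrase typed at the console.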

This would be security through obscurity, but there is hardly any other option. If you want to make life hard for the potential thief, I would suggest embedding the key inside the script and later converting the script into an executable using shc. You might also want to obfuscate the ELF itself (Methods to obfuscate an elf). Keep in mind, however, that whatever you do, it can still be disassembled and studied.

Konrad Gajewski