-
First, you can NOT hide command line arguments. They will still be visible to other users via
ps aux
andcat /proc/$YOUR_PROCESS_PID/cmdline
at the time of launching the program (before the program has a chance to do run-time changes to arguments). Good news is that you can still have a secret by using alternatives: -
Use standard input:
mySecret="hello-neo" printenv mySecret | myCommand
-
Use a dedicated file if you want to keep the secret detached from the main script (note that you’d be recommended to use full disc encryption and make sure the file has correct
chmod
permissions):cat /my/secret | myCommand
-
Use environment variables (with caveats). If your program can read them, do this:
mySecret="hello-neo" myCommand
-
Use temporary file descriptor:
myCommand <( mySecret="hello-neo" printenv mySecret )
In the last case your program will be launched like myCommand /dev/fd/67
, where the contents of /dev/fd/67
is your secret (hello-neo
in this example).
In all of the above approaches, be wary of leaving the command in bash command history (~/.bash_history
). You can avoid this by either running the command from a script (file), or by interactively prompting yourself for password each time:
read -s secret
s=$secret printenv s | myCommand # approach 2
myCommand <( s=$secret printenv s ) # approach 3
secret=$secret myCommand # approach 4
export secret && myCommand # another variation of approach 4