Hiding secret from command line parameter on Unix

by

  1. First, you can NOT hide command line arguments. They will still be visible to other users via ps aux and cat /proc/$YOUR_PROCESS_PID/cmdline at the time of launching the program (before the program has a chance to do run-time changes to arguments). Good news is that you can still have a secret by using alternatives:

  2. Use standard input:

     mySecret="hello-neo" printenv mySecret | myCommand

  3. Use a dedicated file if you want to keep the secret detached from the main script (note that you’d be recommended to use full disc encryption and make sure the file has correct chmod permissions):

     cat /my/secret | myCommand

  4. Use environment variables (with caveats). If your program can read them, do this:

     mySecret="hello-neo" myCommand

  5. Use temporary file descriptor:

     myCommand <( mySecret="hello-neo" printenv mySecret )

In the last case your program will be launched like myCommand /dev/fd/67, where the contents of /dev/fd/67 is your secret (hello-neo in this example).

In all of the above approaches, be wary of leaving the command in bash command history (~/.bash_history). You can avoid this by either running the command from a script (file), or by interactively prompting yourself for password each time:

read -s secret
s=$secret printenv s | myCommand  # approach 2
myCommand <( s=$secret printenv s )  # approach 3
secret=$secret myCommand  # approach 4
export secret && myCommand  # another variation of approach 4

More Related Contents:

  1. How can I check if a directory exists in a Bash shell script?
  2. In the shell, what does ” 2>&1 ” mean?
  3. An efficient way to transpose a file in Bash
  4. Can I export a variable to the environment from a Bash script without sourcing it?
  5. Bash tool to get nth line from a file
  6. How can I split a large text file into smaller files with an equal number of lines?
  7. Which characters need to be escaped when using Bash?
  8. How to run the sftp command with a password from Bash script?
  9. “~/Desktop/test.txt: No such file or directory”
  10. How to merge two files line by line in Bash
  11. How to represent multiple conditions in a shell if statement?
  12. How to provide password to a command that prompts for one in bash?
  13. Delete files older than 10 days using shell script in Unix [duplicate]
  14. “Invalid Arithmetic Operator” when doing floating-point math in bash
  15. What do double-asterisk (**) wildcards mean?
  16. How does this bash fork bomb work? [duplicate]
  17. Creating a string variable name from the value of another string
  18. What is a unix command for deleting the first N characters of a line?
  19. Get the date (a day before current time) in Bash
  20. Reading filenames into an array
  21. Is there a way to make bash job control quiet?
  22. What does the double-asterisk (**) wildcard mean?
  23. Bash regex =~ operator
  24. Fastest possible grep
  25. Bash script to receive and repass quoted parameters
  26. Convert Unix timestamp to a date string
  27. File content into unix variable with newlines
  28. Using Bash to display a progress indicator (spinner) [duplicate]
  29. Extract version number from a string
  30. Left side of pipe is the subshell?

Leave a Comment