I started using openssl and my public/private keypair to do some basic
password encryption deciption for use with expect to test production
servers. I found myself first using expect and hard coding my password and then
when I shared the script with someone I start freaking out wondering if
I shared my password by accident. This solves things.
Encrypt your password using your public key and put it as a binary file
somewhere safe like ~/.ssh/.encpass - you have access to decrypt it and
you probably have your public/private key pairs there, but you are not
likely to send that off when you share your cool bash/expect script.
In your bash script, you can simply run the decrypt function:
pass=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa.pem -in ~/.ssh/.encpass)
Now pass has whatever you encrypted and you can use it in your script.
Here's what you do to pull this off. First, create a pem file of your
public private key pair and then encrypt your password. Steps:
> cd ~/.ssh
> openssl rsa -in id_rsa -outform pem > id_rsa.pem
> openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem
> echo "my safe password" > .secret
> openssl rsautl -encrypt -inkey id_rsa.pub.pem -pubin -in .secret -out .encpass
> rm -f .secret
That's it. No need to keep the raw password around, just the encrypted
value. There's other variants you could do, you could create the .encpass
when you need and delete it after, whatever your comfortable with.
No comments:
Post a Comment