[CALUG] Encrypting Passwords for Shell Scripts

Michael Orlitzky michael at orlitzky.com
Mon Nov 9 17:58:57 EST 2015


On 11/09/2015 04:27 PM, Rajiv Gunja wrote:
> Hello,
> I have used Oracle Wallet in the past to store passwords for shell
> scripts that need to connect to a database.
> 
> A current project requires storing passwords in an encrypted fashion,
> but Oracle Wallet is not available.
> 
> Let me know how I can achieve this.
> 

We'll need to know more about the project. The most common case of "I
need to encrypt passwords" is when you're storing user credentials for
an application (like a website).

In that case, you should hash the user's password with a "salt" value
before storing it in the database. The bcrypt algorithm was the best
choice for this a few years ago and probably still is. It's built into
PHP for example:

  php> echo password_hash('secret password', PASSWORD_DEFAULT);
  $2y$10$T2O6zzuaCIWkpAlHYFaSUue/2Qy7gIZsRBakK/QOOpwC.tSnYUCk6

You would store that gobbledygook in the database instead of the user's
real password. Then, to check the password (when he tries to log in),
you would hash the thing he typed using the same salt. PHP makes this
easy if you used password_hash():

  php> $hash = password_hash('secret password', PASSWORD_DEFAULT);
  php> echo password_verify('secret password', $hash) == TRUE;
  1
  php> echo password_verify('wrong password', $hash) == FALSE;
  1

For other languages, hit Google and look for "ruby bcrypt" or "haskell
bcrypt" or whatever.

If, on the other hand, you're being asked to encrypt the credentials
that are needed for shell scripts again, I have bad news: it's not
possible. You can pretend to do it to make management happy, but it's
not going to be any better than storing the credentials in plaintext and
making them chmod 400. In that case do whatever they'll fall for.
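
The plaintext-plus-chmod-400 baseline mentioned at the end of the message, as an added example that is not part of the original post: a shell function that hands a stored credential to a script only if the file is a regular file, owned by the calling user, and closed to group and other. The function name `read_secret`, the one-password-per-file layout and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message).
# Hypothetical usage: DB_PASS=$(read_secret "$HOME/.db.pass") || exit 1

read_secret() {
    file=$1

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "read_secret: $file is not a regular file" >&2
        return 1
    fi

    # ls -ldn prints e.g. "-r-------- 1 1000 1000 ..." with a numeric owner.
    read -r mode links owner rest <<EOF
$(ls -ldn -- "$file")
EOF

    if [ "$owner" != "$(id -u)" ]; then
        echo "read_secret: $file is not owned by the calling user" >&2
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits;
    # all six must be "-" (modes such as 400 or 600 pass, 640 or 644 fail).
    case $mode in
        ????------*) ;;
        *)
            echo "read_secret: $file is open to group/other ($mode)" >&2
            return 1
            ;;
    esac

    # Read the first line with the shell builtin, so the secret never
    # appears in another process's argument list.
    secret=
    if ! IFS= read -r secret < "$file" && [ -z "$secret" ]; then
        echo "read_secret: $file is empty" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}
```
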
