通过stdin安全地将密码传递给openssl [英] Securely passing password to openssl via stdin

问题描述

我们知道我们可以使用以下命令使用openssl加密文件:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass stdin

将从标准输入中读取密码.因此，要预先提供密码，我们需要做的只是添加前缀

echo "someGoodPassword" |

以上命令.我的问题是:如何才能更安全地执行此操作?上面的方法看起来不够安全.

我希望对此发表一些评论，这样我才能更好地理解这个问题.

解决方案

几乎所有您使用的机制都可以被root监听，因此请记住这一点.

echo选项将显示在"ps"列表中，使其易于受到普通用户的监视和查找密码的攻击.<​​/p>

您可以使用-pass file:filename来使用文件，因此可以使用:

sumask=$(umask)
umask 077
rm -f passfile
cat >passfile <<EOM
someGoodPassword
EOM
umask $sumask

这将创建文件，其他帐户不可读(但根用户仍然可以读取).有人假定该脚本仅用于创建密码文件，就像您重复该过程一样，它通常位于文件中，因此您需要chmod go-rwx该文件以使其他用户无法读取该文件.

然后使用:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass file:passfile

使用预先创建的密码文件执行加密.

其他机制是-pass env:ENVVAR使用环境变量的方法(再次将其放入该环境而没有发现窍门)

We know we can encrypt a file with openssl using this command:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass stdin

The password will be read from stdin. As such, to provide the password beforehand, all we need do is prepend

echo "someGoodPassword" |

to the above command. My question is: How can I do this more securely? The above method doesn't look secure enough.

I'd appreciate some comments about this so I can understand this issue better.

解决方案

pretty much any mechanism you use will be snoopable by root, so bear this in mind.

The echo option, will display in the 'ps' listings, making it vulnerable to ordinary users snooping and finding the password.

You can use -pass file:filename to use a file, so you can use:

sumask=$(umask)
umask 077
rm -f passfile
cat >passfile <<EOM
someGoodPassword
EOM
umask $sumask

this creates the file, unreadable by other accounts (but still readable by root). One assumes that the script is being used once only to create the passfile, as if you repeat the process, it tends to be in a file, and therefore you need to chmod go-rwx the file to make it unreadable by other users.

then you use:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass file:passfile

to perform the encryption, using the pre-created password file.

Other mechanisms are -pass env:ENVVAR for using an environment variable (again getting it in there without revealing it is the trick)

这篇关于通过stdin安全地将密码传递给openssl的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！