通过标准输入将密码安全地传递给 openssl [英] Securely passing password to openssl via stdin

问题描述

我们知道我们可以使用以下命令使用 openssl 加密文件:

We know we can encrypt a file with openssl using this command:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass stdin

密码将从标准输入中读取.因此，要预先提供密码，我们需要做的就是添加

The password will be read from stdin. As such, to provide the password beforehand, all we need do is prepend

echo "someGoodPassword" |

到上面的命令.我的问题是:我怎样才能更安全地做到这一点?上面的方法看起来不够安全.

to the above command. My question is: How can I do this more securely? The above method doesn't look secure enough.

感谢您对此提出一些意见，以便我能更好地理解这个问题.

I'd appreciate some comments about this so I can understand this issue better.

推荐答案

您使用的几乎任何机制都可以被 root 监听，所以请记住这一点.

pretty much any mechanism you use will be snoopable by root, so bear this in mind.

echo 选项将显示在ps"列表中，使其容易被普通用户窥探和找到密码.

The echo option, will display in the 'ps' listings, making it vulnerable to ordinary users snooping and finding the password.

你可以使用-pass file:filename来使用一个文件，所以你可以使用:

You can use -pass file:filename to use a file, so you can use:

sumask=$(umask)
umask 077
rm -f passfile
cat >passfile <<EOM
someGoodPassword
EOM
umask $sumask

这会创建文件，其他帐户无法读取(但 root 仍然可以读取).假设脚本只被使用一次来创建密码文件，就好像你重复这个过程一样，它往往在一个文件中，因此你需要 chmod go-rwx 该文件来制作其他用户无法读取.

this creates the file, unreadable by other accounts (but still readable by root). One assumes that the script is being used once only to create the passfile, as if you repeat the process, it tends to be in a file, and therefore you need to chmod go-rwx the file to make it unreadable by other users.

然后你使用:

openssl aes-256-cbc -a -salt -in twitterpost.txt -out foo.enc -pass file:passfile

使用预先创建的密码文件执行加密.

to perform the encryption, using the pre-created password file.

其他机制是 -pass env:ENVVAR 用于使用环境变量(再次将其放入其中而不透露它是诀窍)

Other mechanisms are -pass env:ENVVAR for using an environment variable (again getting it in there without revealing it is the trick)

这篇关于通过标准输入将密码安全地传递给 openssl的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！