I have a simple Bash script automating tasks which require password-based authentication. Currently I store the credentials in plain text:

```
$ cat ~/.myconfig
username=foo
password=bar
```

Obviously that's bad - so I wonder whether there's a simple way to encrypt/decrypt the password using my public/private key pair. Using Yet Another Password for the encryption wouldn't gain much, so I want it to happen pretty much automatically.

I've done some research (around here and elsewhere), but am way out of my depth on this one...

A: 

If you simply want to hide the password then store its SHA1 hash. Then compare the hash of the entered password with your stored hash.

Visage
And change file permissions `chmod go-rw myconfig` against dictionary attacks.
Eike
'Automated' means there is no entered password. There's nobody to enter it.
GregS
GregS is right - if I automate entering the actual password by requiring the user to enter another password, there's not much point in storing the actual password in the first place.
AnC
+1  A: 

To automate your task means providing the password; it won't make a difference if you encrypt/obfuscate the password, you'll need to provide the decrypting too.
The only way around this dilemma is an agent-like program, as for example ssh-agent, which stores your passwords for you.

(edit: corrected link)

pavel
ssh-agent sounds like what I'm looking for - however, I can't quite figure out how exactly I should employ it. a) Assuming I load the encrypted password from the file, how do I then decrypt it? b) What do I use to encrypt the password in the first place? (I expect this to be a separate, manual step.)
AnC
ssh-agent was given as an example for how it could be implemented. However, this is a specific solution for ssh-related connections. For your specific situation something similar could be created, but the how depends on your application.
pavel
I guess I was thinking of a keyring/keychain manager to determine and access the respective keypair - but there might not be a portable solution for that. (My application is just a Bash script dispatching some commands - think HTTP basic auth with curl.)
AnC
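
The following is an added example, not part of the original thread. It does not encrypt anything; it applies the file-permission advice from the comments to the `~/.myconfig` format in the question and passes the credentials to curl for HTTP basic auth over stdin instead of the command line. All function names are made up for illustration.

```bash
# Added example. The username=/password= file format is the question's;
# every function name here is hypothetical.

# Succeed only if group and others have no permission bits on file $1.
config_is_private() {
    local mode
    [ -f "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode bits.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print the value of key $2 from file $1. The file is parsed, never sourced,
# so nothing in it can run as shell code.
config_get() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$2="*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# Print a curl config line for user $1 and password $2, escaping backslash
# and double quote as curl's quoted config values require.
curl_auth_config() {
    printf 'user = "%s"\n' "$(printf '%s' "$1:$2" | sed 's/[\\"]/\\&/g')"
}

# Fetch URL $2 with the credentials stored in file $1.
fetch_with_stored_credentials() {
    local user pass
    config_is_private "$1" || { echo "refusing $1: run 'chmod go-rw' on it" >&2; return 1; }
    user=$(config_get "$1" username) || return 1
    pass=$(config_get "$1" password) || return 1
    # curl reads the credentials from stdin ("--config -"), so they are not
    # placed on a command line that other local users can see in the
    # process list, as they would be with "curl -u user:pass".
    curl_auth_config "$user" "$pass" | curl --silent --fail --config - "$2"
}
```

The password is still stored in plain text on disk; the permission check and the stdin hand-off only limit which other local users can read it.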