How to Use Encrypted Passwords in Shell Scripts on Linux

Bash scripts are an important part of a system administrator’s job. They allow you to automate both mundane and critical tasks.


One of the best things about scripts is that they can run independently without human intervention, but sometimes it can be difficult to automate tasks that require user passwords. Let’s look at how you can safely automate scripts that require passwords without compromising security.


Creating a simple script

Let’s say you want to create a simple script that backs up your Linux home folder to a remote location so you can easily restore your data in case of data loss.

First, create a bash script file in your home folder using the touch command or some other method and name it backup_home.sh. Feel free to use any name and directory of your choice.

The script uses the rsync command, a powerful file copy tool, to back up all files in your local home directory to a remote server.

Copy and paste the contents of the following script into your bash file. Remember to replace the user john with the correct name of your local home user. Also, provide the correct username and IP address for the remote server.

#!/bin/bash
rsync -avl --mkpath /home/john user_name@remote_server:/home/Backup

If you don’t have a remote server to test with, you can just install VirtualBox and set up a VM on your local machine. Use the VM guest as your remote server.

Save the file. To run the script, you must grant it execute permission with the command sudo chmod 755 backup_home.sh. All users can run the script, but only the sudo users can modify the file.

Finally, run the bash script from the terminal with the following command:

./backup_home.sh

Whenever you run this script, you will be prompted for the remote server’s password. This is not ideal if you want to run the script without human intervention, e.g. when using cron.

Automate password login

To automate the login, install sshpass, a non-interactive password provider, on your local PC or the PC from which you run the script.

On Debian-based distributions

If you are using a Debian-based distribution such as Ubuntu, Pop!_OS or Lubuntu:

sudo apt update && sudo apt install sshpass

On RHEL and Fedora

dnf install sshpass

After installing sshpass, change the script to look like the following.

#!/bin/bash
sshpass -p "yourpassword" rsync -avl --mkpath /home/john user_name@remote_server:/home/Backup

Enter the password in plain text here. Obviously this is not the ideal way as it is not safe and not good practice. If the script ever gets into the wrong hands, you’re in big trouble.

To make this more secure we use GnuPG, a secure and open source encryption tool.

Encrypt your password

GnuPG is installed by default on most Linux systems, but in case you don’t have it installed on your system, you can install GnuPG as follows.

Create a hidden file named .secrets with the command touch .secrets. Since we’ve hidden the file by default as an extra security measure, here’s how to view hidden files on Linux.

In the .secrets file, enter and save your remote PC’s password.

Next, encrypt the file with the gpg command.

gpg -c .secrets

You will be asked to enter a secure and strong passphrase to open the encrypted file.

GnuPG creates a new file with the extension .gpg appended to the old filename. Your new filename should now be .secrets.gpg, assuming you used .secrets as the filename.

If you print the contents of .secrets.gpg with the cat command, you will see gibberish text, which shows that your password is encrypted.

To view the contents of the file in plain text, you need to decrypt it with the following command (you will be prompted to enter the password you set during encryption):

gpg -dq .secrets.gpg

Using an encrypted password in your script

To use the encrypted password in the script, update the script as follows:

#!/bin/bash
gpg -dq .secrets.gpg | sshpass rsync -avl --mkpath /home/john user_name@remote_server:/home/Backup

Run the backup script again and this time you will not be prompted for a password.
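A fail-closed variant of the script above, added here as an example and not part of the original article: it refuses a secret file that is readable by group or others, and stops before rsync runs if decryption fails or returns nothing, where a bare pipe would hand sshpass an empty password. The function names, the --run argument and the SECRET_FILE, SRC and DEST variables are illustrative; it assumes the gpg passphrase is already available to gpg-agent when the script runs unattended.

```shell
#!/bin/bash
# Added example, not the article's script: a fail-closed backup_home.sh.
# SECRET_FILE, SRC, DEST and all function names are illustrative placeholders.
SECRET_FILE="${SECRET_FILE:-$HOME/.secrets.gpg}"
SRC="${SRC:-/home/john}"
DEST="${DEST:-user_name@remote_server:/home/Backup}"

# True only if $1 is a regular file with no group/other permission bits.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Decrypt to stdout. Assumption: under cron the passphrase is already
# available to gpg-agent; if it is not, gpg exits non-zero.
decrypt_secret() {
    gpg --batch --quiet --decrypt "$1"
}

# Load the password into BACKUP_PW, refusing unsafe or unusable input.
load_password() {
    secret_perms_ok "$1" || { echo "refusing $1: missing or group/other-accessible" >&2; return 2; }
    BACKUP_PW=$(decrypt_secret "$1") || { unset BACKUP_PW; echo "cannot decrypt $1" >&2; return 3; }
    [ -n "$BACKUP_PW" ] || { unset BACKUP_PW; echo "decrypted secret is empty" >&2; return 4; }
}

# With no option, sshpass reads the password from stdin; printf is a shell
# builtin, so the password never appears in another process's arguments.
run_backup() {
    load_password "$SECRET_FILE" || return $?
    printf '%s\n' "$BACKUP_PW" | sshpass rsync -avl --mkpath "$SRC" "$DEST"
    rc=$?
    unset BACKUP_PW
    return "$rc"
}

# Transfer only when called as "backup_home.sh --run", e.g. from cron.
if [ "${1:-}" = "--run" ]; then
    run_backup
    exit $?
fi
```

Run chmod 600 on .secrets.gpg before the first run, otherwise the script exits with status 2 without contacting the server.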

Automate tasks with bash scripts

Commonly used for securing sensitive files and data on your PC, GnuPG is also a great tool for securing passwords in automated bash scripts on Linux.

You can do a lot with bash scripts. Bash is a powerful tool that you can use to automate many things on Linux, and learning to write bash scripts is a worthwhile investment.
