I have stored the password as plain text in a txt file. Now I want to write the script which will read the plain text from the txt file and after that it should encrypt that and decrypt that.
What is "that"? Why won't you use a tool like GnuPG to do this? – Kusalananda Jun 22 '16 at 07:27
2 Answers
Encrypting a password is useless when you can't keep it encrypted. The instant you decrypt it, it's vulnerable again.
No matter how cryptographically hard they are, the encryption and decryption methods are right there for anyone to see and copy-paste anyway. That just makes it sillier.
chmod will be a much better defense against snooping than a Rube Goldberg machine, but with some work you might be able to avoid using stored passwords at all, which would be a very good thing. Because: retrievably stored passwords are security hot potatoes and to be avoided. They're such a bad idea that sudo, su, ssh, scp, and sftp don't just avoid them, they're all specifically designed to stop you from using them too.
If you plan on having it prompt you for a password, which has limited use, but I'll entertain the possibility for operations automation or something, you can use a utility like openssl.
$ echo foobar | openssl enc -aes-128-cbc -a -salt -pass pass:asdffdsa
U2FsdGVkX1/lXSnI4Uplc6DwDPPUQ/WjHULJoKypTO8=
$ echo U2FsdGVkX1/lXSnI4Uplc6DwDPPUQ/WjHULJoKypTO8= | openssl enc -aes-128-cbc -a -d -salt -pass pass:asdffdsa
foobar
Alternatively you can do this,
$ touch pass.txt && echo foobar > pass.txt
$ openssl bf -a -salt -in pass.txt -out secret && rm -f pass.txt
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:
$ openssl bf -d -a -in secret -out pass.txt
enter bf-cbc decryption password:
$ cat pass.txt
foobar
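The same openssl enc round trip as an added example that is not part of the answer above, written so the passphrase is handed to openssl on a file descriptor instead of on the command line (where `-pass pass:...` shows up in `ps`), and so the ciphertext file is created mode 0600, since the answer's point is that file permissions are the real defence. It assumes OpenSSL 1.1.1 or later for `-pbkdf2`; the file names and passphrase are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the answer. Assumes OpenSSL 1.1.1+ (-pbkdf2).
set -eu

# Encrypt $1 into $2. The passphrase is read from file descriptor 3
# (-pass fd:3), so it never appears in the process list the way
# "-pass pass:asdffdsa" does. umask 077 makes the output file 0600.
encrypt_file() {
    ( umask 077
      openssl enc -aes-256-cbc -salt -pbkdf2 -a -pass fd:3 -in "$1" -out "$2" )
}

# Decrypt $1 to stdout; the passphrase is again supplied on fd 3.
decrypt_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -a -pass fd:3 -in "$1"
}

# Demonstration with a constructed secret ("foobar") and passphrase.
# Prints the decrypted text; fails if the ciphertext file still contains
# the plaintext or was not created with mode 0600.
roundtrip() {
    tmpdir=$(mktemp -d)
    printf 'foobar\n' > "$tmpdir/pass.txt"
    printf 'correct horse\n' > "$tmpdir/passphrase"   # constructed passphrase

    encrypt_file "$tmpdir/pass.txt" "$tmpdir/secret" 3< "$tmpdir/passphrase"
    rm -f "$tmpdir/pass.txt"                          # plaintext is gone now

    # The stored file must not leak the plaintext and must be 0600 exactly.
    if grep -q foobar "$tmpdir/secret"; then rm -rf "$tmpdir"; return 1; fi
    if [ -z "$(find "$tmpdir/secret" -perm 600)" ]; then rm -rf "$tmpdir"; return 1; fi

    out=$(decrypt_file "$tmpdir/secret" 3< "$tmpdir/passphrase")
    rm -rf "$tmpdir"
    printf '%s\n' "$out"
}
```

Running `roundtrip` from an interactive shell prints `foobar`; with a different passphrase on fd 3, openssl reports a bad decrypt instead of producing the secret.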

It is not generally a good idea to keep encrypted passwords around. It is better to store the hashes, and when comparing a string to the password, you encrypt it again with the same algorithm, and compare the hashes. Granted, it is not what the OP asks, but would be my recommendation. – Rui F Ribeiro Jun 22 '16 at 13:08
-
@RuiFRibeiro that's what I said: "Encrypting a password is useless when you can't keep it encrypted. The instant you decrypt it, it's vulnerable again." Initially I had thought of writing that, but anyway thanks for reminding me, I will update it soon. – Rahul Jun 22 '16 at 13:11
-
Thanks for the code. I wonder how strong aes-128 is. What is the strongest cipher the current openssl can provide that I can use it here? Thanks. – user180574 Jul 28 '17 at 17:37
Sounds like you may want to reinvent the wheel. My personal suggestion would be to create a text file with your desired passwords in it, arranged in an aesthetically pleasing way for you (unique username, password, and site it belongs to on each line?).
Generate a 4096-bit RSA key using gpg --full-gen-key, picking "RSA and RSA". Or, hell, 2048-bit is still safe to use technically. Just don't go lower than 2048-bit.
gpg -e passwords.txt to encrypt the file with the passwords in it.
Type the name of the recipient (which would be you). Then once it's finished, verify that passwords.txt.gpg exists. Then delete the original (unencrypted) passwords.txt.
Now the easy part.
When you want one of the passwords in the file, run gpg -d passwords.txt.gpg
All you have to remember is the one password you picked when generating the RSA key, and the unencrypted contents will be dumped out to stdout (the terminal you're using). Easy squeezy lemon peazy.
An alternative to RSA would be to use this key generation method: gpg --full-gen-key --expert, then choose Option 9 - "ECC and ECC". For the Algorithm, pick Brainpool P-512. Much faster key generation than RSA, and just as secure with a smaller key size. Personal preference really. The rest of my reply (encryption/decryption of password file) still applies.
Alternatively, you could go the super duper easy route and just use premade software like KeePassX to store passwords encrypted.