Julien Vehent on 17 Apr 2012 07:57:38 -0700



Re: [PLUG] Server credential storage best practices


I use 2 bash scripts and a credential file encrypted in AES256 via openssl. Eventually, I keep the credential file in dropbox and my servers.

# To create a new credential file, use:
echo "credential file created on $(date +%Y%m%d)" |openssl aes-256-ecb -e -a -salt -out credential_file.encrypted


To get a password from the credential file:

# =======================================
#!/usr/bin/env bash
# --- getpassword.sh
# opens the credential file and displays it in the terminal
# the argument must be non-empty and name a readable file
if [[ -z "$1" || ! -r "$1" ]]; then
    echo "usage: $0 <ciphered file>"
    exit 1
fi
SECFILE=$1
# no -pass option here: openssl prompts for the passphrase on the terminal
CLEARTEXT=$(openssl aes-256-ecb -d -a -salt -in "$SECFILE")
if [ $? -gt 0 ]; then
    echo "Wrong password, cannot decrypt"
    # exit 1 explicitly: after echo, $? would be 0
    exit 1
else
    echo "$CLEARTEXT"
fi


And to store a password in the credential file:

# =======================================
#!/usr/bin/env bash
# --- storepassword.sh
# store a password in the credential file
if [[ -z "$1" || ! -r "$1" ]]; then
    echo "usage: $0 <ciphered file>"
    exit 1
fi
SECFILE=$1

# decipher access file
echo -n "enter crypto password > "
read -rs CRYPTOPASSWD
echo
CLEARTEXT=$(openssl aes-256-ecb -d -a -salt -in "$SECFILE" -pass "pass:$CRYPTOPASSWD")
if [ $? -gt 0 ]; then
    echo "Wrong password, cannot decrypt"
    # exit 1 explicitly: after echo, $? would be 0
    exit 1
fi
# get new value to store (-r keeps backslashes in the value intact)
echo "enter value to append (1 line)"
echo -n "> "
read -r PASSWD
# printf, unlike echo -e, does not interpret backslashes in the stored data
UPDATED_CLEARTEXT=$(printf '%s\n%s' "$CLEARTEXT" "$PASSWD")
# cipher the updated content to a temporary file, then replace the original
echo "$UPDATED_CLEARTEXT" | openssl aes-256-ecb -e -a -salt -out "$SECFILE.updated" -pass "pass:$CRYPTOPASSWD"
if [ $? -gt 0 ]
then
    echo "Password encryption failed, password not stored in $SECFILE"
    exit 1
else
    mv "$SECFILE.updated" "$SECFILE"
    echo "information successfully encrypted and stored in $SECFILE"
fi


--
Julien Vehent - http://1nw.eu/!j
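
The same create / read / append workflow, as an added example that is not the poster's code: it hands the passphrase to openssl on a file descriptor (the "-pass pass:..." form used in storepassword.sh puts it on the command line, where the process list shows it), uses CBC with PBKDF2 key derivation instead of ECB, and checks the header line because openssl enc output is not authenticated. Function names are hypothetical; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not the original poster's scripts; function names are
# hypothetical. Assumes OpenSSL 1.1.1+ (for -pbkdf2 / -iter) and mktemp.
ENC_OPTS="-aes-256-cbc -pbkdf2 -iter 200000 -salt -a"
MAGIC="credential file created on"    # first line of every credential file

# _enc <passphrase> <openssl enc args...>
# The passphrase is fed to openssl on file descriptor 3 through a here-doc,
# so it never appears on openssl's command line.
_enc() {
    _pass=$1; shift
    openssl enc $ENC_OPTS -pass fd:3 "$@" 3<<EOF
$_pass
EOF
}

# cred_create <file> <passphrase>: new file, readable by the owner only
cred_create() {
    printf '%s %s\n' "$MAGIC" "$(date +%Y%m%d)" |
        (umask 077; _enc "$2" -e -out "$1")
}

# cred_decrypt <file> <passphrase>: print the cleartext, or return 1.
# openssl enc does not authenticate the data, so a wrong passphrase can
# occasionally pass the padding test; the MAGIC comparison catches that.
cred_decrypt() {
    _clear=$(_enc "$2" -d -in "$1" 2>/dev/null) || return 1
    case $_clear in
        "$MAGIC"*) printf '%s\n' "$_clear" ;;
        *) return 1 ;;
    esac
}

# cred_append <file> <passphrase> <line>: re-encrypt with one more line.
# The new ciphertext goes to a temporary file that replaces the original
# only after encryption succeeded.
cred_append() {
    _old=$(cred_decrypt "$1" "$2") || { echo "cannot decrypt $1" >&2; return 1; }
    _tmp=$(mktemp "$1.XXXXXX") || return 1
    if printf '%s\n%s\n' "$_old" "$3" | _enc "$2" -e -out "$_tmp"; then
        mv -- "$_tmp" "$1"
    else
        rm -f -- "$_tmp"
        return 1
    fi
}
```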


On 2012-04-17 6:52, Eric at Lucii.org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I started using Lastpass several months ago.  It's actually working
very well for web site passwords on two different browsers on two
different computers.  Very handy!

I still keep database and server credentials in Keepassx.

Eric

On 04/15/2012 10:13 PM, Rich Freeman wrote:
On Sun, Apr 15, 2012 at 8:11 PM, Eric at Lucii.org <eric@lucii.org> wrote:
I use KeepassX - on Linux, Windows, and Mac and I can keep the encrypted database file in my dropbox folder.

I've been using Lastpass. It is the only synced solution I've found that works on every OS I use (including Android and ChromeOS - though Android support could be better (more an Android limitation than anything else)). Everything is supposed to be encrypted client-side. Obviously most useful for websites, but you can keep secure notes in it.

Rich

- --
#  Eric Lucas
#
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+NS2IACgkQ2sGpvXQrZ/59SQCffgYxX5kiJ9ZCC9MXCIwKN9S6
L40AoIYHuT6AMSJSiE5NNGNgpsRrZOOX
=JGoW
-----END PGP SIGNATURE-----

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
