Encrypt the password in Openssl Command
Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
ssl openssl ssl-certificate
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
add a comment |
Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
ssl openssl ssl-certificate
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52
add a comment |
Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
ssl openssl ssl-certificate
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
Currently, I am supplying the password in plaintext format as below:
openssl genrsa -aes128 -passout pass:foobar 3072
Where foobar is the password supplied in plaintext format .
I want to supply the password using some encrypted format or any other way such that its not easily readable .
ssl openssl ssl-certificate
ssl openssl ssl-certificate
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
edited Nov 24 '18 at 17:54
Jay
15.1k2163121
15.1k2163121
asked Nov 24 '18 at 14:42
soumyasoumya
72
asked Nov 24 '18 at 14:42
soumyasoumya
72
asked Nov 24 '18 at 14:42
soumyasoumya
72
72
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52
add a comment |
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52
add a comment |
2 Answers
2
active
oldest
votes
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
add a comment |
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53459282%2fencrypt-the-password-in-openssl-command%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
add a comment |
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
add a comment |
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
If you indeed did supply the password in an encrypted format as you are requesting, how will provide the encryption key which was used to encrypt the said password to OpenSSL so that OpenSSL can decrypt it and use the correct password?
The password which you are providing to OpenSSL, I assume, is used by OpenSSL to encrypt the RSA Private Key which will be generated. If this is indeed the password which you want OpenSSL to use, then it has to be given in plaintext.
If you are worried that it might be seen by someone, you need to ensure that it is entered in a secure way. But, "encrypted password" is not the solution, as you might end up with a complication of protecting the encryption key for the password itself.
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
answered Nov 24 '18 at 18:05
JayJay
15.1k2163121
15.1k2163121
add a comment |
add a comment |
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
add a comment |
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
add a comment |
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
Usually, the password should be passed via openssl prompt (i.e.: removing the -passout pass:foobar argument).
If you're passing the password via command line because you have to use it in another part of the script, you can use the example below:
echo -n Password:
read -s PASS
openssl genrsa -out keypair.pem -aes128 -passout pass:${PASS}
opnessl req -new -key keypair.pem -passin pass:${PASS}
However, if you really need to generate keys without user interaction, you can use the example bellow, but I wouldn't recommend it for any production environment.
Create a script (e.g.: auto_key_gen.sh) containing the code bellow:
PASS=`openssl rand -hex 16`
openssl genrsa -out auto_keypair.pem -aes128 -passout pass:${PASS}
echo -n ${PASS} | openssl rsautl -encrypt -pubin -inkey $1 -out encrypted_pass.bin
Generate a personal keypair and extract the public key:
openssl genrsa -out mykeypair.pem -aes128
openssl rsa -in mykeypair.pem -out mypubkey.pem -pubout
Keep the personal keypair somewhere safe. The personal public key, you use to run the script:
chmod +x auto_key_gen.sh
./auto_key_gen.sh mypubkey.pem
The script generates a random password and uses it to encrypt the generated key pair (auto_keypair.pem). The password is encrypted with your personal public key and saved in a file (encrypted_pass.bin).
The script can keep the password in "memory" to use with other openssl commands.
You can retrieve the encrypted password using your personal keypair:
openssl rsautl -decrypt -inkey mykeypair.pem -in encrypted_pass.bin -out decrypted_pass.hex
Both the script and the public key must be protected against unauthorized modification.
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
edited Nov 25 '18 at 0:14
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
answered Nov 24 '18 at 23:16
Lucas MartinsLucas Martins
586
586
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53459282%2fencrypt-the-password-in-openssl-command%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
As Jay correctly says, you can't encrypt the passphrase. There are several ways of having it not readable, depending on exactly which kind(s) of readable you care about, but they are described in the man pages which you read before asking, and obviously they were unsuitable for some reason(s) you don't explain, making it impossible to try to help.
– dave_thompson_085
Nov 24 '18 at 23:52