How to create an encrypted data bag in Chef - windows

I know that this topic has answers here, but I've got some problems and I would like to start from scratch.
First step is to create a key file:
openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret
but how to run this command on Windows? The tr command is not recognised.
I generated an openssl key and copied it to a txt file, then followed the Chef docs step by step, but it doesn't work: the data bag isn't encrypted. I think I have to run the command above, but I don't know how to do this on Windows.

An equivalent in pure Ruby would be:
C:\chef\embedded\bin\ruby -e 'require "securerandom"; STDOUT.write(SecureRandom.base64(512))' > C:\chef\encrypted_data_bag_secret
Tweak the C:\chef path as appropriate, I don't have a Windows box handy to check the current default paths.
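A Python 3 equivalent of the same step, added here as an example (it is not from the question or the answer above, and it assumes a system Python is installed; the output path is a constructed placeholder). It reproduces what `openssl rand -base64 512 | tr -d '\r\n'` does (512 random bytes, base64, no line breaks), writes the file in binary mode so Windows cannot add CRLF, and includes a check that flags a secret file that still contains line breaks or is not base64 at all.

```python
import base64
import binascii
import secrets


def generate_secret(nbytes=512):
    """Base64 secret with no line breaks: the same material as
    `openssl rand -base64 512 | tr -d '\\r\\n'`. base64.b64encode never wraps
    lines, so the tr step is unnecessary here."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def write_secret(path, secret):
    """Write in binary mode, without a trailing newline, so Windows text-mode
    handling cannot turn the end of the file into CRLF."""
    with open(path, "wb") as fh:
        fh.write(secret.encode("ascii"))


def check_secret_bytes(raw, min_bytes=512):
    """Validate the raw contents of a secret file. Returns a list of problems;
    an empty list means: no CR/LF, valid base64, at least min_bytes decoded."""
    problems = []
    if b"\r" in raw or b"\n" in raw:
        problems.append("contains CR or LF characters; strip them (the tr step)")
    stripped = raw.replace(b"\r", b"").replace(b"\n", b"")
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except binascii.Error:
        problems.append("not valid base64")
        return problems
    if len(decoded) < min_bytes:
        problems.append("only %d random bytes, expected at least %d" % (len(decoded), min_bytes))
    return problems


def check_secret_file(path, min_bytes=512):
    with open(path, "rb") as fh:
        return check_secret_bytes(fh.read(), min_bytes)


if __name__ == "__main__":
    # Constructed placeholder path; point it at the location your knife config
    # names for encrypted_data_bag_secret.
    target = "encrypted_data_bag_secret"
    write_secret(target, generate_secret())
    print("problems:", check_secret_file(target) or "none")
```

Run `check_secret_file` against a secret you produced by hand (for example one pasted into a text editor) before using it: a file that fails the CR/LF check is the one most editors on Windows produce from wrapped openssl output.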

Related

Unable to install sdkman on macos

I am unable to install sdkman on my macOS. I referred to "sdkman install" and "Can't install sdkman on Mac OS". Still, I am missing something. Can someone please help me? I am new to macOS and sdkman.
When I go to the bash terminal and type curl -s "https://get.sdkman.io" | bash, it prints the message "failed to write body" on the terminal and opens my bash profile. What am I supposed to do next? I tried to follow the steps mentioned at the above URLs, and even used source as suggested, but I guess something is missing. I actually never write anything in my bash profile, so source would not even do anything. I made multiple attempts using what I found online, but sdk version never gives any output; it kept saying sdk command not found. I found online that I needed to upgrade curl, and I even did that, still with no success. Can someone please write / explain the steps that I am missing? I would appreciate it. I did search online, but either the steps are not clear or I am not getting something right. Thanks.
It looks more likely that the piped bash closes the read pipe before the preceding curl finishes writing the whole page. When you issue curl -s "https://get.sdkman.io" | bash, as soon as the piped bash has what it wants, it closes the input stream from the preceding curl right away. But cURL doesn't really expect this and throws a "failed writing body" error. You might want to try piping the stream through an intermediary program that always reads the whole page before feeding it to bash. For instance, you can try something like this (running tac twice before piping to bash):
curl -s "https://get.sdkman.io" | tac | tac | bash
tac is a Unix program that can concatenate and print files in reverse. In this case, it reads the entire input page and reverses the line order (hence we run it twice). Because it has to read the whole input to find the last line, it will not output anything to bash until cURL is finished. bash will still close the read stream when it gets what it needs, but it will only affect tac, which doesn't throw an error.
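The pipe behaviour this answer describes can be reproduced without curl, bash or the sdkman script. The following is an added Python 3 example (not part of the answer; it assumes a POSIX system where os.pipe is a real kernel pipe): a producer thread plays the role of curl and reports whether its write failed, a consumer that reads one line and then closes its end plays the role of bash, and a buffering stage that reads everything before writing plays the role of tac | tac. The payload is constructed and deliberately larger than a pipe buffer so that the producer is still writing when the consumer walks away.

```python
import os
import threading

# Constructed "script": one line the consumer wants, then enough filler to exceed
# the kernel pipe buffer (64 KiB on Linux) so the producer cannot finish early.
PAYLOAD = b"#!/bin/sh\necho first line\n" + b"# filler line to exceed the pipe buffer\n" * 8000


def producer(write_fd, data):
    """Write all of data to write_fd (curl's job). Returns 'ok' or 'broken-pipe',
    the latter being the condition curl reports as 'failed writing body'."""
    try:
        view = memoryview(data)
        while view:
            written = os.write(write_fd, view)
            view = view[written:]
        return "ok"
    except BrokenPipeError:
        return "broken-pipe"
    finally:
        os.close(write_fd)


def early_closing_consumer(read_fd):
    """bash's behaviour in this scenario: read the first line, then close the pipe."""
    first = b""
    while not first.endswith(b"\n"):
        chunk = os.read(read_fd, 1)
        if not chunk:
            break
        first += chunk
    os.close(read_fd)
    return first


def buffering_intermediary(read_fd, write_fd):
    """tac | tac: read the whole input to EOF before writing a single byte on."""
    data = b""
    while True:
        chunk = os.read(read_fd, 65536)
        if not chunk:
            break
        data += chunk
    os.close(read_fd)
    # The consumer may still close early, but that now only hurts this stage.
    return producer(write_fd, data)


def direct_pipe():
    """curl | bash"""
    r, w = os.pipe()
    result = {}
    t = threading.Thread(target=lambda: result.update(producer=producer(w, PAYLOAD)))
    t.start()
    result["consumer"] = early_closing_consumer(r)
    t.join()
    return result


def buffered_pipe():
    """curl | tac | tac | bash"""
    r1, w1 = os.pipe()   # producer -> intermediary
    r2, w2 = os.pipe()   # intermediary -> consumer
    result = {}
    t1 = threading.Thread(target=lambda: result.update(producer=producer(w1, PAYLOAD)))
    t2 = threading.Thread(target=lambda: result.update(intermediary=buffering_intermediary(r1, w2)))
    t1.start()
    t2.start()
    result["consumer"] = early_closing_consumer(r2)
    t1.join()
    t2.join()
    return result


if __name__ == "__main__":
    print("direct  :", direct_pipe())
    print("buffered:", buffered_pipe())
```

In the direct case the producer blocks once the pipe buffer is full and gets EPIPE the moment the consumer closes; with the buffering stage in between, the producer always reaches EOF cleanly and the early close is absorbed by the intermediary, which is exactly why the second tac never complains.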

PGP Scripting with wildcards

I am just learning PGP, as this has become a critical process at my job. I am currently manually encrypting/decrypting files with PGP, and I would like to script this out, but I am not seeing much documentation on that type of process.
I got the command line to encrypt the files, but it writes the files with a .gpg extension and I need it to be .pgp.
Here is what I have tried so far.
gpg -e -v -r name --output c:\temp\test*.txt.pgp c:\temp\test*.txt
This fails, but if I do gpg -e -v -r name --output c:\temp\test\test.txt.pgp c:\temp\test\test.txt, it works as designed.
The issue here is that I will have multiple files with different names but the same file extension, so knowing the exact name is not going to happen until that file is created. As we are building out automation, these files can range in the hundreds in the coming weeks. I am using Kleopatra and set the settings there to pgp instead of gpg, but it appears that setting does not apply to the command line.
Can anyone provide any suggestions? This is driving me nuts!
Never mind, I figured it out. I am not sure why I didn't think of it sooner; perhaps I was focused on the gpg command line. Anyhow, this can be done with PowerShell.
# Encrypt every .txt file in the folder, writing <name>.txt.pgp next to it.
# Filtering on *.txt keeps a second run from re-encrypting the .pgp outputs.
$files = Get-ChildItem "C:\temp\test" -Filter *.txt
ForEach ($file in $files)
{
    # FullName is the complete path, so this works the same in Windows PowerShell and PowerShell 7
    gpg -e -v -r great-west --output "$($file.FullName).pgp" $file.FullName
}

Is the openssl pass argument safe through bash?

The openssl man page says the "-pass pass:[password]" option for the openssl command is not secure because it's visible to utilities like ps, but is it secure through bash?
Like this:
#!/bin/bash
read -r -s psword          # -s: do not echo the password; -r: keep backslashes literal
# Quoted so a password containing spaces still arrives as one argument
openssl enc -pass pass:"$psword" -aes-256-cbc -in text.plaintext -out text.encrypted
I've run a program like this on my computer and all ps seems to see is "openssl". Will other utilities be able to see the password?
In any operating system, the command line of a process is normally easy to obtain from any other process. See this answer on getting the command line of a process. So it doesn't really matter what "starts" the process, be it bash or some custom application. This is the reason that advice is given.
With any of these things it comes down to risk. If you accept the risk that it's not that secure, then there is no reason not to use the command line (i.e. it's your machine and you are the only one using it). If lots of people can see your process sessions and possibly see a sensitive password, then the risk may not be worth it. It's up to you to determine whether the risk is acceptable.
If you want to secure the password, then it's better to write it to a file that only your process has access to, and read the password from that file in your command. This will hide the plain password from the command line and make it invisible to other processes.
You can check the following answer. It is related to generating openssl keys but is similar to this topic:
How to generate an openSSL key using a passphrase from the command line?
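The two answers above make two points: whatever starts the process, its argv is readable by other processes, and the fix is to pass the passphrase some other way. The following added Python 3 example (not from either answer; it assumes Linux /proc or a `ps` that supports `-o args=`) makes both points observable. A small stand-in child program takes the passphrase either on argv, mirroring `-pass pass:...`, or on stdin, mirroring openssl's `-pass stdin`, and the parent reads the child's public command line the way another user would. The passphrase is a constructed sample.

```python
import subprocess
import sys
import textwrap

SECRET = "constructed-example-passphrase"  # constructed sample, not a real credential

# Stand-in for a tool such as openssl: takes the passphrase from argv if given,
# otherwise from the first stdin line; reports its length; then waits so the
# parent can inspect it while it is alive (as `ps` would).
CHILD = textwrap.dedent("""\
    import sys
    secret = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip("\\n")
    sys.stdout.write("%d\\n" % len(secret))
    sys.stdout.flush()
    sys.stdin.readline()  # block until the parent has finished looking
""")


def cmdline_of(pid):
    """What any other local user sees: /proc/<pid>/cmdline on Linux, `ps -o args=`
    elsewhere. Both are readable without special privileges by default."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode("utf-8", "replace")
    except OSError:
        return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                              capture_output=True, text=True).stdout


def run_child(pass_via_argv):
    """Start the stand-in child, give it SECRET on argv (like `-pass pass:...`)
    or on stdin (like `-pass stdin`), and report whether SECRET is visible in
    the child's command line while the child holds it."""
    argv = [sys.executable, "-c", CHILD] + ([SECRET] if pass_via_argv else [])
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    if not pass_via_argv:
        proc.stdin.write(SECRET + "\n")
        proc.stdin.flush()
    received = int(proc.stdout.readline())   # the child has the secret at this point
    visible = cmdline_of(proc.pid)
    proc.stdin.write("done\n")
    proc.stdin.close()
    proc.wait()
    return {"child_received_len": received, "secret_in_cmdline": SECRET in visible}


def openssl_enc_argv(infile, outfile):
    """argv for the encryption in the question, but with the passphrase read from
    standard input (openssl's `-pass stdin`) so it never appears on the command
    line; write it to the process's stdin exactly as run_child(False) does."""
    return ["openssl", "enc", "-aes-256-cbc", "-pass", "stdin", "-in", infile, "-out", outfile]


if __name__ == "__main__":
    print("argv :", run_child(True))
    print("stdin:", run_child(False))
    print(" ".join(openssl_enc_argv("text.plaintext", "text.encrypted")))
```

The `read -s` in the question's script hides the passphrase from the terminal and from shell history, but the expansion of `$psword` still becomes an argv entry of the openssl process; feeding it on stdin (or with openssl's `-pass fd:` / `-pass file:` forms, the file approach the second answer recommends) keeps it out of that per-process public record.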

One-liner in ubuntu/macos to print checksum of a file

Is there a short one-liner to get a file checksum, which works on both macos and ubuntu? It doesn't matter what algorithm or program, as long as I don't have to install or setup anything.
You could use OpenSSL, and the commands should be the same:
openssl sha256 filename | awk -F'= ' '{print $2}' # optional
Use whatever hashing algorithm you want, sha256, sha1, md5, etc.
Just try both of them:
md5 file 2>/dev/null; md5sum file 2>/dev/null;
That line will work on both OSs: it runs both commands and discards the error message from the one that fails, so it prints only the valid result.
With a quick OS check you can use either md5 (mac) or md5sum (ubuntu), alternatively you could alias one of them so you'd be using the same command on either OS.
On Linux, you can use md5sum file; on macOS, just md5 file. Both are default at a clean install, AFAIK. If you require that the command be the same, you can create an alias.
May I be so impertinent as to suggest writing your own?
python -c 'import sys, hashlib;
m = hashlib.sha256();
m.update(open(sys.argv[1], "rb").read());
print("\t".join([m.hexdigest(), sys.argv[1]]))' file
The semicolons are gratuitous here, but necessary if you really want to force the issue and make this a literal one-liner.
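Written out as a small script rather than a one-liner, and added here as an example (not part of the answer above), this is the same idea done the way a practitioner would keep it around: chunked binary reads so large files do not have to fit in memory, any hashlib algorithm, output in the `hex  path` layout md5sum/sha256sum use, a parser that also accepts the `ALGO (path) = hex` layout of macOS md5 and openssl dgst, and a verify step that compares digests with hmac.compare_digest. The sample file contents in the usage are constructed.

```python
import hashlib
import hmac
import sys

CHUNK = 1024 * 1024  # 1 MiB reads: large files never land in memory at once


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file. Binary mode matters: text mode would mangle bytes that
    are not valid UTF-8, and in Python 3 hashlib refuses str input anyway."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def checksum_line(path, algorithm="sha256"):
    """Same layout as sha256sum/md5sum: '<hex>  <path>' (two spaces)."""
    return "%s  %s" % (file_digest(path, algorithm), path)


def parse_checksum_line(line):
    """Accept both common layouts and return (hex, path):
       coreutils:     'hex  path' or 'hex *path' (the * marks binary mode)
       BSD / openssl: 'MD5 (path) = hex' or 'SHA256(path)= hex'"""
    line = line.strip()
    first, _, rest = line.partition(" ")
    if rest and all(c in "0123456789abcdefABCDEF" for c in first):
        return first.lower(), rest.strip().lstrip("*")
    head, _, hexdigest = line.rpartition("=")
    return hexdigest.strip().lower(), head[head.index("(") + 1:head.rindex(")")]


def verify(path, expected_hex, algorithm="sha256"):
    """True if the file matches expected_hex (case-insensitive). compare_digest is
    the habit to keep for any digest comparison so the check does not leak how
    many leading characters matched."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


if __name__ == "__main__":
    for name in sys.argv[1:] or [__file__]:
        print(checksum_line(name))
```

Because `parse_checksum_line` understands both layouts, a checksum produced with `md5 file` on a Mac can be verified on Ubuntu with `verify(path, parse_checksum_line(line)[0], "md5")` and vice versa, which is the portability the question is after.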

Encrypt a list of logins used by a bash script -- a FIFO or...?

I have a bash script which uses a text file containing a list of logins:
LOGINLIST=/home/user/logins.txt
# -r keeps backslashes literal; quoting "$line" preserves spacing
while read -r line
do
echo "$line"
done < "$LOGINLIST"
I'd rather not store the list of logins as plain text, but I don't want to have to manually decrypt it every time I run the script. (Having the script prompt for a password would be OK.)
One way I could do this would be to include a line in the script where e.g. openssl decrypts the file before it gets read. Unfortunately, if the script stalled (perhaps one of the sites it's logging in to isn't responding), this would leave the file unprotected for an indeterminate period of time.
So I'd rather keep the plaintext in memory only.
This post on LinuxQuestions ( http://www.linuxquestions.org/questions/programming-9/can-we-hide-the-code-of-a-shell-script-370328/#post1887648 ) suggests that sending the plaintext to a FIFO might do the trick, but that's wholly unfamiliar territory for me. Is there a better / simpler way? How do I wipe the memory when the script is done?
...and is there a way to edit the encrypted login list while also keeping the plaintext in memory?
You can do that with openssl and process substitution without changing the structure of your code.
To encrypt the file, use something like:
openssl blowfish -in plain_text_file -out encrypted_file
(Choose the cipher you want, it will prompt you for a password.)
Then you can use the encrypted file with:
LOGINLIST=/path/to/encrypted/file
while read -r line
do
echo "$line"
done < <(openssl blowfish -d -in "$LOGINLIST")
This will prompt you for the password. No temporary file generated.
(Careful with the spaces in the last command: it really is "< <(", with a space between the two < characters.)
You can open an existing encrypted file named encrypted_file in vim with:
openssl blowfish -d -in encrypted_file | vim -
You can create or modify/overwrite an encrypted file named encrypted_file via vim with:
:w !openssl blowfish -in /dev/stdin -out encrypted_file
Just look for the password prompts. They will get obscured a bit by vim's UI.
Here are the tricks used in this answer. You should learn them rather than copy and paste them so that you can use them in other cases.
vim reads from a pipe (aka: stdin or standard input) when an argument of bare hyphen is given.
vim can pipe its buffer to a command with :w !command
It is very common for unix commands to interpret a bare hyphen as "read from standard input" but not all commands do. In this case, you can often use /dev/stdin
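The same "decrypt into a pipe, never onto disk" structure, for the case where the script that consumes the logins is written in Python rather than bash. This is an added example, not part of the answer above: it assumes the decrypting command is the `openssl blowfish -d -in file` from the answer (substitute whatever cipher you chose), and for the stand-alone run it uses a constructed stand-in command that just prints two sample lines. It also shows the one thing the question asks about that bash cannot do: holding the plaintext in a mutable bytearray so it can be overwritten when the script is done.

```python
import subprocess
import sys

# The command from the answer; it inherits our stdin, so it can still prompt
# for the passphrase on the terminal. Path is a placeholder.
DECRYPT_CMD = ["openssl", "blowfish", "-d", "-in", "/path/to/encrypted/file"]

# Constructed stand-in so the example runs without an encrypted file at hand.
STAND_IN_CMD = [sys.executable, "-c", "print('alice:site-one'); print('bob:site-two')"]


def stream_lines(decrypt_argv):
    """Yield plaintext lines straight from the decrypting command's stdout pipe.
    Python counterpart of `done < <(openssl ... -d -in file)`: nothing touches disk."""
    proc = subprocess.Popen(decrypt_argv, stdout=subprocess.PIPE)
    try:
        for raw in proc.stdout:
            yield raw.rstrip(b"\r\n")
    finally:
        proc.stdout.close()
        proc.wait()


def load_logins(decrypt_argv):
    """Collect the lines into a bytearray. Unlike bytes or str, a bytearray is
    mutable, so it can be scrubbed in place afterwards."""
    buf = bytearray()
    for line in stream_lines(decrypt_argv):
        buf += line + b"\n"
    return buf


def wipe(buf):
    """Overwrite the buffer with zeros, then empty it. Only this buffer is scrubbed:
    any copies made by slicing or decoding live on until garbage-collected."""
    for i in range(len(buf)):
        buf[i] = 0
    del buf[:]
    return len(buf)


def process_logins(decrypt_argv, handler):
    """Decrypt into memory, hand each login line to handler, wipe, return results.
    handler receives a short-lived bytes copy of one line."""
    buf = load_logins(decrypt_argv)
    try:
        return [handler(bytes(line)) for line in buf.split(b"\n") if line]
    finally:
        wipe(buf)


if __name__ == "__main__":
    cmd = DECRYPT_CMD if len(sys.argv) > 1 and sys.argv[1] == "--real" else STAND_IN_CMD
    print(process_logins(cmd, lambda line: line.split(b":")[0].decode()))
```

The wipe is best-effort, as the comment says; the point that carries over from the bash answer is the structure: the ciphertext on disk is the only persistent copy, the plaintext exists only for the lifetime of the process, and a stalled script leaves no decrypted file behind.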
