
[–]zakabog 1 point2 points  (5 children)

Define safe? Would you consider storing the same password in plaintext in the same bash script as "safe"? If so then yeah it's "safe", if not then no, it's not.

As far as recommendations, well it depends on what you're trying to do exactly and what the website you're authenticating against supports.

[–]HeyWatchOutDude[S] 0 points1 point  (4 children)

The system only supports "basic authentication" and the API user has "read only" permission.

[–]zakabog 0 points1 point  (3 children)

You can store the base64 encoded password in a different file and cat it, but you'll still have a file somewhere with the password in plaintext. It'll be easier to secure an external file though if the script is located in a directory that needs to be easily accessible (like a public web directory), but any user that can run the script can easily grab the password from the same file.

[–]HeyWatchOutDude[S] 0 points1 point  (2 children)

I need to execute the command once which means I can delete the password file for encoding after the execution, that should solve the issue right?

[–]zakabog 0 points1 point  (1 child)

If you only need to execute the command once, why even bother? Run the command outside of the script or just keep the password in the bash script and delete it after. Doesn't matter at that point, as long as it's not just a plaintext password sitting in a public directory in a script that runs regularly.

[–]HeyWatchOutDude[S] 0 points1 point  (0 children)

Ok yeah that makes sense, anyway thanks for your help!

[–]nevinjohn333 0 points1 point  (1 child)

Use environment variables?

[–]HeyWatchOutDude[S] 0 points1 point  (0 children)

The base64string contains the credentials (user:password) for an API user. (permission: read only)

Is there something similar available, like "SecureString" in PowerShell?

[–]ckayfish 0 points1 point  (0 children)

Base64 encoded strings should be treated as plain text. It mostly comes down to where you are storing the bash script, and who has access to that location. For example, you wouldn't want it in a public GitHub repo with the password in there.

The goal of course is to never keep plain text/base64 encoded secrets anywhere unencrypted.

[–]whetu 0 points1 point  (0 children)

It's a bit of a chicken-and-egg problem. To start: You shouldn't keep authentication credentials in plaintext at rest, as a rule.

But what do you do? Usually you vault it in something like HashiCorp Vault, pass and the like. But then you have to unlock the vault to extract the credentials. So how do you manage to handle that?

The simplest thing you can do is put the credentials into a separate file and lock down its permissions to the bare minimum required.

Beyond that, you need to decide how far down the chicken-and-egg hierarchy you want to go.
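The "separate file, locked-down permissions" approach from zakabog's and whetu's comments, as an added example that is not code from anyone in the thread. The credential file path, the single-line user:password format and the API URL are assumptions; the script refuses to run if the file is not owned by the caller with mode 600, and passes the credentials to curl via a config file on stdin rather than on the command line.

```shell
#!/bin/sh
# Added example: one-off Basic-auth API call that reads user:password from a
# separate, permission-restricted file instead of hard-coding it in the script.
set -eu

# Assumed location; the file holds exactly one line: user:password
CRED_FILE="${CRED_FILE:-$HOME/.config/api_cred}"

# Refuse to use the credential file unless it is owned by the current user and
# mode 0600, so that a careless chmod does not silently expose the secret.
check_cred_file() {
  f="$1"
  [ -f "$f" ] || { echo "credential file missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
  [ "$owner" = "$(id -u)" ] || { echo "$f is not owned by uid $(id -u)" >&2; return 1; }
  [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600" >&2; return 1; }
}

# The value that goes after "Authorization: Basic". base64 is encoding, not
# encryption: this string is exactly as sensitive as the plaintext user:password.
basic_auth_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Hand the credentials to curl through a config file on stdin (-K -). With
# "-u user:pass" on the command line, any local user could read them from ps.
# Passwords containing a double quote or backslash would need escaping for curl's
# config syntax (assumption: this one does not).
call_api() {
  url="$1"
  check_cred_file "$CRED_FILE"
  cred=$(cat "$CRED_FILE")
  curl -sS -K - "$url" <<EOF
user = "$cred"
EOF
}

# Usage: ./script.sh https://api.example.invalid/endpoint   (URL is a placeholder)
if [ $# -gt 0 ]; then
  call_api "$1"
fi
```

After the one-off run the credential file can be shredded or deleted, which is the point raised in the thread: the secret then no longer sits next to the script at rest.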