One of the best things with scripts is that they can run independently without human intervention, but sometimes it can be challenging to automate tasks that require user passwords. Let’s look at how you can securely automate scripts that require passwords without compromising security.
Creating a Simple Script
Let’s assume that you want to create a simple script that backups up your Linux home folder to a remote location so that you can easily restore your data in case of data loss.
Start by creating a Bash script file in your home folder, using the touch command or any other method, and name it backup_home.sh. Feel free to use any name and directory of your liking.
The script uses the rsync command, a powerful file copying tool, in order to back up all files in your local home directory to a remote server.
Copy the content of the following script and paste it into your Bash file. Remember to replace the user john with the correct name of your local home user. Also provide the correct username and IP address for the remote server.
If you do not have a remote server to test with, you can simply install VirtualBox and set up a VM on your local machine. Use the VM guest as your remote server.
Save the file. To execute the script you need to grant it the execute permission using the command sudo chmod 755. All users can execute the script but only the sudo users can modify the file.
Finally, execute the Bash script from the terminal using the command:
Whenever you run this script, you’ll be prompted to enter the remote server password. This is not ideal if you want to run the script without human intervention, such as when using Cron.
Automating Password Login
Install sshpass, a non-interactive password provider, on your local PC or the PC from which you will run the script from.
On Debian-based distros
If you are on a Debian-based distro such as Ubuntu, Pop!_OS, and Lubuntu:
On RHEL and Fedora
After installing sshpass modify the script so that it looks as follows.
Here you provide the password in plain text. Obviously, this is not the ideal way, since it’s not secure and not good practice. If the script ever lands in the wrong hands, you are in deep trouble.
To make this more secure, we’ll use GnuPG, a secure and open-source encryption tool.
Encrypting Your Password
GnuPG is installed by default on most Linux systems, but in case it is not installed on your system, here’s how to install GnuPG.
Create a hidden file named secrets using the command touch .secrets. Since we’ve made the file hidden by default as an extra security measure, here’s how you can view hidden files on Linux.
In the secrets file, enter the password of your remote PC and save it.
Next, encrypt the file using the gpg command.
You’ll be prompted to enter a secure and strong passphrase for opening the encrypted file.
GnuPG will create a new file with the extension .gpg appended to the old file name. Your new file name should now be secrets.gpg, assuming you used the secrets filename.
If you view the content of secrets.gpg using the cat command, you’ll be presented with some gibberish text to show that your password is encrypted.
To view the contents of the file in plain text, you’ll need to decrypt it using the following command (you’ll be prompted to enter the password you set during encryption):
Using an Encrypted Password in Your Script
To use the encrypted password in the script, update the script as follows:
Run the backup scripts again, and this time you’ll not be prompted for a password.
Automate Tasks With Bash Scripts
GnuGP is frequently used for securing sensitive files and data on your PC and is also a great tool for securing passwords in automated Bash scripts on Linux.
There’s a lot you can do with Bash scripts. Bash is a powerful tool that can help you automate a lot of stuff on Linux and learning to write Bash scripts is a worthwhile investment.
