Lightweight solution for using encrypted passwords in shell scripts
Pull request Compare This branch is 13 commits behind plyint:master.
This script provides a lightweight solution for using encrypted passwords in shell scripts using OpenSSL. It lets a user encrypt a password (or any other secret) at runtime and then use it, decrypted, from another script. The secret is never echoed while it is typed, which defeats shoulder surfing, and it is never stored in plain text, so it cannot be copied or discovered on disk by someone else at a later date.

This script generates a random 256-bit AES symmetric key for each script (or user-defined label) that stores secrets. That key is then used to encrypt every secret belonging to that script or label.

The first call to retrieve a secret prompts for its value and stores it encrypted. Subsequent calls do not prompt, because the file holding the encrypted value already exists; they simply decrypt it.

Note: the script sets up a directory (.encpass) under the user's home directory where keys and secrets are stored.

~/.encpass will contain the following subdirectories:

  • keys (Holds the symmetric key for each script or user-defined label)
  • secrets (Holds the secrets stored for each script or user-defined label)
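To make the scheme above concrete, here is an added, self-contained re-implementation of it. It is not the project's own code; the DEMO_STORE directory stands in for ~/.encpass and all demo_* names are assumptions. It keeps one 256-bit key per label under keys/, one encrypted file per secret under secrets/<label>/, prompts with echo turned off only when a secret is missing and a terminal is attached, and decrypts silently otherwise. It needs only a POSIX sh and openssl.

```sh
#!/bin/sh
# Added illustration of the storage scheme: one random 256-bit AES key per label,
# every secret under that label encrypted with it. NOT the project's own code;
# DEMO_STORE and the demo_* names are assumptions, DEMO_STORE stands in for ~/.encpass.

DEMO_STORE=${DEMO_STORE:-"$(mktemp -d)"}

demo_key_file()    { printf '%s/keys/%s.key\n' "$DEMO_STORE" "$1"; }
demo_secret_file() { printf '%s/secrets/%s/%s.enc\n' "$DEMO_STORE" "$1" "$2"; }

# Create the label's key on first use: 32 random bytes (256 bits), hex-encoded,
# written under umask 077 so only the owner can read it.
demo_ensure_key() {
    demo_key=$(demo_key_file "$1")
    [ -f "$demo_key" ] && return 0
    mkdir -p "$DEMO_STORE/keys" && chmod 700 "$DEMO_STORE/keys" || return 1
    ( umask 077; openssl rand -hex 32 > "$demo_key" )
}

# Encrypt one secret (label, name, value) under the label's key. A fresh random IV is
# generated per secret and kept in the clear on line 1 of the file (an IV need not be
# secret, but must not repeat under the same key); line 2 is the base64 ciphertext.
demo_set_secret() {
    demo_ensure_key "$1" || return 1
    demo_dir="$DEMO_STORE/secrets/$1"
    mkdir -p "$demo_dir" && chmod 700 "$demo_dir" || return 1
    demo_iv=$(openssl rand -hex 16)
    demo_ct=$(printf '%s' "$3" | openssl enc -aes-256-cbc -a -A \
                  -K "$(cat "$(demo_key_file "$1")")" -iv "$demo_iv") || return 1
    ( umask 077; printf '%s\n%s\n' "$demo_iv" "$demo_ct" > "$(demo_secret_file "$1" "$2")" )
}

# Retrieve a secret (label, name). If it is not stored yet and stdin is a terminal,
# prompt with echo off so an onlooker cannot read it, store it, and continue; later
# calls find the file and decrypt it without prompting.
demo_get_secret() {
    demo_file=$(demo_secret_file "$1" "$2")
    if [ ! -f "$demo_file" ]; then
        [ -t 0 ] || { printf 'no stored secret %s/%s and no terminal to prompt on\n' "$1" "$2" >&2; return 1; }
        printf 'Enter %s for %s: ' "$2" "$1" >&2
        stty -echo; IFS= read -r demo_val; stty echo; printf '\n' >&2
        demo_set_secret "$1" "$2" "$demo_val" || return 1
    fi
    { IFS= read -r demo_iv; IFS= read -r demo_ct; } < "$demo_file"
    printf '%s' "$demo_ct" | openssl enc -d -aes-256-cbc -a -A \
        -K "$(cat "$(demo_key_file "$1")")" -iv "$demo_iv"
}

# Usage from a script (stored first here, so no prompt):
#   demo_set_secret myapp dbpass 's3cr3t'
#   dbpass=$(demo_get_secret myapp dbpass)
```

Two details worth checking in any tool of this kind: the key and secret files must be created with restrictive permissions from the start (hence the umask in a subshell rather than a chmod after the write), and the IV must be fresh for every encryption under the same key.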

Requirements

The script requires the following software to be installed:

  • POSIX-compliant shell
  • OpenSSL


Download the script and install it to a directory in your path.

Example: curl the script to /usr/local/bin

$ curl -o /usr/local/bin/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3085  100  3085    0     0   5184      0 --:--:-- --:--:-- --:--:--  5193


Source the script in your own script and call the get_secret function.

See the example...

# Call it specifying a named secret
#password=$(get_secret password)
# Call it specifying a named secret for a specific label
#password=$(get_secret password)
echo "$password"

Testing with Docker

Run the unit tests under the sh, bash, zsh and ksh interpreters in Docker:

make test


Important Security Information

While the password is stored encrypted, once it has been decrypted within a script the script author must take care not to expose it inadvertently. For example, if you invoke another process from within a script that is using the decrypted password AND you pass the decrypted password to that process on its command line, then it is visible to ps (on Linux, /proc/<pid>/cmdline is readable by every local user, not just the owner of the process).

Imagine a script like the following...

. ./
watch --pass=$password &
ps -A

Upon executing it you should see the password in the ps output...

97349 ??         9:56.30 watch --pass=P@$$w0rd
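The following added example reproduces that exposure and shows the fix: hand the secret to the child on stdin through a pipe instead of on argv. It is not the project's code; the demo_* names are assumptions and the background "worker" shell stands in for any program that accepts a secret either on its command line or on stdin. It reads /proc/<pid>/cmdline where that exists and falls back to ps elsewhere.

```sh
#!/bin/sh
# Added illustration of the argv exposure and of the stdin hand-off that avoids it.
# NOT the project's own code; demo_* names are assumptions, 'worker' is a stand-in child.

# Command line of a running process, as any local user can read it.
demo_cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Unsafe pattern: start a child with the secret on its argv, then look at what the
# process list shows. Returns 0 when the secret is visible there (i.e. it leaks).
demo_argv_leaks() {
    sh -c 'while :; do sleep 1; done' worker "--pass=$1" &
    demo_pid=$!
    sleep 1                                    # give the child time to exec
    case "$(demo_cmdline_of "$demo_pid")" in
        *"$1"*) demo_leak=0 ;;
        *)      demo_leak=1 ;;
    esac
    kill "$demo_pid" 2>/dev/null; wait "$demo_pid" 2>/dev/null
    return $demo_leak
}

# Safe pattern: the secret travels over a pipe on the child's stdin; argv carries
# only the program name, so the same check finds nothing. Returns 0 only on a leak.
demo_stdin_leaks() {
    printf '%s\n' "$1" | sh -c 'IFS= read -r p; while :; do sleep 1; done' worker &
    demo_pid=$!
    sleep 1
    case "$(demo_cmdline_of "$demo_pid")" in
        *"$1"*) demo_leak=0 ;;
        *)      demo_leak=1 ;;
    esac
    kill "$demo_pid" 2>/dev/null; wait "$demo_pid" 2>/dev/null
    return $demo_leak
}

# Proof that the stdin hand-off delivers the secret intact: the child reads one line
# and echoes it back (a real tool would use it rather than print it).
demo_receive_via_stdin() {
    printf '%s\n' "$1" | sh -c 'IFS= read -r p; printf "%s" "$p"'
}

# Usage in a script, with $password obtained from get_secret:
#   printf '%s\n' "$password" | some_tool --password-stdin
```

Many tools offer a --password-stdin style option or read credentials from a file for exactly this reason. An environment variable is the other common channel; on Linux /proc/<pid>/environ is readable only by the process owner and root, so it is far better than argv but still not as contained as a pipe.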


Ideally this script can be used in all POSIX-compliant shells, but it has only been extensively tested in bash. If you encounter an issue using it in another shell, please log an issue and/or submit a pull request with a fix.
