Avoiding plain-text password in http_proxy
I've found a solution: adding openssl enc -aes-128-cbc -a -d
to the mix. However, as mentioned in the accepted answer, this option is probably not very secure.
First, put the username password combo (or base64 encoded equivalent) into here,
echo "<put it here>" | openssl enc -aes-128-cbc -a
It will prompt for a password twice. This password is the password you'll have to input each time http_proxy
is set.
Then, in .babunrc
(or whereever you put it),
export http_proxy="http://`echo "<output from above command>" | openssl enc -aes-128-cbc -a -d`@20.20.20.20:20/"
If the input was base64 encoded, you'll need this instead:
export http_proxy="http://`echo "<output from above command>" | openssl enc -aes-128-cbc -a -d | base64 -d`@20.20.20.20:20/"
If the <output from above command>
had a new line, \n
will work for it.
Using base64 is useless, it's just a simple transformation. Using encryption with a key that's stored alongside the encrypted data is also useless because it's still just a simple transformation. If you're worried about someone getting access to your configuration files, then you need to encrypt with a key that isn't in your configuration files, and that means you'll have to type a password¹ when you log in.
Rather than make your own, use an existing encryption mechanism.
On Linux, if you go with file encryption, encrypt your home directory with eCryptfs, or encrypt the whole disk with Linux's disk encryption layer (dm-crypt, cryptsetup
command), or create a small per-file encrypted filesystem with encfs. In the latter case, have a script that mounts the encfs filesystem and then runs a script stored there.
On Windows, put the file on a TrueCrypt/VeraCrypt.
Alternatively, use a password manager (set a master password, of course). Gnome's password manager (gnome-keyring) can be queried from the command line with the secret-tool
utility. Seahorse provides a convenient GUI for exploring and modifying the keyring and setting a master password.
secret-tool store --label='Corporate web proxy password' purpose http_proxy location work.example.com
export http_proxy="http://cman:$(secret-tool lookup purpose http_proxy location work.example.com)@192.0.2.3/"
This required D-Bus, which is normally available by default under Linux (most modern desktop environments require it) but needs to be started manually under Cygwin (I don't know exactly how).
¹ or otherwise supply secret material, e.g. stored on a smartcard.