Hiding secret from command line parameter on Unix

  1. First, you can NOT hide command line arguments. They will still be visible to other users via ps aux and cat /proc/$YOUR_PROCESS_PID/cmdline at the time of launching the program (before the program has a chance to do run-time changes to arguments). Good news is that you can still have a secret by using alternatives:

  2. Use standard input:

     mySecret="hello-neo" printenv mySecret | myCommand
  3. Use a dedicated file if you want to keep the secret detached from the main script (note that you’d be recommended to use full disc encryption and make sure the file has correct chmod permissions):

     cat /my/secret | myCommand
  4. Use environment variables (with caveats). If your program can read them, do this:

     mySecret="hello-neo" myCommand
  5. Use temporary file descriptor:

     myCommand <( mySecret="hello-neo" printenv mySecret )

In the last case your program will be launched like myCommand /dev/fd/67, where the contents of /dev/fd/67 is your secret (hello-neo in this example).

In all of the above approaches, be wary of leaving the command in bash command history (~/.bash_history). You can avoid this by either running the command from a script (file), or by interactively prompting yourself for password each time:

read -s secret
s=$secret printenv s | myCommand  # approach 2
myCommand <( s=$secret printenv s )  # approach 3
secret=$secret myCommand  # approach 4
export secret && myCommand  # another variation of approach 4

Leave a Comment