Reputation: 249
I've been working on a series of bash scripts and I need to automate password entry for batch processing of files and actions.
This isn't for just one program, for example, sometimes it needs to be done for GPG, other times, steghide.
There is a specific reason this is being done and I understand the security elements behind it. This has been considered and is negated by how the scripts are stored and run.
The passwords or passphrases are passed via command line arguments to the script and the password/phrase must be repeated many times programmatically.
Here is an example of what I am working with inside the script:
for f in "$dir"/*
do
  steghide embed -cf "$f" -ef /path/to/secret.txt
done
This simply asks interactively for every image, however: Enter Passphrase: Re-enter Passphrase:
For every image in a directory, this password will be requested and so the password should be able to be stored in a variable and reused.
I have been working with steghide most recently but there will also be a need to automate passphrases with GPG at a later date, although there is no need for the methods to be the same.
Upvotes: 0
Views: 3395
Reputation: 920
It's untested publicly, rough around the edges, and can be improved... but here's a preview of some of my research scripts that haven't been merged into one of the GitHub projects I'm writing... definitely run shellcheck against the below script to catch any typos.
#!/usr/bin/env bash
Var_stego_out_dir="${1}"
Var_stego_in_dir="${2}"
Var_stego_cover_dir="${3}"
Var_passphrase_file="${4}"
Var_passphrase="${5}"
Var_auto_pass_length="${6:-64}"
## Arrays filled by Func_build_array_of_paths; declared here so they are global
declare -a Arr_cover_list=()
declare -a Arr_input_list=()
## Fill the array named in $2 with files under $1 whose extension is in the
## comma-separated list $3. A nameref (bash 4.3+) stands in for the array and
## process substitution keeps the loop in the current shell, so the appends
## are not lost in a pipeline subshell.
Func_build_array_of_paths(){
  local _dir="${1}"
  local -n _arr_ref="${2}"
  local _file_extension_list="${3}"
  local _path
  if [ -d "${_dir}" ] && [ "${#_arr_ref[@]}" = "0" ]; then
    while IFS= read -r _path; do
      ## ",${list}," contains ",${ext}," exactly when ext is in the list
      case ",${_file_extension_list}," in
        *",${_path##*.},"*)
          _arr_ref+=( "${_path}" )
          ;;
      esac
    done < <(find "${_dir}" -xtype f)
  fi
}
Func_enc_stego(){
  local _cover_file="${1}"
  local _enc_file="${2}"
  local _pass_file="${3}"
  local _output_file="${Var_stego_out_dir}/${_cover_file##*/}"
  local _auto_passphrase
  if [ -f "${_cover_file}" ] && [ -f "${_enc_file}" ]; then
    ## /dev/urandom does not block; keep printable characters only, then truncate
    _auto_passphrase="${Var_passphrase:-$(base64 /dev/urandom | tr -cd '[:print:]' | head -c "${Var_auto_pass_length}")}"
    ## Never overwrite an existing output file; suffix a timestamp instead
    if [ -f "${_output_file}" ]; then
      _output_file="${_output_file}_$(date -u +%s)"
    fi
    steghide embed -p "${_auto_passphrase}" -ef "${_enc_file}" -cf "${_cover_file}" -sf "${_output_file}"
    cat <<<"### ${_output_file} ### ${_auto_passphrase}" >> "${_pass_file}"
  fi
}
Func_main(){
  local _arr_input_count=0
  local _arr_cover_count=0
  ## Build array of file paths for cover file use
  Func_build_array_of_paths "${Var_stego_cover_dir}" "Arr_cover_list" "au,AU,bmp,BMP,jpeg,JPEG,wav,WAV"
  ## Build array of file paths for embed file use
  Func_build_array_of_paths "${Var_stego_in_dir}" "Arr_input_list" "gpg,GPG,txt,TXT"
  if [ "${#Arr_cover_list[@]}" = "0" ] || [ "${#Arr_input_list[@]}" = "0" ]; then
    echo "No cover files or no input files found" >&2
    return 1
  fi
  until [ "${_arr_input_count}" = "${#Arr_input_list[@]}" ]; do
    if [ -f "${Arr_cover_list[${_arr_cover_count}]}" ]; then
      Func_enc_stego "${Arr_cover_list[${_arr_cover_count}]}" "${Arr_input_list[${_arr_input_count}]}" "${Var_passphrase_file}"
      let _arr_cover_count++
      let _arr_input_count++
    elif [ -f "${Arr_cover_list[$((_arr_cover_count-1))]}" ]; then
      ## Out of cover files: reuse the last one for the remaining inputs
      Func_enc_stego "${Arr_cover_list[$((_arr_cover_count-1))]}" "${Arr_input_list[${_arr_input_count}]}" "${Var_passphrase_file}"
      let _arr_input_count++
      _arr_cover_count="$((_arr_cover_count-1))"
    fi
  done
}
Func_main
Run the above with the following portions filled in:
script.sh "/path/to/stego_out_dir" "/path/to/stego_in_dir" "/path/to/stego_cover_dir" "/path/to/passphrase_file"
## or define static passphrase
#script.sh "/path/to/stego_out_dir" "/path/to/stego_in_dir" "/path/to/stego_cover_dir" "/path/to/passphrase_file" "passphrase"
Note: saving the passphrase and file in plain text like the above does is very bad practice, and because the OP stated that they were also looking at GnuPG automation, readers and the OP should look up Paranoid_Pipes; specifically the GnuPG_Gen_Key.sh script and the functions starting with Func_dec_* within Paranoid_Pipes.sh for working/tested examples of automation involving GnuPG passphrases, and, for protecting the passphrases written by the above script, the functions starting with Func_enc_* within the Paranoid_Pipes.sh script for how the mkfifo command and the resulting named pipe are used to automate encryption of most data types. Hint: the fourth example argument "/path/to/passphrase_file" would point to an encrypting named pipe made by the linked script to keep things a bit more secure ;-)
Upvotes: 0
Reputation: 123640
man steghide:
-p, --passphrase
Use the string following this argument as the
passphrase. If your passphrase contains whitespace,
you have to enclose it in quotes, for example: -p
"a very long passphrase".
man gpg:
--passphrase string
Use string as the passphrase. This can only be used if only one
passphrase is supplied. Obviously, this is of very questionable
security on a multi-user system. Don't use this option if you can
avoid it.
Upvotes: 1
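The warning quoted from the gpg manual is the practical point of the whole thread: a passphrase on a command line (the script's own argument in the question, or -p to steghide in the first answer) is readable by every local user through ps or /proc/*/cmdline, and it also lands in shell history. The script below is an added example written for this page; it is not code from the question, from either answer or from the steghide or GnuPG projects. It shows the same batch loop with the passphrase read once, either from a file that must be readable only by its owner or from the terminal with echo off, and then handed to steghide via -p (the only non-interactive route steghide offers, so that exposure remains for the lifetime of each steghide process) and to gpg via --passphrase-fd on a pipe from the printf builtin, which keeps it off every command line. The layout (cover_dir, secret_file, out_dir, passphrase_file) and the function names are this example's own assumptions, and steghide plus GnuPG 2.1 or later are assumed to be installed. It is POSIX sh, so it runs unchanged under bash.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Written in POSIX sh so it also runs under bash. Assumes steghide and
# GnuPG >= 2.1 are on PATH when the embed/encrypt steps actually run.
# Usage: stego_batch.sh <cover_dir> <secret_file> <out_dir> [passphrase_file]
set -eu

PASSPHRASE=''

# Read the passphrase once into $PASSPHRASE. It is never an argument to this
# script: argv is readable by every local user through ps or /proc/*/cmdline.
# With a file argument the file must be readable only by its owner (e.g. 0600);
# without one, prompt on the terminal with echo switched off.
load_passphrase() {
    local file perms
    file="${1:-}"
    if [ -n "$file" ]; then
        perms=$(ls -ld "$file" | cut -c5-10)       # group+other bits of "-rw-------"
        if [ "$perms" != "------" ]; then
            echo "refusing $file: readable by group/others (${perms:-missing})" >&2
            return 1
        fi
        IFS= read -r PASSPHRASE < "$file" || true   # first line; trailing newline optional
    else
        trap 'stty echo < /dev/tty' INT TERM        # restore echo if the prompt is interrupted
        printf 'Passphrase: ' > /dev/tty
        stty -echo < /dev/tty
        IFS= read -r PASSPHRASE < /dev/tty || true
        stty echo < /dev/tty
        echo > /dev/tty
    fi
    [ -n "$PASSPHRASE" ]    # an empty passphrase is an error
}

# steghide covers: JPEG, BMP, WAV, AU (any case); everything else is skipped.
is_cover_file() {
    case "$1" in
        *.[jJ][pP][gG]|*.[jJ][pP][eE][gG]|*.[bB][mM][pP]|*.[wW][aA][vV]|*.[aA][uU]) return 0 ;;
        *) return 1 ;;
    esac
}

# steghide only takes the passphrase via -p, so it is visible in the process
# list for the duration of each run; quoting keeps a passphrase with spaces
# as one argument. The stego file is written to $3 and the cover is left intact.
embed_one() {
    steghide embed -q -cf "$1" -ef "$2" -sf "$3" -p "$PASSPHRASE"
}

# gpg can take the passphrase on a file descriptor instead of argv. printf is
# a shell builtin, so the passphrase never becomes a process argument.
# GnuPG >= 2.1 needs --pinentry-mode loopback for --passphrase-fd to be honoured.
encrypt_one() {
    printf '%s\n' "$PASSPHRASE" |
        gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --symmetric --output "$1.gpg" "$1"
}

main() {
    local cover_dir secret out_dir pass_file f
    cover_dir="$1"; secret="$2"; out_dir="$3"; pass_file="${4:-}"
    load_passphrase "$pass_file"
    mkdir -p "$out_dir"
    for f in "$cover_dir"/*; do
        is_cover_file "$f" || continue
        embed_one "$f" "$secret" "$out_dir/${f##*/}"
    done
    # Same passphrase, different tool: also leave a gpg-encrypted copy of the secret.
    encrypt_one "$secret"
}

# Only run when given arguments, so the functions can be sourced or tested alone.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Create the passphrase file with umask 077 (or chmod 600 it) before running, e.g. sh stego_batch.sh /path/to/covers secret.txt /path/to/out /path/to/passfile; the script refuses a passphrase file with any group or other permission bit set rather than silently using it.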