Reputation: 252
I have a use case wherein I am using the keytool command in a bash script in which I have entered the Keystore password in cleartext. Something similar to this:
test.sh
#!/bin/bash
keytool -keystore <PATH-TO-KEYSTORE> -storepass <CLEARTEXT-PASSWORD> ...
Now the requirement is to encrypt this cleartext password in the script so that one may not know the actual Keystore password. I tried OpenSSL to encrypt the default password, store it in another hidden file and decrypt the password on the go when running the script, but anyone who has access to the script could look at which algorithm is being used and use the same OpenSSL command to decrypt the password.
I know that keytool needs the decrypted password at any cost, so even if the password is encrypted in some way it has to be decrypted before being passed to keytool. I need to know if there is any way through which I can allow only my script to decrypt the password and not any legitimate hacker.
Upvotes: 0
Views: 910
Reputation: 125708
Unless there's some way to make information available to the running script that wouldn't also be available to a hacker, this is inherently impossible. Whatever you put in the script, a hacker can simply run it with tracing turned on, emulate the script by hand, or otherwise simply do what the script does and find out what resulting key the script will come up with.
Securing keys like this requires that you have some information store that a hacker cannot get access to. Often this takes the form of a hardware security module (HSM), with its interface set up so that it can perform the necessary operations but the keying material cannot be extracted from it. This may not be possible or relevant in your situation, but you need something that a hacker cannot get access to.
Upvotes: 2
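The two recovery routes the answer names, "run it with tracing turned on" and "emulate the script by hand", shown against the scheme from the question. This is an added example, not code from either post. The password `changeit-demo`, the hidden file `.storepass`, the generated `test.sh` and the `keytool_stub` function that stands in for `keytool` are all constructed for the demonstration; `base64` stands in for the OpenSSL encryption step so the script runs without openssl or a JDK, since the choice of algorithm makes no difference to the outcome.

```shell
#!/usr/bin/env bash
# Added example: an "encrypted" keystore password that a script decrypts at run time
# is recoverable by anyone who can run or read that script.
set -euo pipefail

# --- The scheme from the question, with constructed values -----------------------
# Any reversible transform behaves the same; base64 stands in for the openssl step.
obfuscate_password() {            # $1: cleartext -> stdout: stored form
  printf '%s' "$1" | base64
}

# Writes $1/.storepass (the hidden file) and $1/test.sh (the script from the question).
# keytool is replaced by keytool_stub, a no-op that only exists to receive -storepass.
write_victim_script() {           # $1: directory
  local dir="$1"
  obfuscate_password 'changeit-demo' > "$dir/.storepass"   # constructed password
  cat > "$dir/test.sh" <<'EOF'
#!/usr/bin/env bash
set -e
here="$(cd "$(dirname "$0")" && pwd)"
storepass="$(base64 -d < "$here/.storepass")"   # decrypt "on the go"
keytool_stub() { :; }                            # stand-in for the real keytool
# real form: keytool -keystore "$here/demo.jks" -storepass "$storepass" -list
keytool_stub -keystore "$here/demo.jks" -storepass "$storepass" -list
EOF
  chmod 700 "$dir/test.sh"
}

# --- Route 1: run the script with tracing turned on -------------------------------
# bash -x prints every command after expansion, so the -storepass argument appears
# in cleartext on stderr no matter how it was stored or decrypted.
recover_password_via_trace() {    # $1: directory containing test.sh -> stdout: password
  bash -x "$1/test.sh" 2>&1 >/dev/null \
    | sed -n 's/.*-storepass \([^ ]*\) .*/\1/p'
}

# --- Route 2: emulate the script by hand, without executing it --------------------
# The script itself spells out the inverse operation and where the ciphertext lives;
# the attacker copies that one line and never needs to run test.sh at all.
recover_password_by_hand() {      # $1: directory containing .storepass -> stdout: password
  base64 -d < "$1/.storepass"
}

# Stand-alone demonstration on a temporary directory.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
write_victim_script "$demo_dir"
printf 'recovered via bash -x : %s\n' "$(recover_password_via_trace "$demo_dir")"
printf 'recovered by hand     : %s\n' "$(recover_password_by_hand "$demo_dir")"
```

Both routes print `changeit-demo`. Moving the secret out of the script body, for example into a file read by keytool's `-storepass:file` option or an environment variable read by `-storepass:env`, changes where the cleartext sits but not the analysis in the answer: anyone who can run the script can still read it, which is why the only real fix is a store, such as an HSM, that the script can ask to do the operation but that the attacker cannot read from.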