Securely Reading and Passing Passwords on Commandline in Bash Scripts
Publish date: Jun 19, 2019
Passwords should not be read from command-line arguments: the arguments of every running process are visible to all local users through ps and /proc/<pid>/cmdline, and an interactive invocation leaves them in the shell history as well. Instead, read them interactively from stdin with read in silent mode, which does not echo what is typed.
IFS= read -rs -p 'Password: ' PASSWORD; echo   # -r keeps backslashes literal, IFS= keeps leading/trailing spaces, echo ends the unechoed line
Passwords should not be passed to other scripts or CLIs verbatim on the command line either, and the external /bin/echo and /usr/bin/printf programs are no better, since the password becomes one of their arguments. If the password is already in a variable (for example, read from a file earlier), it can be written to the child's stdin with bash's builtin echo or printf: a builtin runs inside the shell, so no process carrying the password in its argv ever shows up in the process list. cat with a here-document works as well when the password comes from a variable, because it reaches cat on stdin rather than as an argument. Another way is to hand the password over on a numbered file descriptor, as shown below. One caveat for here-documents and here-strings: bash before 5.1 backs them with an unlinked temporary file, so the password briefly touches whatever filesystem holds $TMPDIR; bash 5.1 and later use a pipe instead when the content fits in the pipe buffer. Do not export the variable, either: exported variables are copied into the environment of every child process, which the same user can read from /proc/<pid>/environ.
( exec 3<<<"$PASSWORD"; cat /proc/$BASHPID/fd/3 | cli-that-takes-password-on-stdin )
Some applications accept a file descriptor directly. openssl, for example, takes fd:3 in place of a password in its -pass, -passin and -passout options (the other sources it understands are pass:, env:, file: and stdin), so once the descriptor is opened as above nothing but openssl itself ever handles the password.
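The script below is an added example, not code from the original post. It puts the three hand-offs side by side (the anti-pattern with the password in argv, the builtin-printf pipe, and a numbered descriptor opened from a here-string) and, instead of trusting that ps stays clean, has the child process report its own /proc/$$/cmdline so the check is made from the child's side. The stand-in CLI (called password-cli, run as a separate bash so that it has its own argv) and the snippet stored in CONSUMER are assumptions for the demo; the last function uses the real openssl with -pass fd:3 and skips itself when openssl is not installed. Linux only, because it relies on /proc.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Linux-only: uses /proc.
# Demonstrates reading a password silently and passing it to a child on
# stdin or on a numbered fd, with a check that the child never sees it in
# argv, which is what /proc/<pid>/cmdline and ps expose to every user.
set -euo pipefail

# Prompt without echo. -r keeps backslashes literal, IFS= keeps surrounding
# whitespace; bash prints the -p prompt only when stdin is a terminal.
read_password() {
    IFS= read -rs -p 'Password: ' PASSWORD
    [ -t 0 ] && printf '\n' >&2   # finish the prompt line after a silent read
    return 0
}

# Stand-in for a CLI (hypothetical name: password-cli) that reads the password
# from the fd given as $1. It runs as its own bash so it has its own argv, and
# reports that argv as seen in /proc/$$/cmdline plus the number of password
# characters it actually received, separated by the final "|".
CONSUMER='pw=""; IFS= read -r -u "$1" pw || true
          printf "%s|%d" "$(tr "\0" " " </proc/$$/cmdline)" "${#pw}"'

# Returns 0 only when the secret is absent from the child argv AND the child
# received the whole password.
check_report() {
    local secret=$1 report=$2
    case $report in *"$secret"*) return 1 ;; esac   # visible in argv: fail
    [ "${report##*|}" -eq "${#secret}" ]
}

# The anti-pattern, kept only to show what the check catches: with the secret
# in argv the child's cmdline contains it verbatim. Returns 0 if it leaked.
argv_leaks() {
    local secret=$1 report
    report=$(bash -c "$CONSUMER" password-cli 0 "$secret" </dev/null)
    case $report in *"$secret"*) return 0 ;; esac
    return 1
}

# Builtin printf: nothing is forked for it, so the secret travels only through
# the pipe into the child's stdin and appears in no process's argv.
pass_via_stdin() {
    local secret=$1
    check_report "$secret" "$(printf '%s\n' "$secret" | bash -c "$CONSUMER" password-cli 0)"
}

# Numbered descriptor from a here-string, the page's technique. bash before
# 5.1 backs the here-string with an unlinked temp file, 5.1+ with a pipe.
pass_via_fd() {
    local secret=$1
    check_report "$secret" "$(bash -c "$CONSUMER" password-cli 3 3<<<"$secret")"
}

# Real consumer: openssl reads the passphrase from fd 3 (-pass fd:3), so the
# password is in neither argv nor the environment. Encrypts $2, decrypts it
# again and prints the result; prints "openssl-missing" without openssl.
openssl_roundtrip() {
    local secret=$1 plaintext=$2 blob
    command -v openssl >/dev/null || { printf 'openssl-missing'; return 0; }
    blob=$(printf '%s' "$plaintext" |
           openssl enc -aes-256-cbc -pbkdf2 -a -A -pass fd:3 3<<<"$secret")
    printf '%s' "$blob" |
        openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass fd:3 3<<<"$secret"
}

# Interactive use: read_password; pass_via_fd "$PASSWORD"
```

The same check works against any real CLI: run it with the password the way you intend to, and read /proc/<pid>/cmdline of the child (or ps -o args= -p <pid>) from another shell; if the password is there, every local user can see it.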