I have to execute psql command and after sqoop command using shell for that I need to give password. is there any option which I can place password and give that to both commands.
First off, you should never store plain text password in files.
Store the passport in a encrypted file and then decrypt and use it when required.
Encrypt the password::
openssl das3 -salt -in file.txt -out file.des3
Decrypt the password::
dec_pwd=openssl das3 -salt -in file.des3 -out file1.txt
Here use the dec_pwd variable to pass it in sqoop and postgres commands.
NOTE: Please overwrite the variable dec_pwd later on, to not to be used anywhere else for security reasons.
Related
I want to write a script that will check whether replication is on or not, so I wrote the command in a script:- PGPASSWORD='********' psql -U user_name -p 54032 -c "select * from pg_stat_replication" -d postgres
but I want to encrypt the password for security purposes so I did MD5 encryption and put the hash of it.
PGPASSWORD='a67a4e657061eac2036a88ec523dbbbb' psql -U user_name -p 54032 -c "select * from pg_stat_replication" -d postgres
It's not working Please help me.
There is no way to avoid having a clear text password somewhere, either on the command line or in the environment or in a password file.
If you want to authenticate without a clear text password anywhere, use certificate authentication with a client certificate.
I wish to encrypt gigabytes of data with OpenSSL (multiple files), securely.
I use this command (openSSL 1.0.2p-i386-win32):
openssl.exe enc -e -aes-256-ctr -in secret.txt -out encrypted.txt -salt -pass pass:AsIDHnd19!&###!#lJglG1f31!
My questions are:
What mode to use? CTR or CBC? (CTR for speed?)
How to generate random IVs? For example in a PowerShell script. (I am using Pshell v2.0)
Is the command I provided secure enough?
Can I use the same salt for every file, for better encryption speed?
Does a 20-30 char truly random password compensate for the lack of
IV?
EDIT:
I downloaded a newer version, with ability to use PBKDF2 (openSSL 1.1.1-win32-mingw):
openssl.exe enc -e -aes-256-ctr -in secret.txt -out encrypted.txt -salt -pass pass:AsIDHnd19!&###!#lJglG1f31! -pbkdf2 -p
With -p I can see the salt, key and IV that's used to encrypt the file. All 3 parameters change every time I run openssl, even if on the same file and with the same pass.
Does that mean I'm safe now and IV is random?
CBC and CTR should have same speed around.
If not specified IV is generated from your password with pbkdf2.
CTR is recommended to CBC.
Using the same salt is not adviced. Salt used to prevent attacks for the password, from OpenSSL documentation.
Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
IV is not lack of. OpenSLL generates is for you if not given.
Given the following powershell function:
function CreateRootCertificate($certificateName, $path, $certificatePassword){
makecert -r -pe -n "CN=$certificateName" -sky exchange $path\$certificateName.cer -sv $path\$certificateName.pvk
pvk2pfx.exe -pvk $path\$certificateName.pvk -spc $path\$certificateName.cer -pfx $path\$certificateName.pfx -po $certificatePassword
}
makecert is prompting me to enter the certificate password. From what I understand it wont do this, if the *.pvk file already exists, and has a password set upon it.
SO my question is, how do I split my single makecert command in two separate commands, one to create the *.pvk and another to create the *.cer?
Many Thanks
“Makecert.exe” will always prompt for password when creating a private key.
One way around this prompt may be to write code/macro, to find the password input window and enter your password in it.
The other is to use OpenSSL. In OpenSSL use
openssl genrsa -aes128 -passout pass:password -out $certificateName.pvk 2048
to generate a private key with passphrase.
If you do work with certificates a lot, I would recomend to forget “makecert.exe” altogether and use OpenSSL instead.
I need to encrypt an XML file with a x509 certificate on one computer and be able to decrypt it with the same certificate on another computer. It doesn't seem to work for me like Microsoft suggests:
http://msdn.microsoft.com/en-us/library/ms229744.aspx
The decryption process always fails on another computer!
I create a certificate by using the following command:
makecert -r -pe -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
Then I install it by using:
certmgr /add deep.cer /s root
And try to get its private key with the FindPrivateKey.exe utility:
FindPrivateKey My CurrentUser -n "CN=DEEP_201X"
Works great. However, when I perform all the same actions to install the certificate on another computer FindPrivateKey will fail with
No certificates with key 'CN=DEEP_201X' found in the store.
when I use
certmgr /add deep.cer /s my
the error message will be like this:
Unable to obtain private key file name
Could someone please give me a piece of advice on how to make it work?
I suspect that you only need the private key on the decrypting computer.
However...
If you really need the private key on both computers, be aware that The .cer file does not include the private key.
(I think) makecert adds it to the local machine when it generates the cert. You can write it out using the -sv option. Then build a pfx container for the certificate that contains it.
makecert -r -pe -sv myprivatekey.pvk -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
pvk2pfx -pvk myprivatekey.pvk -spc deep.cr -pfx deep_private.pfx
I haven't been able to convince certmgr to import private keys from the commandline. Use it in gui mode or use the certmgr.msc snap-in.
I need to make two certificates: CA sert and Server cert.
I use this commands.
makecert -r -pe -n "CN=CACert" -a sha1 -sky signature -cy authority -sv CACert.pvk CACert.cer
certutil -addstore Root TGCA.cer
makecert -pe -n "CN=ServerCert" -a sha1 -sky exchange -ic CACert.cer -iv CACert.pvk -sv ServerCert.pvk ServerCert.cer
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx
Then I import ServerCert.pfx to certificate storage.
Why they do not contain private key in storage?
Why don't you try to generate pfx file by passing the private key password as an argument?
Try it this way
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx -pi password
As the documentation says:
/pi pvkpassword
Specifies the password for the .pvk file.
Source: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672(v=vs.85).aspx
So, after a long dance with a tambourine I found a solution. Problem was in UI. My goal was to import pfx to localmachine storage. It's impossible to do by starting pxf file from folder.
When pxf imports wihout pvk pass, the internal private key do not imports. Password do not requests when importing to localmachine storage by MMC.
What I made:
Import pxf-file from file explorer to CurrentUser "My" strorage (entering pvk password).
Export certificate from storage to new pxf with password.
Import new pxf to localmachine "My" storage with MMC.
I don't know other ways.