First off this is not about storing the passwords inside the script file but more about inside the script asking the user for a password and storing it inside that variable. For example:
read -p 'Password : ' password
and then using $password variable in the script. I have three main questions:
Is this secure?
If it is, how can I make the variable forgotten afterwards?
Using a password manager in the CLI and using commands to extract the needed passwords to run in a script (after entering the master password manually): is this secure?
Write a function that asks for the password and directly uses it inside that function. That way the variable will go out of scope and not hang around.
My guess is, it’s as secure as it gets with scripts like this, even when using a cli password manager. You need to somehow have the password if you want to use it.
edit: Also maybe use the flag -s. That way the password characters won’t be echoed when typing.
Not really. You are storing your password in plain text in memory.
It is hard to say if this is secure without understanding your implementation.
In a situation like this, it is better to tell us what you are trying to do, specifically. There might be a more secure method that is specific to your application.
My purpose is to decrypt my main drive and my backup drive. I use actual passwords, not the keyfiles. Using this, no files are in plain text; they are taken from the bitwarden cli directly.
Why aren’t you using keyfiles? That would be much more conventional.
That being said as long as you have unique passwords that you don’t use anywhere else the risk of storing disk decryption passwords temporarily in memory is relatively low.
You have to tell us how they are encrypted, not how they aren’t encrypted.
Alternatively, now that we know the passwords are only for disk decryption, just go ahead and use your method above. The risk is low since disk decryption protects you against physical loss; leaking a password via a memory attack and having physical access to your machine is pretty unlikely. Any attack that could do that could probably also access your keyfile.
Ok, sorry, not my best at reading questions today. I don’t know how it is encrypted, just that it’s with the default veracrypt and that therefore it is not LUKS.
Using read to input a password is about as safe as using the clipboard to copy passwords. So moderately safe. Malware could read your memory and discover the password, but then again, a keylogger could read what you type on your keyboard.
Assuming there is no malware on your computer, it should be safe. Once the shell session terminates, the memory will be freed, and there should be no trace of your password in it.
Also, if you don’t want the read command to echo what you type, use the option -s to silence it.
Using unset is unnecessary, but it cannot hurt. Variables are not retained when the shell session closes. And a script runs in a separate shell session. Just make sure never to source the script into the current shell session, i.e. run it with . script.sh.
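Putting the two answers together (read the password inside a function so it goes out of scope, don't echo it, and don't let it survive a sourced script), here is an added example that is not from any poster in the thread. `unlock_volume` is a hypothetical stand-in for whatever actually consumes the passphrase (the thread's veracrypt/bitwarden commands are not invoked); it only checks the length so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: prompt for a secret, use it only inside a
# subshell-scoped function, and check that nothing leaks into the caller.

# unlock_volume: HYPOTHETICAL consumer of the secret. A real tool would read the
# passphrase from stdin here; this stand-in just requires at least 9 characters.
unlock_volume() {
  IFS= read -r secret
  [ "${#secret}" -ge 9 ]
}

# use_password: the body runs in a subshell "( ... )" instead of "{ ... }", so
# $password disappears when the function returns, even if this file is
# sourced (". script.sh") into an interactive shell instead of executed.
use_password() (
  printf 'Password : ' >&2              # prompt on stderr, not stdout
  [ -t 0 ] && stty -echo                # no echo, only if stdin is a terminal
  IFS= read -r password
  [ -t 0 ] && { stty echo; printf '\n' >&2; }
  # Hand the secret over on a pipe, never as an argument: arguments are
  # visible to every user via "ps", pipe contents are not.
  if printf '%s\n' "$password" | unlock_volume; then rc=0; else rc=1; fi
  unset password                        # redundant in a subshell, but harmless
  return "$rc"
)

# password_leaked: true if a variable named "password" exists in this shell.
password_leaked() {
  [ -n "${password+set}" ]
}
```

Run interactively, `use_password` prompts without echoing; fed from a pipe (as in a script driven by a password-manager CLI) it reads the secret from stdin and the caller's shell never sees the variable.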