Encrypt password without storing the password in a file

I found some good solutions to encrypting passwords in Unix to login to an Oracle database, however, they all suggested storing the password in a secured directory.  I was told that the policy is not to store any passwords in a file at all.  How would I do this without doing that?  Is there a way to encrypt and decrypt a password during runtime???  Please help!!!!
psmall57 Asked:

ahoffmann Commented:
Any password to be checked needs to be stored anywhere. In your case Oracle is the store and you can use it just out of your fingertips (without store).
So your question is a bit vague about which "store" you mean, could you please explain?
0
chris_calabrese Commented:
This is a chicken and egg problem.

You can store the password in an encrypted file, but then you have to store the encryption key in another file.

You can encrypt the encryption key to protect it, but then you need to store the encryption key for the encryption key for another file.

The bottom line is either a) don't use passwords for this (I believe you can set Oracle to accept the Unix ID as the database ID), or b) tell the people telling you not to store the passwords that they don't know what they're talking about (but use nicer words...).
0
psmall57 Author Commented:
I mean that I would Oracle is the store, however, I am playing by Unix (AIX) rules.  They want no passwords in files.  

Would I set up the encrypt key like this:

setenv key `key name`
crypt $key<encrypted_program_file_name> encrypt
crypt $key<encrypt> decrypt

I will write either another program, either shell, C, or perl to store the password in an array of some sort.  

How would I call the program from my shell scripts that contain the Oracle connection and sql programs.  Instead of the connect clauses, do I just put these encrypted file names like such:

connect username/$key@database

@query.sql
0
chris_calabrese Commented:
OK, now I'm even more confused than before.

What is the actual problem you are trying to solve?
0
ahoffmann Commented:
> connect username/$key@database

Here $key has to contain the plain password (means whatever Oracle requires as "secret" here).

AFAIK there is no secure way to login to Oracle except using your fingertips, anything else is unsecure by definition (see chris_calabrese's comment).
Your suggestion using the secret in the shell environment makes it more unsecure.
0
psmall57 Author Commented:
I have never encrypted a password before.  That is the main source of the problem and need to find how to login to the DB through my shell scripts without hardcoding in the password?  That is the MAIN problem.  Sorry to be so confusing.  Maybe, I am going about it wrong. I wrote a program in C obfuscated.  I guess I am going about this the wrong way.  I just have no other way to do this because I cannot put it in a file.  
0
chris_calabrese Commented:
You store the password in a file that only your shell scripts have permission to read.
Your shell scripts then read the password from the file and pass to sql (but not on the command-line, on stdin).
0
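The approach in the answer above, as an added example that is not part of the original thread: the script refuses a password file that is not private to its owner, then sends the `connect` line to the client on stdin so the password never appears in a process argument list. The function names, the file path in the usage comment, `appuser` and `ORCL_TEST` are constructed; `sqlplus -s /nolog` is assumed as the client.

```shell
#!/bin/sh
# Added example: names and paths are constructed, not from the thread.

# Accept the file only if it is a regular file (not a symlink), owned by
# the current user, and carries no group/other permission bits.
# ls -ld is parsed instead of stat(1) so this also works where stat is absent.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    mode=$(ls -ld "$f" | awk '{print $1}')
    case $mode in
        -r??------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# usage: run_sql_as USER DB SECRET_FILE SQL_SCRIPT [CLIENT ARGS...]
# e.g.   run_sql_as appuser ORCL_TEST "$HOME/.ora_pw" query.sql
run_sql_as() {
    user=$1 db=$2 secret=$3 script=$4
    shift 4
    # Default client; /nolog starts SQL*Plus without credentials in argv.
    [ $# -gt 0 ] || set -- sqlplus -s /nolog

    secret_file_ok "$secret" || {
        echo "refusing $secret: must be a private file owned by you" >&2
        return 2
    }
    # First line of the file is the password; tolerate a missing newline.
    IFS= read -r pw < "$secret" || [ -n "$pw" ] || return 3

    # printf is a builtin in bash, dash and ksh93, so the password is
    # written straight into the pipe and is not visible to ps(1).
    {
        printf 'connect %s/%s@%s\n' "$user" "$pw" "$db"
        printf '@%s\n' "$script"
        printf 'exit\n'
    } | "$@"
    rc=$?
    unset pw
    return $rc
}
```

Passing a different client after the script name (for instance `cat`) shows exactly what would be written to stdin.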
psmall57 Author Commented:
Yeah, that is what I recommended the whole time before I even put this question online.

My policy states that I cannot even do that.

I guess my only way is to fight that and get an exception.  Thanks a lot.
0
chris_calabrese Commented:
There are non-password authentication mechanisms supported by Oracle, and you could possibly use one of those.

One is "unix authentication" or "host authentication" or something like that. This is essentially where Oracle trusts that any client running as <user>@<server> is allowed to access some Oracle account.

Another is X.509 certificates. Of course, you still have to store the cert in a file and have your script read the file. You could password protect the cert, but........
0