Sensitive inputs
There are certain instances whereby Klayr Commander requires sensitive inputs such as passphrases or secret messages, which you may not wish to include directly as command line arguments due to the fact that they will be visible. For example, in the bash history or process managers. This section describes the various options available for securely including sensitive inputs within Klayr Commander commands. The format for providing Klayr Commander with sensitive inputs is loosely based on the OpenSSL format.
The message:encrypt
command is used for the given examples with a secret passphrase as a sensitive input, however the same pattern applies to other commands which also accept sensitive inputs.
Via a password prompt
If a passphrase is required for a command, and no source is provided via the --passphrase
option, Klayr Commander will initiate a prompt for a password input, so the required passphrase can be typed in directly.
Please note that this approach is only available for passphrases, and not other kinds of sensitive inputs.
klayr message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world'
Please enter your secret passphrase: ****************************************************************
Please re-enter your secret passphrase: ****************************************************************
Via an environmental variable
If your passphrase is stored in an environmental variable, it is possible to specify the variable name using the –passphrase
option.
Please be aware that this approach is only available for passphrases, and not other kinds of sensitive inputs.
klayr message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world' --passphrase env:PASSPHRASE
Via a file
If your passphrase is stored in a file, it is possible to specify the path using the –passphrase option, and Klayr Commander will read the passphrase from the first line. If other types of data are stored in a file, it is possible to specify the path using the –data option, and Klayr Commander will read the entire contents of the file.
klayr message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 --data file:./secret_data.txt --passphrase file:./passphrase.txt
Via stdin
Klayr Commander will read a passphrase from the first line of stdin via the –passphrase
option, or multiple lines for other sorts of data via the –data
option.
If stdin is specified as the source of both the passphrase and other additional data, then the passphrase is assumed to be the first line, and the data will follow.
Please note that the actual use of echo with plaintext strings shown in the example below is not recommended:
echo 'my secret passphrase on the first line\Followed by\nsome data that\nspans multiple lines' | klayr message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 --data stdin --passphrase stdin
Via a plaintext option
For convenience, Klayr Commander also supports providing a plaintext passphrase via the |
klayr message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world' --passphrase 'pass:my secret passphrase'