A simple bash gpg “password safe”

This is definitely not military quality – but if you need a simple way to manage a GPG-encrypted file containing info you want to protect this works pretty well for me. I use this to manage a set of passwords on a trusted machine that I can ssh to.

It assumes you’re using a bash-like shell and have a trusted private key available in the account you’re running it on.



if [ ! -e "$HOME/private" ]
    mkdir -m 700 "$HOME/private"
    umask 77 "$HOME/private/"

# Always delete the unencrypted file at the end of the session. We DO NOT want this hanging around.
trap "rm -f \"$HOME/private/${USER}_private_store.txt\"; chmod 600 \"$HOME/private/${USER}_private_store.txt\"*; exit" INT TERM EXIT

touch "$HOME/private/${USER}_private_store.txt"
chmod 600 "$HOME/private/${USER}_private_store.txt"

gpg --decrypt "$HOME/private/${USER}_private_store.txt.asc" > "$HOME/private/${USER}_private_store.txt"
vim "$HOME/private/${USER}_private_store.txt"

md5sum  "$HOME/private/${USER}_private_store.txt.md5sum.new"

if [ -e "$HOME/private/${USER}_private_store.txt.md5sum" ]
    if [ "`cmp "$HOME/private/${USER}_private_store.txt.md5sum.new" "$HOME/private/${USER}_private_store.txt.md5sum"`" == "" ]
        rm -f "$HOME/private/${USER}_private_store.txt.md5sum.new"
        echo 'No changes, not re-encrypting'

mv "$HOME/private/${USER}_private_store.txt.md5sum.new" "$HOME/private/${USER}_private_store.txt.md5sum"

echo 'File has changed. Re-encrypting. . .'
gpg -a --encrypt -r $KEYS "$HOME/private/${USER}_private_store.txt"

First time it runs it’ll create a private directory, start vim, and encrypt the text you enter into vim. On subsequent runs it’ll prompt you for your private key passphrase and repeat the cycle. It won’t re-encrypt if there haven’t been any changes.

I’m betting wordpress messes up the code, so here’s the text file: edit_password_safe.sh.

“Secure” http connections over untrusted networks

Oh, ssh. How I love thee.

So I wanted to log in to wordpress blog with a login page NOT behind an HTTPS connection from an “insecure” network – in this case, it was the MBTA’s commuter rail wifi.

SSH supports SOCKS proxy connections and makes this STUPIDLY simple:

ssh -C -D 8000 name-of-your-proxy-ssh-server.com

“-C” turns on compression, “-D 8000” makes the SOCKS proxy connection on localhost’s port 8000.

Then you need to set your local firefox to use “localhost”, port 8000 as a SOCKS proxy. And bang! You’re proxying securely over an insecure network.

Yeah, yeah, the best solution would be to have the target wordpress use SSL, but not every blog can have a dedicated IP.

mod_passenger error page includes external stylesheet.

No sir, I don’t like it. Not at all.

The default mod_passenger “this app wouldn’t start” page includes an external CSS file:


which is odd, considering there’s a bunch of inline CSS. I guess it’s to include the images. . . but it also amounts to disclosing something unintentionally. Yuck.