On Wed, 25 May 2016 12:50:50 +0200 Christophe-Marie Duquesne <c...@chmd.fr> wrote:
> Hi,
>
> I am trying to write a runit script that would require a passphrase
> when starting. This passphrase must not exist in clear on the
> filesystem, and it would require user interaction.

You can use the various implementations of ssh-askpass or gnupg's pinentry. You will need to maintain a TTY (perhaps in tmux) or X11 instance for that to work. Still, as others pointed out, non-restartable services are peculiar.

> I tried to have runit read the passphrase into the environment of the
> script:
>
> read -s PASSPHRASE
> exec prog # reads PASSPHRASE from the environment

That does not store the passphrase in the environment. That stores it in a shell variable (the specification calls it a parameter). You need to add:

export PASSPHRASE

for it to get "exported" to the process environment. But be aware that the environment is generally freely readable by any other process and thus it's pretty useless for secret passphrases.

A better approach might be to give your service a command to call to obtain the passphrase, which then may be implemented in a variety of ways. One such way is http://www.passwordstore.org/ which stores passphrases in gnupg-encrypted files, and you would be able to grant access to it to the service via gpg-agent.
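The two points made in the reply, shown as an added example that is not part of the thread: a plain shell parameter is invisible to child processes until it is exported, and a service can instead receive the passphrase from a command it runs (or that runs it), so the secret never enters the environment at all. The secret value and the `get_passphrase` helper are constructed stand-ins; `get_passphrase` marks where a real call such as `pass show` would go, and `service_main` stands in for `prog`.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the difference between a
# shell parameter and an exported environment variable, and the alternative
# of feeding the passphrase to the service over a pipe instead.

# Child process check: `env` is an external program, so it is a child of the
# shell and lists only variables that were exported to it.
child_sees_passphrase() {
    env | grep -q '^PASSPHRASE=' && echo yes || echo no
}

# Assigning a shell parameter without `export`: the child does not see it.
# (Subshell keeps the assignment from leaking into the caller.)
without_export() {
    (
        PASSPHRASE="constructed-secret"   # shell parameter only
        child_sees_passphrase
    )
}

# After `export`, the variable is part of the process environment and every
# child (and, on most systems, anything allowed to read the process's
# environment) can see it.
with_export() {
    (
        PASSPHRASE="constructed-secret"
        export PASSPHRASE
        child_sees_passphrase
    )
}

# Alternative from the reply: hand the service a command that yields the
# passphrase. Constructed placeholder for something like
# `pass show service/passphrase`; a real deployment would call that instead.
get_passphrase() {
    printf '%s\n' "constructed-secret"
}

# Stand-in for `prog`: reads the passphrase from stdin and confirms that it
# never appeared in its environment.
service_main() {
    IFS= read -r secret
    if [ -n "$secret" ] && [ -z "${PASSPHRASE:-}" ]; then
        echo ok
    else
        echo fail
    fi
}

# Wire the command to the service over a pipe, as a runit `run` script could.
run_service_with_command() {
    get_passphrase | service_main
}
```

`without_export` prints `no`, `with_export` prints `yes`, and `run_service_with_command` prints `ok` because the secret reached the service on stdin with no `PASSPHRASE` variable in its environment.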