Converting scripts to C that contain phrases


Converting scripts to C that contain phrases

#1 Post by cds60601 »

This isn't a question but more of a here's what I did as a possible way of using a password within a script.
In my case, my cron'd backups run and encrypt a tarball backup that I'll use a password to decrypt.

While it is possible to place a password within the script, it's not a good idea for obvious reasons.
What I have done in the past (and probably the recommended way) was to create a directory in /etc and chmod the directory so that only root can access the file within that contains the password for gpg to use.
I wanted to get away from that so my solution was to rewrite the script to a C program. Perhaps a bit out of the ordinary and of course, I save the source file off system.
Yes I know, they can be decompiled but that would mean someone taking the time to do all that. In the end, this is turning out to be a good working scenario for me.
This idea won't be for everyone but more of a possible way of using scripts that contain passwords on the system.

I would be curious about other ways folks are getting around the use of passwords within scripts.
Last edited by cds60601 on 2024-03-17 15:32, edited 1 time in total.
Supercalifragilisticexpialidocious


Re: Converting scripts to C that contain passwords

#2 Post by CwF »

cds60601 wrote: 2024-03-16 14:59 a possible way of using a password within a script.
https://packages.debian.org/bookworm/shc


Re: Converting scripts to C that contain phrases

#3 Post by cds60601 »

CwF wrote: 2024-03-16 15:38
cds60601 wrote: 2024-03-16 14:59 a possible way of using a password within a script.
https://packages.debian.org/bookworm/shc
Aw, what the hell!!
lol, all the time I put in to actually write and test the C programs... and all along, there was this....
Last edited by cds60601 on 2024-03-17 15:32, edited 1 time in total.
Supercalifragilisticexpialidocious


Re: Converting scripts to C that contain passwords

#4 Post by Aki »

Hello,

Compiling passwords or passphrases into a binary executable does not make it secure. Outputting the binary contents of the file (searching for character arrays in plain text) or using a debugger will allow an authorised user to access them if he/she can access the executable.


note: replaced “contian” with “contain” in the subject of the first post.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀


Re: Converting scripts to C that contain phrases

#5 Post by cds60601 »

cds60601 wrote: 2024-03-16 14:59
While it is possible to place a password within the script, it's not a good idea for obvious reasons.
What I have done in the past (and probably the recommended way) was to create a directory in /etc and chmod the directory so that only root can access the file within that contains the password for gpg to use.
Yes I know, they can be decompiled but that would mean someone taking the time to do all that. In the end, this is turning out to be a good working scenario for me.
This idea won't be for everyone but more of a possible way of using scripts that contain passwords on the system.
@AKI - I do believe I covered that with the above.
Last edited by cds60601 on 2024-03-17 15:33, edited 1 time in total.
Supercalifragilisticexpialidocious


Re: Converting scripts to C that contain passwords

#6 Post by steve_v »

cds60601 wrote: 2024-03-17 14:24 ...can be decompiled but that would mean someone taking the time to do all that.
...
I do believe I covered that with the above.
Extracting strings from compiled C doesn't require any decompiling at all, or access to the source for that matter. A simple 'strings <binary>' will dump any plaintext, and anything more complex is but a minute with a hex editor away.
shc might be secure enough for your needs, as it apparently encrypts the embedded shell script... But I doubt it, since the key for said encryption would have to be in the C binary as well, and unless some other trickery is going on the above will work just fine to retrieve it.

What you're talking about with compiled code vs. shell isn't security, it's obfuscation. Trivially weak obfuscation at that.
The real answer is the same as it has always been: Don't hardcode credentials. Whether it's in bash or C is irrelevant.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
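
An added example, not code from any poster in this thread: one way to follow "don't hardcode credentials" from a C program is the root-only file described in the first post, with the file's type, owner and mode verified before the passphrase is read. The function name, error codes and file path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PP_OK = 0, PP_OPEN = -1, PP_TYPE = -2, PP_OWNER = -3, PP_MODE = -4, PP_READ = -5 };

/* Hypothetical helper: copy the first line of `path` into `out` only if it is
 * a regular file owned by `owner` with no group/other permission bits set. */
int load_passphrase(const char *path, uid_t owner, char *out, size_t cap)
{
    if (cap < 2) return PP_READ;
    /* O_NOFOLLOW makes open() fail if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return PP_OPEN;

    /* fstat() the open descriptor, so the checks and the read hit the same file. */
    struct stat st;
    int rc = PP_OK;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) rc = PP_TYPE;
    else if (st.st_uid != owner) rc = PP_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO)) rc = PP_MODE;

    if (rc == PP_OK) {
        ssize_t n = read(fd, out, cap - 1);
        if (n <= 0) rc = PP_READ;
        else {
            out[n] = '\0';
            out[strcspn(out, "\r\n")] = '\0';  /* keep the first line only */
            if (out[0] == '\0') rc = PP_READ;
        }
    }
    close(fd);
    if (rc != PP_OK) out[0] = '\0';            /* never return partial data */
    return rc;
}

int main(void)
{
    char pass[256];
    /* Constructed path; uid 0 is root, matching the root-only /etc directory. */
    int rc = load_passphrase("/etc/backup-secret/passphrase", 0, pass, sizeof pass);
    if (rc != PP_OK) { fprintf(stderr, "refusing passphrase file (%d)\n", rc); return 1; }
    /* Pass `pass` to gpg over a pipe (gpg --batch --pinentry-mode loopback --passphrase-fd N). */
    return 0;
}
```

Because the passphrase lives in a file rather than a string literal, nothing secret ends up in the compiled binary, and the program refuses to run if the file's permissions have been loosened.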


Re: Converting scripts to C that contain phrases

#7 Post by cds60601 »

steve_v wrote: 2024-03-17 14:51
cds60601 wrote: 2024-03-17 14:24 ...can be decompiled but that would mean someone taking the time to do all that.
...
I do believe I covered that with the above.
Extracting strings from compiled C doesn't require any decompiling at all, or access to the source for that matter. A simple 'strings <binary>' will dump any plaintext, and anything more complex is but a minute with a hex editor away.
shc might be secure enough for your needs, as it apparently encrypts the embedded shell script... But I doubt it, since the key for said encryption would have to be in the C binary as well, and unless some other trickery is going on the above will work just fine to retrieve it.

What you're talking about with compiled code vs. shell isn't security, it's obfuscation. Trivially weak obfuscation at that.
The real answer is the same as it has always been: Don't hardcode credentials. Whether it's in bash or C is irrelevant.
While I agree 100%, in my case, this is simply running a nightly cron that creates a tarball that gets piped through gpg (along with the phrase) to encrypt the tarball.
Nothing of serious importance nor related to actual credentials is being used.
So perhaps I failed to disclose that in the beginning, and in my case, I find this to be perfectly acceptable for a home user, as I am using this process on my home systems and certainly not in a business environment.
But you are correct, passwords should not be used within any type of script unless you are willing to accept the consequences of your actions.
In the end, the user must make that determination what is best for them and the scenario they choose to use it for.

Note: I changed the initial subject to actually reflect my use case.
Supercalifragilisticexpialidocious


Re: Converting scripts to C that contain phrases

#8 Post by CwF »

maybe look into keychain and if it can be called from a script?
https://packages.debian.org/bookworm/keychain
