openssl hmac and key on the command line

Francois rigault.francois at gmail.com
Sun Aug 7 16:20:56 UTC 2022


Greetings

I am reading some doc instructing me to run

    printf '%s' "${challenge}" | openssl dgst -sha1 -hmac ${APP_TOKEN}

Doing so would leak the APP_TOKEN on the command line arguments (so a
user running a "ps" at the right time would see the APP_TOKEN in
clear). Due to my machine setup, programs started and their arguments
also end up in an audit log.

I am reading the documentation on
https://www.openssl.org/docs/manmaster/man1/openssl-dgst.html, that
points at the preferred
https://www.openssl.org/docs/manmaster/man1/openssl-mac.html, and all
the examples have the key in clear text on the command line.

Is there an equivalent command I can run that will not leak the key?

Best regards
Francois
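
An added example, not part of the original post and not OpenSSL code: a small Python stand-in for the command above that takes the key from the exported APP_TOKEN environment variable or from a mode-0600 file, and the challenge from stdin, so the key never appears in an argument list. The script name hmac_stdin.py and the key-file option are assumptions; it prints the bare hex digest rather than openssl's labelled output.

```python
#!/usr/bin/env python3
"""HMAC-SHA1 of stdin; the key comes from the environment or a file,
never from argv. Hypothetical name: hmac_stdin.py (added example)."""
import hashlib
import hmac
import os
import stat
import sys


def load_key(env_name="APP_TOKEN", key_file=None):
    """Return the key as bytes without it passing through any argv."""
    if key_file is not None:
        mode = os.stat(key_file).st_mode
        # Refuse key files that group or others can access.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{key_file}: mode must be 0600 or stricter")
        with open(key_file, "rb") as fh:
            data = fh.read()
        # Drop one trailing newline, as left by most editors and by echo.
        return data[:-1] if data.endswith(b"\n") else data
    value = os.environ.get(env_name)
    if value is None:
        raise SystemExit(f"{env_name} is not set in the environment")
    # fsencode recovers the original bytes of the variable on POSIX.
    return os.fsencode(value)


def hmac_sha1_hex(key, challenge):
    """Hex HMAC-SHA1, the value `openssl dgst -sha1 -hmac KEY` computes."""
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def main(argv):
    # argv carries at most a file *path*; the key itself is never an argument.
    key_file = argv[1] if len(argv) > 1 else None
    key = load_key(key_file=key_file)
    challenge = sys.stdin.buffer.read()
    print(hmac_sha1_hex(key, challenge))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `printf '%s' "${challenge}" | python3 hmac_stdin.py` with APP_TOKEN exported. The environment of a process stays readable by the same user and by root through /proc/<pid>/environ, so the key file is the tighter of the two options.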

