Isn't that exactly what you want to do - encrypt some clear text into something unreadable to the world that can be retrieved only if the password is known? Don't copy and paste the result; save it in a file immediately. That file can be decrypted by applying crypt "tom" again.
So, what do you want it to do overall? (not just the one line)
I would expect that echo "mypassword" | crypt "tom" > encrypted_file will write your encrypted password into a file just fine, from where you can read it back, but what is the purpose?
The display you see will depend on a combination of a number of factors, such as locale, character sets for the terminal type defined, character set of the display you are using etc. You cannot reliably use the screen to just copy & paste the display for use elsewhere. You would need to copy the file or get it into a variable to use somehow.
If your script to retrieve it has the decryption password tom, the source file name and the method to extract it, then anyone who can read the code can get the password.
It's a common conundrum - how do you encrypt something and automate the decryption without just sharing the decryption?
If you can share a little more about the overall plan of your code, then we might be able to suggest something suitable.
By carefully reading the man page of "base64", until, upon chance, stumbling upon the description of the secret "-d" (decode) command line option and subsequently applying this arcane knowledge to your command line.
What would be the point of storing an encrypted password? Is this so that it can be checked against user input?
A possible better way might be:-
Read a password from the user into a file
Use sum or md5sum on the file and compare it to a stored value.
Obviously you would have to store the output from a previous sum or md5sum in your script, but that is less likely to be cracked.
Would that help, OR is everyone going to shoot me down for doing something really daft? I hope it's helpful but I would like to be corrected if necessary.
First off: this is perhaps the most ingenious way of being most secure in employing insecure methods in general. Sorry for this rather double-edged compliment, but you have to be aware that there are secure methods and there are other (not secure) methods. If you decide against secure methods you will always be able to move farther up the security scale, but only to some extent - principally insecure will always remain principally insecure, regardless of what you do.
Your method suffers from the fact that scripts are readable. I can extract the necessary md5sum from it, create a fitting PW offline (using all sorts of methods: dictionary attacks, ...) and then feed that PW into the script.
Still, your method is better than many others I have seen suggested in similar threads here and elsewhere.
Note that a user's encrypted login password is created using crypt() exactly as you suggested and the system used to store the encrypted string in plain text in /etc/passwd (which is readable by everyone so tools like ls can decode the user-IDs and group-IDs returned by stat() into user and group names in long listings). Many, many moons ago, the actual encrypted passwords were moved into /etc/shadow which is readable only by root to avoid the problem bakunin mentioned in post #11.
I quite agree that this is not a great solution, but hopefully it's better than some. I would always prefer to use the tool designed for the job, (e.g. SSH keys) but as we still don't know the real purpose I'm not sure what the best tool is.
Now use value above in your script to prompt and test for the correct PASS:
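# Key used to derive the AES key; it is readable by anyone who can read the script
export KEY=testing
# -s hides the typed password, -r keeps backslashes literal (bash builtin options)
read -r -s -p "Enter Password: " PASS
# Quote the command substitution so empty or multi-word output cannot break the test
if ! [ "5o24HujBi30BYD8=" = "$(openssl enc -a -e -aes-128-ctr -nopad -nosalt -pass env:KEY <<< "$PASS")" ]
then
    echo "Incorrect password"
    exit 1
fi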
As mentioned before the encrypted PASS is visible in the script and so is open to "brute force" attacks. Avoid dictionary words or easily guessed strings.
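The thread's objection to a stored md5sum or `-nosalt` value is that a copy can be guessed against offline; the sketch below is an added example, not code from any of the posts, that stores a salted, iterated SHA-512 crypt string of the kind kept in /etc/shadow instead. It assumes OpenSSL 1.1.1 or later (for `openssl passwd -6`), and the function names `make_hash`, `verify_hash` and `check_login` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): salted SHA-512 crypt check.
# Assumes OpenSSL 1.1.1+; function names are hypothetical.

# make_hash PASSWORD -> prints "$6$<salt>$<digest>" with a fresh random salt.
make_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# verify_hash STORED PASSWORD -> status 0 on match, 1 otherwise.
verify_hash() {
    local stored=$1 candidate=$2 salt recomputed
    # Accept only the plain "$6$salt$digest" layout.
    case $stored in
        '$6$rounds='*) return 1 ;;   # custom round counts are out of scope here
        '$6$'*'$'*) ;;
        *) return 1 ;;
    esac
    salt=${stored#'$6$'}    # drop the scheme prefix
    salt=${salt%%'$'*}      # keep everything before the next '$'
    # Recompute with the stored salt; the password goes in on stdin so it
    # never appears in the process list.
    recomputed=$(printf '%s\n' "$candidate" |
        openssl passwd -6 -salt "$salt" -stdin) || return 1
    [ "$recomputed" = "$stored" ]
}

# check_login HASH_FILE -> prompts once and compares against the stored hash.
check_login() {
    local stored pass
    stored=$(cat -- "$1") || return 1
    IFS= read -r -s -p "Enter Password: " pass; echo
    verify_hash "$stored" "$pass" || { echo "Incorrect password" >&2; return 1; }
}
```

Run `make_hash` once and keep its output in a file readable only by the script's owner (mode 600), as /etc/shadow does, rather than inside the script itself.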