Previous: , Up: Encryption   [Contents][Index]


13.3 Decrypting Data

The contents of confidential fields can be read using the -s (--password) command line option to recsel. When used, any selected record containing encrypted fields will try to decrypt them with the given password. If the operation succeeds then the output will include the unencrypted data. Otherwise the ASCII-encoded encrypted data will be emitted.

If recsel is invoked interactively and no password is specified with -s, the user will be asked for a password in case one is needed. No echo of the password will appear in the screen. The provided password will be used to decrypt all confidential fields as if it was specified with -s.

For example, consider the following database storing information about the user accounts of some online service. Each entry stores a login, a full name, email and a password. The password is declared as confidential:

%rec: Account
%key: Login
%confidential: Password

Login: foo
Name: Mr. Foo
Email: foo@foo.com
Password: encrypted-AAABBBCCCDDD

Login: bar
Name: Ms. Bar
Email: bar@bar.org
Password: encrypted-XXXYYYZZZUUU

If we use recsel to get a list of records of type Account without specifying a password, or if the wrong password was specified in interactive mode, then we would get the following output with the encrypted values:

$ cat accounts.rec | recsel -t Account -p Login,Password
Login: foo
Password: encrypted-AAABBBCCCDDD

Login: bar
Password: encrypted-XXXYYYZZZUUU

If we specify a password and both entries were encrypted using that password, we would get the unencrypted values:

$ recsel -t Account -s secret -p Login,Password accounts.rec
Login: foo
Password: foosecret

Login: bar
Password: barsecret

As mentioned above, a confidential field may be encrypted with different passwords in different records (see Confidential Fields). For example, we may have an entry in our database with data about the account of the administrator of the online service. In that case we might want to store the password associated with that account using a different password than that for users. In that case the output of the last command would have been:

$ recsel -t Account -s secret -p Login,Password accounts.rec
Login: foo
Password: foosecret

Login: bar
Password: barsecret

Login: admin
Password: encrypted-TTTVVVBBBNNN

We would need to invoke recsel with the password used to encrypt the admin entry in order to read it back unencrypted.


Previous: , Up: Encryption   [Contents][Index]