The contents of confidential fields can be read using the -s|--password command line option to recsel. When used, any selected record containing encrypted fields will try to decrypt them with the given password. If the operation succeeds then the output will include the unencrypted data. Otherwise the ASCII-encoded encrypted data will be emitted.
If recsel is invoked interactively and no password is specified with -s, the user will be asked for a password in case one is needed. No echo of the password will appear in the screen. The provided password will be used to decrypt all confidential fields as if it was specified with -s.
For example, consider the following database storing information about the user accounts of some online service. Each entry stores a login, a full name, email and a password. The password is declared as confidential:
%rec: Account %key: Login %confidential: Password Login: foo Name: Mr. Foo Email: firstname.lastname@example.org Password: encrypted-AAABBBCCCDDD Login: bar Name: Ms. Bar Email: email@example.com Password: encrypted-XXXYYYZZZUUU
If we use recsel to get a list of records of type
Account without specifying a password, or if the wrong password
was specified in interactive mode, then we would get the following
output with the encrypted values:
$ cat accounts.rec | recsel -t Account -p Login,Password Login: foo Password: encrypted-AAABBBCCCDDD Login: bar Password: encrypted-XXXYYYZZZUUU
If we specify a password and both entries were encrypted using that password, we would get the unencrypted values:
$ recsel -t Account -s secret -p Login,Password accounts.rec Login: foo Password: foosecret Login: bar Password: barsecret
Note that nothing prevents to have confidential fields encrypted with different passwords. As discussed in see %confidential this can be useful to implement several “levels” of security. For example, we may have an entry in our database with data about the account of the administrator of the online service. In that case we could want to store the password associated with that account using a differentiated password. In that case the output of the last command would have been:
$ recsel -t Account -s secret -p Login,Password accounts.rec Login: foo Password: foosecret Login: bar Password: barsecret Login: admin Password: encrypted-TTTVVVBBBNNN
We would need to invoke recsel with the password used to encrypt the admin entry in order to read it back unencrypted.