Passphrase in "non-clear-text" in my bashrc?


I often use this bash-alias for compressing and encrypting folders, for uploading them to the cloud:

alias zzz="7z a -mhe=on -mmt=on -t7z -p9IpxHulB3tJWqxINeSbs5Ojeju -mx=9"

So I type for example:

zzz ~/myuploadfoder/documents.7z ~/Documents

In this case my passphrase stands in “clear text” in my bashrc file.

Is there any way to “kind of hash” this passphrase, so that it is not readable (so that I could even public this bashrc file on gitlab or so, just an example) ?

I hope I could make clear what I am looking for…

Thank you already for your input and help

Kind regards

What you use as a password manager will influence this.

You can use $(passwordmanager IDEntry) and this will expand the stdout in that command to replace that part of the string

such as
alias zzz="7z a -mhe=on -mmt=on -t7z -p$(pass cloud-key) -mx=9"

1 Like

+1 rwaltr

Just if you want a quick password prompt till you’ve set up a manager:

alias zzz="7z a -mhe=on -mmt=on -t7z -p$(read -sp "Password:" _pass; echo $_pass) -mx=9;"


wow… I never heard of this solution… using a passwordmanager…

Would keepassxx work for this?
Because I use it anyhow…

It might, you would need to test it. generally as long as it responds on STDOUT it would work

Any idea how to get the passphrase of an keepassxc entry into a variable?

I just found that KeepassXC has “uuids”:

I did some sniffing around and it looks like KeyPassXC has a CLI:

This looks like the parameter you’re looking for:

show [options] <database> <entry>
Shows the title, username, password, URL and notes of a database entry. Can also show the current TOTP. Regarding the occurrence of multiple entries with the same name in different groups, everything stated in the clip command section also applies here.

So something like: $(keepassxc-cli show [options] <database> <entry>) but you’d need to see if there’s an option to put out just the password.

If not you’ll need to parse it with something like awk. If you can post the output (change the password first) I can assist with parsing.

Perhaps a solution I use for my local setup might help. I encrypt my passwords with gpg in a local hidden file. Then I use a one-liner to call gpg to fetch the target password from the list as needed. Within the script, gpg prompts me for the cipher passphrase which must be successfully submitted before the password is displayed.

Here are the steps to set this up:

  1. create a text based file using the format [site] [password] with one set per line. example: letmein pass1234 theOldDayz

  2. Name the file something like .access_list.txt and put it in your home directory

  3. Encrypt .access_list.txt with gpg using a cipher passphrase
    gpg -c .access_list.txt

  4. You will be prompted for the passphrase twice for confirmation
    A new file will be created that is now named .access_list.txt.gpg

  5. Delete the plain text file .access_list.txt (we don’t want the plain text file laying around)

  6. Write a script to decipher the file and grep the target password. Put the following one-liner in your path and name it something like and make it executable.
    gpg -d ~/.access_list.txt.gpg | grep -i “$1”

  7. When you need the password for aol, open a terminal, enter aol

You will be prompted to enter your passphrase and when done successfully, the password for “aol” will be shown on the command line. From there it could be manipulated to be used in other scripts as necessary.

If you need to modify the file in the future just enter gpg .access_list.txt.gpg and the original text file will be restored. Modify it. Encrypt it as above. Rinse and Repeat.

1 Like

So like Pass?


+1 as there’s no stage where the password file is unencrypted on disk.

Good seeing these answers.

Perhaps. I don’t know what Pass does; so I’ll have to look into it. Pass doesn’t come preinstalled on my current distro (Ubuntu Studio 20.04) as gpg did. But I see that Pass is in the PPA. Thanks for the tip.

Pass is in the official Ubuntu repo, simply called pass.
It is also just a single bash file (with additional files if you want auto completion or to import from other password managers), so you can just place that file anywhere in your PATH, make it executable and run it.

I can highly recommend Pass and it seems like it fits into your use case perfectly, since you are already gpg encrypting simple text files containing passwords.
Also, Pass has builtin support for git, so you can version control your password files.

There are also browser plugins and a nice standalone GUI called QtPass.
This project looks interesting for a Terminal UI.

1 Like