File encryption in a bash script without explicitly providing password

I want to automate the following manual process.

Currently, I am encrypting a set of files using openssl as follows:

Encrypt file.txt to file.out using 256-bit AES in CBC mode

$ openssl enc -aes-256-cbc -salt -in file1 -out file1.enc

I am then prompted for a password, which is then used to encrypt the file.

When decrypting, I type

$ openssl enc -d -aes-256-cbc -in file1.enc -out file

I am then prompted for the password - which again, I manually type.

I want to automate this process of en/decryption - so I need to find a way of providing openssh with the password.

My first thought is whether it is possible to read the password from a file (say)? Or is there a better way of doing this?

Also, I suppose that I will have to place restrictions on who can view the password file - otherwise, that defeats the whole objective of using a password. I am thinking to run the bash script as a specific user, and then give only that user read rights to the contents of that file.

Is this the way it's done - or is there a better way?

Of course all of this leads to yet another question - which is, how to run a bash script as another user - without having to type the user pwd at the terminal...?

BTW, I am running on Linux Ubuntu 10.0.4


Solution 1:

Reading man openssl (especially the section PASS PHRASE ARGUMENTS):

Several commands accept password arguments, typically using -passin 
and -passout for input and output passwords respectively. These allow
the password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.

   pass:password
             the actual password is password. Since the password is visible
             to utilities (like 'ps' under Unix) this form
             should only be used where security is not important.

   env:var   obtain the password from the environment variable var. Since 
             the environment of other processes is visible on
             certain platforms (e.g. ps under certain Unix OSes)
             this option should be used with caution.

   file:pathname
             the first line of pathname is the password. If the same 
             pathname argument is supplied to -passin and -passout
             arguments then the first line will be used for the input 
             password and the next line for the output password.
             pathname need not refer to a regular file: it could for 
             example refer to a device or named pipe.

   fd:number read the password from the file descriptor number. This 
             can be used to send the data via a pipe for example.

   stdin     read the password from standard input.

openssl enc accepts -pass <arg> ... so, pick your arg from the list given above, e.g.:

 echo -n "secret" | openssl enc -aes-256-cbc -salt \
        -in file1 -out file1.enc \
        -pass stdin
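The following script is an added example (not part of the original question or answer, and not OpenSSL's own code) that wires the `file:` form from the man page excerpt into the encrypt/decrypt steps the question describes. It creates the password file with mode 0600 and refuses to use one that group or others can read, which is the access restriction the question asks about. The `-pbkdf2` flag is an assumption that the installed OpenSSL is 1.1.1 or newer; the paths and the password value are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL's docs: automates
# the enc/dec steps above with "-pass file:", reading the password from a
# file that only the script's user can read, so the secret is never passed
# on the command line (where "pass:" would expose it to ps).
set -eu

# Write the password file with mode 0600 (umask 077 applies before creation).
# The password value passed in is a constructed sample.
create_passfile() {                 # create_passfile <path> <secret>
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Refuse a password file that group or others can read; this is the
# "restrict who can view the password file" check from the question.
check_passfile_perms() {            # check_passfile_perms <path>
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# -pbkdf2 needs OpenSSL 1.1.1 or newer (assumption); it replaces the legacy
# single-pass key derivation that plain "openssl enc" uses by default.
encrypt_file() {                    # encrypt_file <passfile> <plain> <out>
    check_passfile_perms "$1"
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$2" -out "$3" -pass "file:$1"
}

decrypt_file() {                    # decrypt_file <passfile> <enc> <out>
    check_passfile_perms "$1"
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$2" -out "$3" -pass "file:$1"
}

# Round trip on constructed data in a temp dir; prints "ok" or "mismatch".
roundtrip_demo() {
    tmp=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$tmp/file1"
    create_passfile "$tmp/pass" 's3cret-sample'
    encrypt_file "$tmp/pass" "$tmp/file1" "$tmp/file1.enc"
    decrypt_file "$tmp/pass" "$tmp/file1.enc" "$tmp/file1.dec"
    if cmp -s "$tmp/file1" "$tmp/file1.dec"; then echo ok; else echo mismatch; fi
    rm -rf "$tmp"
}

# Shows the permission check rejecting a world-readable password file;
# prints "refused" or "accepted".
perms_demo() {
    tmp=$(mktemp -d)
    printf 's3cret-sample\n' > "$tmp/pass"
    chmod 644 "$tmp/pass"
    if check_passfile_perms "$tmp/pass" 2>/dev/null; then echo accepted; else echo refused; fi
    rm -rf "$tmp"
}

# Run both demos when invoked directly as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then roundtrip_demo; perms_demo; fi
```

Run it with `--demo` to see the round trip succeed and the permission check reject a 0644 file. The password file approach keeps the secret out of `ps` output and out of the environment; what it does not do is protect the secret from anyone who can run code as the same user, which is why the question's plan of a dedicated user for the script is the right complement to the file permissions.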