2
\$\begingroup\$

I wrote a small script to get around the issue when using pdfencrypt on the command line the password is always echoed as well as being saved to the 'history'. 

#!/bin/bash

 export LC_ALL=de_DE.latin1

 while true; do
     echo "please select Pdf input file:"
     read -e -r infile
     if file --mime-type "$infile" | grep -q pdf$; then
         echo
         break
     else
         printf "\nis not a PDF file :-(\n\n"
     fi
 done

 echo "please type in Pdf output filename"
 echo "without extension (.pdf):"
 read -e -r outfile

 if [ -f "${outfile}.pdf" ]; then
     echo
     echo "File allready exists!";
     echo "please enter a new filename, or the same to override: "
     read -e -r outfile
 fi

 echo "please type in Password"
 echo "(only ASCII chracters recommended)"
 read -r -s

 pdfencrypt "$infile" -p "$READ" -o "${outfile}.pdf" \
  && echo "success, ${outfile}.pdf is encrypted :-)" \
  || echo "failed, did you use non ASCII characters for Password?"

exit

I had the problem with following non ASCII-Characters in the password: § ä ö ü etc. When I used any of those for encryption I got the following error:

Encoding::CompatibilityError: incompatible character encodings: UTF-8 and ASCII-8BIT

I solved this by including export LC_ALL=de_DE.latin1 in the script. Though there still are some compatibility problems when using any of those characters, therefore I added a recommendation not to use non ASCII in the password.

(I know that PDF encryption itself is pretty low-level security but I sometimes like to add this level when sending files via e-mail etc...)

\$\endgroup\$
4
  • 2
    \$\begingroup\$ Using bash (or any other shell) in an attempt to mask passwords is insecure: any(!) process or user on this machine can do a ps -ax and have a look at all processes... and all of their command line parameters. In some regard a password is more visible that way, and get an even wider audience, compared to only "on screen and in history". \$\endgroup\$ Commented Aug 5, 2017 at 13:37
  • \$\begingroup\$ thanks for this information @jvb I did not know this! \$\endgroup\$ Commented Aug 5, 2017 at 13:40
  • \$\begingroup\$ Few know ;) I've got no pdfencrypt on my machine (and thus, no man page), but the usual workaround for this is to check if the program in question can read the password from a file (with a different argument). If so, you could set an appropriate umask, write the password into a file using the built-in echo (which isn't a separate process and doesn't show up with ps), and rm the file after encryption. Files can be better protected than process information. - This might even be a workaround for the UTF-8 problem. \$\endgroup\$ Commented Aug 5, 2017 at 15:58
  • \$\begingroup\$ @jvb I was just checking for a man page of pdfencrypt unfortunately there isn't any, at least not installed with my package, got to check on github later... if I go for --helpI get about six option where reading the password from file is not supported. Maybe I'll make a feature request, when I visit the githup page later... :-) \$\endgroup\$ Commented Aug 5, 2017 at 17:44

1 Answer 1

Reset to default
1
\$\begingroup\$

Usability

Typing filenames on standard input is extremely annoying. It would be better if the script took the input filename as command line argument. That way users can benefit from path completion in the shell.

Simplify

Instead of this:

 while true; do
     echo "please select Pdf input file:"
     read -e -r infile
     if file --mime-type "$infile" | grep -q pdf$; then
         echo
         break
     else
         printf "\nis not a PDF file :-(\n\n"
     fi
 done

I would eliminate the else statement, and also simplify the echo-ing:

 while true; do
     echo "please select Pdf input file:"
     read -e -r infile
     echo
     file --mime-type "$infile" | grep -q pdf$ && break
     echo "is not a PDF file :-("
     echo
 done

Redundant exit

The exit at the end of the script is redundant, I suggest to remove it.

\$\endgroup\$

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.