From fe5c75b1424ce29c4a1733bd822c4165222792d9 Mon Sep 17 00:00:00 2001 From: Marc Beninca Date: Tue, 12 Nov 2024 09:28:08 +0100 Subject: [PATCH] passphrase --- bash/rescue-hetzner.sh | 10 ++++++---- bash/rescue-ovh.sh | 10 ++++++---- bash/util.sh | 14 ++++++++++++++ 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/bash/rescue-hetzner.sh b/bash/rescue-hetzner.sh index bbbf94a..f2e6d34 100644 --- a/bash/rescue-hetzner.sh +++ b/bash/rescue-hetzner.sh @@ -9,8 +9,7 @@ rescue_wipe_0_init_hetzner_8_8() { local passphrase local unit='mib' # read passphrase - echo -n 'PassPhrase: ' - read -r -s passphrase + passphrase="$(read_passphrase)" # lsblk echo -n 'WIPE' "${devices[@]}" '/?\ OR CANCEL /!\' @@ -149,6 +148,8 @@ rescue_wipe_0_init_hetzner_8_8() { # open echo "${passphrase}" | cryptsetup luksOpen '/dev/md/crypt' 'crypt' + # passphrase + unset passphrase } rescue_wipe_2_make_hetzner_8_8() { @@ -156,8 +157,7 @@ rescue_wipe_2_make_hetzner_8_8() { # close cryptsetup luksClose 'crypt' # read passphrase - echo -n 'PassPhrase: ' - read -r -s passphrase + passphrase="$(read_passphrase)" # encrypt echo "${passphrase}" | cryptsetup \ @@ -175,6 +175,8 @@ rescue_wipe_2_make_hetzner_8_8() { # open echo "${passphrase}" | cryptsetup luksOpen '/dev/md/crypt' 'crypt' + # passphrase + unset passphrase # format crypt mkfs.btrfs --force \ --checksum 'sha256' \ diff --git a/bash/rescue-ovh.sh b/bash/rescue-ovh.sh index 314d452..ea71bcf 100644 --- a/bash/rescue-ovh.sh +++ b/bash/rescue-ovh.sh @@ -3,8 +3,7 @@ rescue_wipe_0_init_ovh_vle2() { local passphrase local unit="mib" # read passphrase - printf "PassPhrase: " - read -r -s passphrase + passphrase="$(read_passphrase)" # warn lsblk printf "%s" "WIPE ${device} /?\\ OR CANCEL /!\\" @@ -78,6 +77,8 @@ rescue_wipe_0_init_ovh_vle2() { # crypt / open echo "${passphrase}" | cryptsetup luksOpen "${device}1" "crypt" + # passphrase + unset passphrase } rescue_wipe_2_make_ovh_vle2() { 
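Review bot: In bash/rescue-hetzner.sh, hunk -9,8, the result of `read_passphrase` is assigned to `passphrase` without any check, so an empty entry (just Enter, or a closed stdin) carries on to the wipe prompt and is later piped to cryptsetup as is. Add `[[ -n "${passphrase}" ]] || return 1` right after the assignment. The same unchecked assignment is in the -156,8 hunk of this file and in the -3,8 and -86,8 hunks of bash/rescue-ovh.sh. The body of rescue_wipe_0_init_hetzner_8_8 continues outside the hunk, so whether cryptsetup itself would reject an empty passphrase there is not visible.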
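Review bot: In bash/rescue-hetzner.sh, hunk -149,6, the added comment `# passphrase` above `unset passphrase` does not say why the line is there. Something like `# drop the passphrase once the last cryptsetup call has consumed it` would. The comment should also say that `unset` only removes the shell variable and does not overwrite the memory that held the value. In this function `passphrase` is declared `local`, so it goes away at return in any case. The same bare comment is added in the -175,6 hunk and in the -78,6 and -105,6 hunks of bash/rescue-ovh.sh.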
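Review bot: In bash/rescue-hetzner.sh, hunk -156,8, the passphrase is typed once with echo disabled and then used for the `# encrypt` step and for the `luksOpen` in the following hunk, so a mistyped passphrase encrypts and opens without error and is only noticed at the next unlock. Ask for it a second time and compare before encrypting, for example `confirm="$(read_secret 'Confirm: ')"` followed by `[[ "${passphrase}" == "${confirm}" ]] || return 1`. The function starts above this hunk, so it is not visible whether `passphrase` is declared `local` here; `confirm` should be local as well. The same single entry is used in rescue_wipe_2_make_ovh_vle2 (hunk -86,8 of bash/rescue-ovh.sh).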
@@ -86,8 +87,7 @@ rescue_wipe_2_make_ovh_vle2() { # crypt / close cryptsetup luksClose "crypt" # read passphrase - printf "PassPhrase: " - read -r -s passphrase + passphrase="$(read_passphrase)" # crypt / encrypt echo "${passphrase}" | cryptsetup \ @@ -105,6 +105,8 @@ rescue_wipe_2_make_ovh_vle2() { # crypt / open echo "${passphrase}" | cryptsetup luksOpen "${device}1" "crypt" + # passphrase + unset passphrase # crypt / format mkfs.btrfs --force \ --checksum "sha256" \ diff --git a/bash/util.sh b/bash/util.sh index e3781a7..2711b03 100644 --- a/bash/util.sh +++ b/bash/util.sh @@ -5,3 +5,17 @@ not() { *) ;; esac } + +read_passphrase() { + read_secret "PassPhrase: " +} + +read_secret() { + local prompt="${1}" + local secret + printf "${prompt}" 1>&2 + read -r -s secret + echo >&2 + echo "${secret}" + unset secret +}
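Review bot: In bash/util.sh, `read_secret` can alter the secret it hands back. `read -r -s secret` without `IFS=` strips leading and trailing blanks, and `echo "${secret}"` treats a value such as `-n` or `-e` as an option instead of printing it. The prompt is also used as the printf format string, and because `unset secret` is the last command, the function returns 0 even when `read` fails. Suggested lines: `printf '%s' "${prompt}" 1>&2`, `IFS= read -r -s secret || return 1`, `printf '%s\n' "${secret}"`. The trailing `unset secret` can then be dropped, since `secret` is local and the callers in this patch run the function inside a command substitution.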