Lisk Commander Sensitive Inputs

There are certain instances whereby Lisk Commander requires sensitive inputs such as passphrases or secret messages, which you may not wish to include directly as command line arguments due to the fact that they will be visible. For example, in the bash history or process managers. This section describes the various options available for securely including sensitive inputs within Lisk Commander commands. The format for providing Lisk Commander with sensitive inputs is loosely based on the OpenSSL format.

The message:encrypt command is used for the given examples with a secret passphrase as a sensitive input, however the same pattern applies to other commands which also accept sensitive inputs.

Via a password prompt

If a passphrase is required for a command, and no source is provided via the --passphrase option, Lisk Commander will initiate a prompt for a password input, so the required passphrase can be typed in directly. Please note that this approach is only available for passphrases, and not other kinds of sensitive inputs.

$ lisk message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world'
Please enter your secret passphrase: ****************************************************************
Please re-enter your secret passphrase: ****************************************************************

In the case whereby commands which may or may not involve a second passphrase, a prompt can be triggered using --second-passphrase prompt:

$ lisk transaction:create --type=0 100 9397838105554816361L --second-passphrase prompt
Please enter your secret passphrase: ****************************************************************
Please re-enter your secret passphrase: ****************************************************************
Please enter your second secret passphrase: ****************************************************************
Please re-enter your second secret passphrase: ****************************************************************

Via an environmental variable

If your passphrase is stored in an environmental variable, it is possible to specify the variable name using the –passphrase option. Please be aware that this approach is only available for passphrases, and not other kinds of sensitive inputs.

 lisk message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world' --passphrase env:PASSPHRASE

Via a file

If your passphrase is stored in a file, it is possible to specify the path using the –passphrase option, and Lisk Commander will read the passphrase from the first line. If other types of data are stored in a file, it is possible to specify the path using the –data option, and Lisk Commander will read the entire contents of the file.

 lisk message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 --data file:./secret_data.txt --passphrase file:./passphrase.txt

Via stdin

Lisk Commander will read a passphrase from the first line of stdin via the –passphrase option, or multiple lines for other sorts of data via the –data option. If stdin is specified as the source of both the passphrase and other additional data, then the passphrase is assumed to be the first line, and the data will follow. Please note that the actual use of echo with plaintext strings shown in the example below is not recommended:

 $ echo 'my secret passphrase on the first line\Followed by\nsome data that\nspans multiple lines' | lisk message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 --data stdin --passphrase stdin

Via a plaintext option

For convenience, Lisk Commander also supports providing a plaintext passphrase via the –passphrase option. This can be useful for prototyping or testing, (for example on the testnet). However, this should never be used when security is a concern. Please note that this approach is only available for passphrases, and not other kinds of sensitive inputs.

 lisk message:encrypt bba7e2e6a4639c431b68e31115a71ffefcb4e025a4d1656405dfdcd8384719e0 'Hello world' --passphrase 'pass:my secret passphrase'