0

Hi, I have a WinRAR batch file on a server. It is working perfectly. I want to be able to encrypt the password section of this file, if anyone can help me with this.

Either way is okay with me: a) encrypt the password section of the WinRAR command line, or b) encrypt the whole backup.bat file so that nothing in it is readable by others.

My batch file is this:

```
@ECHO OFF
ForFiles /p "G:\GoogleDrive\My Drive\my-Backup" /s /d -10 /c "cmd /c del @file"
rar a -r -v51G -phMYPASSWORD "G:\GoogleDrive\My Drive\my-Backup\server1-D-.rar" -agdd-MM-yyyy D:\
rar a -r -v51G -phMYPASSWORD "G:\GoogleDrive\My Drive\my-Backup\server1-C-.rar" -agdd-MM-yyyy C:\
```
danone
  • Maybe you'll find something [here](https://stackoverflow.com/questions/37046771/base64-encode-string-command-line-windows) – Gerhard Feb 25 '20 at 05:46

2 Answers

0

The way I've solved this problem is to download a bat-to-exe program called "Advanced bat to exe converter", and I use the command lines below. I also import all WinRAR program files into the program by using the "Embed Files" import function.

My exe file deletes everything more than 10 days old in Google Drive, then zips the C and D drives of the server and copies them to Google Drive encrypted with a password.

```
ForFiles /p "G:\My Drive\My-Backup-External" /s /d -10 /c "cmd /c del @file"
start /B /WAIT %MYFILES%\rar.exe -hppassword a -r -v51G "G:\My Drive\My-Backup-External\Mybackup-D-.rar" -agdd-MM-yyyy D:\
start /B %MYFILES%\rar.exe -hppassword a -r -v51G "G:\My Drive\My-Backup-External\Mybackup-C-.rar" -agdd-MM-yyyy C:\
```
danone
  • You could also have created a self-extracting RAR archive instead of using *Advanced bat to exe converter*, as the result would be exactly the same: an executable which extracts the files compressed into the self-extracting archive file to a temporary folder in `%TEMP%`, executes one of the files, and finally deletes the temporary folder with all files inside. So there is no real password security with your solution. There is just one more step necessary for everybody with access to the executable in comparison to the pure batch file solution. That's it. – Mofi Feb 25 '20 at 18:06
  • I checked temp since I executed my exe. There is only a WinRAR file in temp; there is no batch file there. This is the bat to exe website: https://www.battoexeconverter.com/ I did what you said; it is not even on screen while I execute the exe file. Is there something you are missing? – danone Feb 27 '20 at 02:49
  • I will not analyze how this "bat to exe converter" works in detail, but the executable must write the batch file to disk so that `cmd.exe` can interpret it line by line. It is impossible to run a batch file with the Windows command processor without having a file. The extracted batch file may have a different name (generic string) and the produced executable could execute `cmd.exe` in the background to make it more difficult for others to grab the batch file, but it is definitely written temporarily to hard disk. – Mofi Feb 27 '20 at 05:58
  • The folder `%TEMP%` could be cleaned up before executing an executable to more easily see the files and directories created temporarily by the executable. It is also possible to open a command prompt, execute `md C:\MyTemp` and `set TEMP=C:\MyTemp` and `set TMP=C:\MyTemp` and `cd /D C:\MyTemp` and next run the executable from within the command prompt window. But honestly, I would simply use [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) to find out what is going on in the file system and registry during execution of an executable. – Mofi Feb 27 '20 at 06:04
  • It is possible with Process Monitor to open the properties of a process like `rar.exe` and look at the command line used to start this process. So I would not really need to get access to the batch file to get knowledge about the password passed to `rar.exe` on starting it with the batch file currently used by you. [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) is another useful Sysinternals tool which can display the command line used to start a process and all the environment variables. So usage of the environment variable `RAR` would not help. – Mofi Feb 27 '20 at 06:10
  • Hi Mofi, thanks so much. Yes, I tracked down the file with Process Explorer: `C:\Users\Administrator\AppData\Local\Temp\ytmp\tmp6986.bat`. A secret bat is created, and yes, all the passwords that I use are there. Luckily it is under the administrator password, so no one can hack it. It is a terminal server, so no one other than the administrator has the right to install or execute anything. Is there any other solution, like taking my administrator password from AD or something? I need to use a password. – danone Feb 27 '20 at 13:31
  • I have some trouble understanding why it is a problem that the batch file is stored on your server with a readable password inside. Who has access to the server and who of this group or users has read access to the batch file? There is no problem with a password stored in a batch file if there is only one person (user account) which can read this batch file. For example, it is possible to create on a Windows machine a user account from the command line with a password which never expires or never changes. Then a scheduled task is configured to run a batch file with this special user account. – Mofi Feb 28 '20 at 12:02
  • The password of the special user account must be entered on saving the scheduled task, which Windows stores encrypted, as is also done for the user account on creating it with the password. The scheduled task runs the batch file which is stored together with `rar.exe` in a directory. The NTFS permissions for this directory and its two files are configured so that the owner is the special local account and only this special account can read files in this directory or modify the owner. All other accounts, including the accounts of the local administrators group, don't have access to this directory. – Mofi Feb 28 '20 at 12:07
  • The special user account is now the only account with access to the directory with the batch file and `rar.exe`, and only you, who created this account with the password, know the user account password. So nobody other than you and the scheduled task created by you with the special user account and the password entered by you and saved encrypted by Windows can read the batch file and its password. But it should also be configured that nobody other than you has access to the server during execution of the batch file, as otherwise the password used by `rar.exe` could be found out while `rar.exe` is running. – Mofi Feb 28 '20 at 12:12
  • Let me explain: only the administrator account has read and write access to the batch file. The administrator account has access to create a scheduled task or run it. I have never been hacked in any way, but I want to think of unthinkable things: that you have never been hacked in the last 15 years doesn't mean your administrator account is bulletproof. The whole argument is to make everything even more secure. If I were able to inject an MD5 password, I would have liked to do it, but unfortunately it is not possible. – danone Mar 03 '20 at 13:15
  • Okay, I understand the environment now. So my advice in my comments above is a good one. The local system account and the accounts of the local administrators group don't have access to the batch file containing the password and `rar.exe` used to create the archive; only a special user account has read and write access for these two files. Most hackers try to get the privileges of an account which belongs to the local administrators group to access all files, as is possible by default. But if the administrator accounts don't have access to these two files, the password is very safely stored in the batch file. – Mofi Mar 03 '20 at 17:12
0

As already said, you can't store a password in a secure way in a batch file.
Even if you convert it to an .exe it's trivial to recover the password.

If you don't trust the server security it's a bad idea to use a password at all.

But you can solve it easily in an absolutely secure way.

Use asymmetric encryption

Create your backup with rar, but without a password.

Asymmetrically encrypt the rar with openssl

```
openssl rsautl -encrypt -pubin -inkey public.key -in backup.rar -out backup.rar.enc
```

With the public.key it's not possible to decrypt the backup.rar.enc.

To decrypt, you need the private.key (obviously not stored on the server).

```
openssl rsautl -decrypt -inkey private.key -in backup.rar.enc -out backup.rar
```
jeb
  • "Even if you convert it to an .exe it's trivial to recover the password." Could you tell me how? I checked temp since I executed my exe. There is only a WinRAR file in temp; there is no batch file there. This is the bat to exe website: https://www.battoexeconverter.com/ – danone Feb 27 '20 at 02:48
  • "If you don't trust the server security it's a bad idea to use a password at all." I have no problem whatsoever with server security. None of my servers has ever been hacked. I want to encrypt the files because I am sending them to the cloud. The solution you gave me is not what I like, because I might need the file (public.key) 5-10 years later when I need these backups. Who knows where it will be; it is very risky. I prefer a long password combination, and this password will be known by the person you most trust, so that in case you are dead your customers' data can still be accessible. – danone Feb 27 '20 at 03:13
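
Added example, not part of jeb's answer or the comments above: `openssl rsautl` can only encrypt input smaller than the RSA modulus (about 245 bytes with a 2048-bit key), so a multi-gigabyte archive needs hybrid encryption, where a random one-time secret encrypts the file and only that secret is encrypted with `public.key`. The batch file assumes OpenSSL 1.1.1 or later on the PATH; the file names `backup.rar`, `backup.rar.enc` and `backup.rar.key.enc` and the temporary `session-*.key` file are assumptions.

```batch
@echo off
rem Added example (not from the original page). File names are assumptions.
rem Only public.key is on the server, so nothing stored here can decrypt
rem an uploaded backup; the one-time secret exists only while this runs.
setlocal
set "ARCHIVE=backup.rar"
set "PUBKEY=public.key"
set "SESSION=%TEMP%\session-%RANDOM%%RANDOM%.key"

rem 1. One-time 256-bit secret, hex encoded (64 characters).
openssl rand -hex 32 > "%SESSION%"
if errorlevel 1 goto :fail

rem 2. Encrypt the archive with AES-256, key derived from the secret.
rem    openssl enc gives confidentiality only, no integrity check.
openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:%SESSION%" -in "%ARCHIVE%" -out "%ARCHIVE%.enc"
if errorlevel 1 goto :fail

rem 3. Wrap the secret with the RSA public key (OAEP padding).
rem    The 65-byte secret file fits well within a 2048-bit RSA block.
openssl pkeyutl -encrypt -pubin -inkey "%PUBKEY%" -pkeyopt rsa_padding_mode:oaep -in "%SESSION%" -out "%ARCHIVE%.key.enc"
if errorlevel 1 goto :fail

rem 4. Remove the plaintext secret; upload both .enc files together.
del /q "%SESSION%"
exit /b 0

:fail
echo Encryption failed, "%ARCHIVE%" was left unencrypted. 1>&2
if exist "%SESSION%" del /q "%SESSION%"
if exist "%ARCHIVE%.enc" del /q "%ARCHIVE%.enc"
if exist "%ARCHIVE%.key.enc" del /q "%ARCHIVE%.key.enc"
exit /b 1
```

To restore on the machine that holds `private.key`, first run `openssl pkeyutl -decrypt -inkey private.key -pkeyopt rsa_padding_mode:oaep -in backup.rar.key.enc -out session.key`, then `openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key -in backup.rar.enc -out backup.rar`.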