1

I am running Ubuntu on a Raspberry Pi 3.

I have a script that runs as root when Ubuntu boots. For that script to run correctly I need a password. In other words my script starts like:

    #!/bin/bash

    # get password from disk ($( ) captures the command's output)
    myPassword=$(cat /root/foo/psw.txt)
    ....
    ... etc

I have protected my password by running:

    sudo chown root:root /root/foo/psw.txt
    sudo chmod 700 /root/foo/psw.txt

Thanks to that command only the root user can read the file /root/foo/psw.txt.

But according to this question:

Does root ownership and exclusive access imply encryption?

that means that if someone were to take the SD card and read from the disk they will find the password in plain text!

So my question is how can I pass the password to my script securely so that if someone were to read from the SD card they will not find the password?

From reading and researching on the internet everyone says to not store the password.

So is the solution to download the password? If I download the password that means someone else can download the password. Let's say I download the password and it is encrypted. I will have to store another password to unencrypt that file and I will be left with another password.

Tono Nam
  • 135

1 Answer

0

I have a server A and my Raspberry Pi B. People have access to B but not to A. In other words server A is in the cloud whereas the Raspberry Pi is in an office building. These are the steps to solve the problem:

  1. Generate a public and private key on server A.

    ssh-keygen -t rsa -b 4096

  2. Install SSH on Raspberry Pi B and place the public key generated in step 1 (id_rsa.pub) into

    /root/.ssh/authorized_keys

    (note that authorized_keys is a file, NOT a directory, and it contains the public key)

  3. Permit ssh login ONLY using RSA on B

    PasswordAuthentication no
    RSAAuthentication yes
    AuthorizedKeysFile /root/.ssh/authorized_keys

  4. Now A can access B without storing any passwords on B

    ssh -i </path/to/privateKey> root@raspberryPiIpAddress

  5. So when B boots it will send a notification to A. A will then create a secure ssh connection into B. A will send the commands that need to be executed by B through ssh.

Tono Nam
  • 135
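
One way to carry out step 5 so that the password never reaches B's SD card or B's process list, as an added example that is not part of the original answer: A feeds the password to the SSH session on standard input. The `push_secret` helper, the secret file kept on A, and `/root/foo/start.sh` on B are assumed names.

```shell
#!/bin/bash
# Runs on server A after B's boot notification (step 5).
# Assumptions: the secret lives in a root-only file on A, and B's boot
# script is /root/foo/start.sh, changed to begin with
#     IFS= read -r myPassword
# instead of reading /root/foo/psw.txt.

SSH=${SSH:-ssh}                    # overridable so the flow can be dry-run
KEY=${KEY:-/path/to/privateKey}    # A's private key from step 1
B_COMMAND='exec /root/foo/start.sh'

# push_secret HOST SECRET_FILE [COMMAND]
# The secret travels on ssh's stdin: it is not in the ssh command line on A,
# not in argv on B, and nothing is written to B's disk.
push_secret() {
    local host="$1" secret_file="$2" cmd="${3:-$B_COMMAND}"

    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 2; }

    # Refuse a secret file on A that group or other can access.
    case $(ls -ln -- "$secret_file") in
        -???------*) ;;
        *) echo "$secret_file: permissions too open" >&2; return 3 ;;
    esac

    # BatchMode: fail instead of prompting, since this runs unattended.
    # StrictHostKeyChecking: refuse to send the secret to an unknown host key.
    "$SSH" -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "root@$host" "$cmd" < "$secret_file"
}

# Usage: ./push_secret.sh <raspberryPiIpAddress> <secret-file-on-A>
if [ "$#" -eq 2 ]; then
    push_secret "$1" "$2"
fi
```

B's host key has to be in A's `known_hosts` before the first run, otherwise `StrictHostKeyChecking=yes` makes the connection fail rather than send the password.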