13.3 Decrypting Data

The contents of confidential fields can be read using the -s (--password) command line option to recsel. When it is used, recsel tries to decrypt the encrypted fields of every selected record with the given password. If decryption succeeds, the output includes the unencrypted data; otherwise the ASCII-encoded encrypted data is emitted as-is.

If recsel is invoked interactively and no password is specified with -s, the user will be asked for a password in case one is needed. No echo of the password will appear on the screen. The provided password will be used to decrypt all confidential fields as if it had been specified with -s.

For example, consider the following database storing information about the user accounts of some online service. Each entry stores a login, a full name, an email address and a password. The password is declared as confidential:

%rec: Account
%key: Login
%confidential: Password

Login: foo
Name: Mr. Foo
Email: foo@foo.com
Password: encrypted-AAABBBCCCDDD

Login: bar
Name: Ms. Bar
Email: bar@bar.org
Password: encrypted-XXXYYYZZZUUU

If we use recsel to list the records of type Account without specifying a password, or if a wrong password is given in interactive mode, we get the following output, with the values still encrypted:

$ cat accounts.rec | recsel -t Account -p Login,Password
Login: foo
Password: encrypted-AAABBBCCCDDD

Login: bar
Password: encrypted-XXXYYYZZZUUU

If we specify a password and both entries were encrypted using that password, we would get the unencrypted values:

$ recsel -t Account -s secret -p Login,Password accounts.rec
Login: foo
Password: foosecret

Login: bar
Password: barsecret

As mentioned above, a confidential field may be encrypted with different passwords in different records (see Confidential Fields). For example, we may have an entry in our database with data about the account of the administrator of the online service. In that case we might want to encrypt that account's password with a different password than the one used for ordinary users. The output of the last command would then be:

$ recsel -t Account -s secret -p Login,Password accounts.rec
Login: foo
Password: foosecret

Login: bar
Password: barsecret

Login: admin
Password: encrypted-TTTVVVBBBNNN

We would need to invoke recsel with the password used to encrypt the admin entry in order to read it back unencrypted.
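The following Python helper is an added example, not part of the recutils manual or of recutils itself. It relies only on the "encrypted-" prefix shown above: run over a stored .rec file it reports confidential values that sit in the clear (inserted without a password); run over the output of recsel -s it reports records whose value did not decrypt, that is, records encrypted with a different password. ACCOUNTS_REC is a constructed sample, and single-line field values are assumed.

```python
# Constructed audit helper (not recutils code; single-line field values
# assumed). Encrypted values carry the "encrypted-" prefix recutils uses.
import re

ENC_PREFIX = "encrypted-"
FIELD_RE = re.compile(r"^(%?[A-Za-z][A-Za-z0-9_]*):\s?(.*)$")

def split_blocks(text):
    """Yield each blank-line-separated block as a list of (field, value)."""
    block = []
    for line in text.splitlines() + [""]:
        if not line.strip():
            if block:
                yield block
                block = []
        elif (m := FIELD_RE.match(line)):
            block.append(m.groups())

def audit_confidential(text, confidential=(), key_field=None):
    """Return [(key, field, still_encrypted)] per confidential value. Names come
    from the %confidential descriptor unless passed (recsel output has none)."""
    blocks = list(split_blocks(text))
    descriptor = blocks[0] if blocks and blocks[0][0][0].startswith("%") else []
    confidential = set(confidential)
    for name, value in descriptor:
        if name == "%confidential":
            confidential.update(value.split())
        elif name == "%key" and key_field is None:
            key_field = value.strip()
    report = []
    for block in blocks:
        if block is not descriptor:
            ident = dict(block).get(key_field, "?")
            report += [(ident, n, v.startswith(ENC_PREFIX))
                       for n, v in block if n in confidential]
    return report

# Constructed sample: the manual's "foo" account plus an admin record whose
# password was inserted without a password and so sits in the file in the clear.
ACCOUNTS_REC = """%rec: Account
%key: Login
%confidential: Password

Login: foo
Password: encrypted-AAABBBCCCDDD

Login: admin
Password: admin-in-clear
"""
```

On a stored file a False in the last column is the finding (a secret in the clear); on recsel -s output a True is (that record needs another password).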