Securely share dynamic secrets between Linux computers

I needed to set up password-less ssh access between a cluster of AWS Linux computers via CloudFormation. Although ssh-copy-id was designed to help with this, it presumes you can already log in with a password, which complicates design-time scripting like CloudFormation.

Here was the solution I came up with (using a generic example of a random secret file):

On the first server:

CURLIO=$( ( gpg --cipher-algo AES256 --symmetric --yes --batch --passphrase="${PRIVATEPASSWORD}" "${PRIVATEFILE}" && curl -F "file=@${PRIVATEFILE}.gpg" "${PUBLICCURLIOTOKEN}" ) 2>&1 | grep '^https' )

test -n "${CURLIO}" && curl -s "${PUBLICTOKEN}&url=${CURLIO}" > /dev/null && rm "${PRIVATEFILE}.gpg"

On the other server(s):

curl -s "$( curl -s "${PUBLICTOKEN}" | grep -o 'https[^"]*' | head -n 1 )" | gpg --quiet --no-use-agent --yes --batch --passphrase="${PRIVATEPASSWORD}" -o "${PRIVATEFILE}"


  1. This is obviously best for sharing dynamic secrets that aren't known ahead of time when writing the CloudFormation template (like ssh keys generated at first boot). Static secrets could simply be hard-coded into the CloudFormation template directly.
  2. You'll want to protect your CloudFormation template, since the gpg passphrase is hard-coded in it: anyone who can read the template can decrypt anything shared this way, and that passphrase is the only thing standing between the uploaded file and whoever finds its URL.
  3. When you set PRIVATEPASSWORD interactively, put a space in front of the assignment so bash doesn't save it in its history (this only works when HISTCONTROL contains ignorespace or ignoreboth). Feel free to avoid the environment variable altogether and just insert the password into the commands where referenced. Either way the passphrase ends up on the gpg command line, where other local users can read it with ps; feed it through --passphrase-fd instead if that matters on your hosts. On gpg 2.1 or later, --no-use-agent is ignored and --passphrase only works together with --pinentry-mode loopback.
  4. PUBLICCURLIOTOKEN is the upload URL for a randomly generated token; the file-drop service creates one when you visit its homepage (it's the part right after "send/" in the example snippet there). Feel free to use the one in my example above; I don't think it ever expires.
  5. For PUBLICTOKEN I recommend using the GUID from
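
Putting the two halves together as one script, as an added example that is not the page's own code: it keeps the same encrypt/upload/publish and fetch/download/decrypt flow, but quotes every expansion, checks exit statuses, feeds gpg the passphrase on a file descriptor instead of the command line, probes for the --pinentry-mode loopback option that gpg 2.1 and later require, and refuses to download from any host other than the expected one. PUBLICCURLIOTOKEN and PUBLICTOKEN mean what they mean in the commands above; CURLIO_HOST (the host the download URL must be on), the function names, and the assumption that both services accept the same requests as the commands above are my additions, not the page's.

```bash
#!/usr/bin/env bash
# Added example (not code from the original page). Assumed, not from the page:
# CURLIO_HOST is the host the fetched download URL must be on, and the two web
# services accept the same requests the page's one-liners send them.

# gpg options that work on gpg 1.4/2.0 and on gpg 2.1 or later alike:
# 2.1+ only honours --passphrase-fd under --pinentry-mode loopback, while older
# versions reject that option outright, so probe for it once per call.
gpg_base_opts() {
    local opts="--batch --yes --quiet --passphrase-fd 0"
    if gpg --pinentry-mode loopback --version >/dev/null 2>&1; then
        opts="$opts --pinentry-mode loopback"
    fi
    printf '%s' "$opts"
}

# encrypt_secret PLAINTEXT CIPHERTEXT PASSPHRASE
# printf is a shell builtin, so the passphrase never appears in any argv.
# $(gpg_base_opts) is deliberately unquoted so it word-splits into options.
encrypt_secret() {
    printf '%s\n' "$3" | gpg $(gpg_base_opts) --symmetric --cipher-algo AES256 -o "$2" "$1"
}

# decrypt_secret CIPHERTEXT PLAINTEXT PASSPHRASE
# Runs under umask 077 so a recovered ssh key is created 0600.
decrypt_secret() {
    ( umask 077; printf '%s\n' "$3" | gpg $(gpg_base_opts) --decrypt -o "$2" "$1" )
}

# extract_first_https_url: first https URL in the token service's response on
# stdin (the page's grep/head/sed pipeline as one step); stops at a quote or space.
extract_first_https_url() {
    grep -o 'https[^"[:space:]]*' | head -n 1
}

# url_on_host URL HOST: succeed only if URL is an https URL on exactly HOST.
# Anyone who knows PUBLICTOKEN can overwrite the published pointer, so the
# receiving side must not curl wherever the pointer happens to send it.
url_on_host() {
    case "$1" in
        "https://$2/"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# --- the two web services (real network; not exercised offline) ---

# upload_ciphertext FILE: POST FILE to the upload URL, print the download URL.
upload_ciphertext() {
    curl -fsS -F "file=@$1" "${PUBLICCURLIOTOKEN:?}" 2>&1 | grep -o '^https[^[:space:]]*' | head -n 1
}

# publish_url URL: store URL under PUBLICTOKEN (url= parameter, URL-encoded).
publish_url() {
    curl -fsS -G --data-urlencode "url=$1" "${PUBLICTOKEN:?}" >/dev/null
}

# fetch_published_url: print the URL currently stored under PUBLICTOKEN.
fetch_published_url() {
    curl -fsS "${PUBLICTOKEN:?}" | extract_first_https_url
}

# share_secret PLAINTEXT PASSPHRASE  (run on the first server)
share_secret() {
    local ct="$1.gpg" url
    encrypt_secret "$1" "$ct" "$2" || return 1
    url=$(upload_ciphertext "$ct")
    rm -f "$ct"                      # ciphertext is only needed for the upload
    [ -n "$url" ] && publish_url "$url"
}

# receive_secret PLAINTEXT PASSPHRASE  (run on every other server)
receive_secret() {
    local url rc
    url=$(fetch_published_url)
    url_on_host "$url" "${CURLIO_HOST:?}" || { echo "refusing to fetch: $url" >&2; return 1; }
    curl -fsS -o "$1.gpg" "$url" || return 1
    decrypt_secret "$1.gpg" "$1" "$2"; rc=$?
    rm -f "$1.gpg"
    return $rc
}
```

Use it as share_secret /root/.ssh/id_rsa "$PRIVATEPASSWORD" on the first server and receive_secret /root/.ssh/id_rsa "$PRIVATEPASSWORD" on the others, with PUBLICCURLIOTOKEN, PUBLICTOKEN and CURLIO_HOST exported beforehand. The host check is the security-relevant addition: PUBLICTOKEN is the only thing controlling who can rewrite the published URL, so a receiver that blindly curls whatever it finds there can be pointed at an attacker's server. A wrong or missing passphrase simply makes gpg fail, so a tampered download never yields a bogus key file, but the host check stops the fetch before any of that happens.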



Topic revision: r2 - 2016.02.08 - PaulReiber
Copyright © is by author. All material on this collaboration platform is the property of its contributing author.