We're usually careful not to store secrets in places easily accessible to others. We even do chmod 600 on our keys in ~/.ssh to prevent other users from reading them. There's one place, however, that we often forget to be careful about: our shell history files. Luckily, there are ways to prevent commands that set or use secrets from entering our shell history. The following are instructions for how to go "incognito" for individual commands and prevent them from being logged in our shell history files.
Zsh
zsh has an option that's perfect for this: HIST_IGNORE_SPACE. It even keeps the command around in-memory so you can execute it again if you need to while never writing it to disk.
The manpage has this to say about the option:
HIST_IGNORE_SPACE (-g)
Remove command lines from the history list when the first character
on the line is a space, or when one of the expanded aliases
contains a leading space. Only normal aliases (not global or
suffix aliases) have this behaviour. Note that the command lingers
in the internal history until the next command is entered before it
vanishes, allowing you to briefly reuse or edit the line. If you
want to make it vanish right away without entering another command,
type a space and press return.
To begin using this you can call setopt HIST_IGNORE_SPACE in your shell. To have this enabled by default for your shell you can add it to ~/.zshrc.
You can see this option and more using man zshoptions.
Bash
bash also has an option for this: HISTCONTROL. Here's the manpage entry for that option:
HISTCONTROL
A colon-separated list of values controlling how commands are saved
on the history list. If the list of values includes ignorespace,
lines which begin with a space character are not saved in the
history list. A value of ignoredups causes lines matching the
previous history entry to not be saved. A value of ignoreboth is
shorthand for ignorespace and ignoredups. A value of erasedups
causes all previous lines matching the current line to be removed
from the history list before that line is saved. Any value not in
the above list is ignored. If HISTCONTROL is unset, or does not
include a valid value, all lines read by the shell parser are saved
on the history list, subject to the value of HISTIGNORE. The
second and subsequent lines of a multi-line compound command are
not tested, and are added to the history regardless of the value of
HISTCONTROL.
You should check what the current value for HISTCONTROL is using echo $HISTCONTROL. You can keep the current value or modify it to your liking and add it to your ~/.bash_profile using export HISTCONTROL=ignorespace.
Note that there are other possible values for this and you should read the manpage entry above (or man bash) for more details.
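Setting HISTCONTROL=ignorespace outright replaces whatever was there before (for example ignoredups or erasedups). The following is an added example, not part of the original post, that merges ignorespace into the existing colon-separated value instead; the function names are hypothetical, and only HISTCONTROL and its values come from bash.

```bash
# Added example: function names are hypothetical helpers, not bash built-ins.

# Return 0 if the colon-separated HISTCONTROL value in $1 already hides
# space-prefixed lines (ignorespace, or its shorthand ignoreboth).
histcontrol_ignores_space() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print $1 with ignorespace added, keeping existing values such as erasedups.
histcontrol_with_ignorespace() {
    if histcontrol_ignores_space "$1"; then
        printf '%s\n' "$1"                 # already covered, leave untouched
    elif [ -z "$1" ]; then
        printf '%s\n' "ignorespace"        # unset or empty
    else
        printf '%s\n' "$1:ignorespace"     # append to the existing list
    fi
}

# Return 0 if command line $2 would be kept out of history under the
# HISTCONTROL value $1. Only the ignorespace rule is modelled here;
# ignoredups, erasedups and HISTIGNORE are not.
line_skipped_by_ignorespace() {
    histcontrol_ignores_space "$1" || return 1
    case "$2" in
        ' '*) return 0 ;;                  # first character is a space
        *) return 1 ;;
    esac
}

# In a bash startup file: extend the current value rather than overwrite it.
HISTCONTROL=$(histcontrol_with_ignorespace "${HISTCONTROL:-}")
export HISTCONTROL
```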