
This tool looks really easy to use. So easy that it's likely to be used by people who aren't very security-savvy. Of course it would be overkill to try to educate everybody about everything, but I think it would be prudent for the README to mention the risk of passwords showing up in ps output.


Can you provide an example of this? How would the password show up in ps output?


. ./encpass.sh

password=$(get_password)

watch whatever.sh --pass=$password & # I'm using encpass.sh - security is magic pixie dust, therefore password is secured!

ps f # oh look, there's "watch whatever.sh --pass=hunter2"


I see, so basically if you invoke another process from within the script in which you are using the decrypted password AND you pass the decrypted password to that process, then it would be visible to ps. That makes sense, as you are passing the decrypted password as an argument to the other process. This is similar to doing something like...

echo "password" | whatever.sh

To prevent this from happening the other process should just source encpass.sh directly. I think it is probably worth mentioning this in the README as I could see someone doing that inadvertently. Thanks for the example.


Echo is a builtin; you won't see that in the process list (not sure this method doesn't have a different weakness).


Yes, that's true. It would show up in your command history though. Even though it's probably not readable by anyone else except root, it's still probably not a good idea to have it persisted to disk.


If it's inside a script, it won't go into command history, either.


Yeah, I was just giving an example of passing it into a script. Similarly, if encpass.sh is included in the whatever.sh script, the password won't show up in ps.
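The leak shown in the thread (secret in argv, visible to ps) and the two argv-free ways of handing a secret to a child, as an added example that is not part of encpass.sh or of any comment above; whatever.sh is stood in for by a short `sh -c` command, and the secret is a constructed demo value:

```shell
#!/bin/sh
# Added example, not from encpass.sh or the thread: shows why a secret handed
# to a child as an argument is readable through the process table, and two
# ways to hand it over that keep it out of argv.
SECRET='hunter2-demo-only'   # constructed value, not a real credential

# Print the command line of a running process (the same thing `ps` shows).
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"      # non-Linux fallback
    fi
}

# Start a stand-in for whatever.sh in the background, give it a moment to
# exec, and report "exposed" or "hidden" depending on whether SECRET appears
# in its argv. $1 selects how the secret is passed: argv, stdin or env.
exposure_via() {
    case "$1" in
        argv)   # the pattern the thread warns against
            sh -c 'sleep 2; exit 0' whatever.sh --pass="$SECRET" &
            ;;
        stdin)  # child reads the secret from its standard input
            printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 2; exit 0' whatever.sh &
            ;;
        env)    # not in argv, but see the caveat below
            PASS="$SECRET" sh -c 'sleep 2; exit 0' whatever.sh &
            ;;
        *)  echo "unknown mode: $1" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1                      # let the fork finish exec'ing before we look
    if argv_of "$pid" | grep -q -- "$SECRET"; then
        echo exposed
    else
        echo hidden
    fi
    wait "$pid"
}

# Caveat: an environment variable stays out of argv, but the same user and
# root can still read it from /proc/<pid>/environ, so stdin (or sourcing
# encpass.sh inside the child, as the thread suggests) is the stronger option.
for mode in argv stdin env; do
    printf '%-5s -> %s\n' "$mode" "$(exposure_via "$mode")"
done
```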
