How to Execute Bash Commands Without Storing in History for Privacy and Security



Every Linux administrator knows bash maintains command history in ~/.bash_history. While useful for productivity, this becomes problematic when:

  • Executing commands containing sensitive credentials
  • Running temporary diagnostic commands that clutter history
  • Working in shared environments where history gets audited

The simplest solution many don't know about:

 command_containing_secrets

Notice the leading space before the command. This only works if you set:

export HISTCONTROL=ignorespace

in your ~/.bashrc. With that setting, the leading space tells bash not to record the command.

For multiple sensitive commands:

set +o history
# Your private commands here
set -o history

This toggles history recording off/on without affecting other shell behavior.

If you forgot to prevent recording:

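history -d $(( $(history 1 | awk '{print $1}') - 1 ))

Deletes the previous command from the in-memory history list. history 1 returns the history -d line itself (assuming that line is recorded), so the entry to remove is one number lower. Combine with history -w to write changes immediately.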

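For sensitive operations, start a throwaway shell:

bash --norc --noprofile
# Startup files are skipped, but the default HISTFILE (~/.bash_history) still applies
unset HISTFILE
# Commands run here are not saved when the shell exits
exit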

For recurring sensitive patterns:

export HISTIGNORE="*secret*:*password*"

Add to ~/.bashrc to automatically filter matching commands.

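For remote sessions, combine techniques. A command passed to ssh runs in a non-interactive shell, which does not record history by default, so set +o history here is only a safeguard: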

ssh server.example.com 'bash -c "set +o history; mysql -uadmin -p$PASSWORD"'

For enterprise environments, configure /etc/profile with:

readonly HISTFILE
readonly HISTSIZE
readonly HISTFILESIZE
readonly HISTCONTROL
readonly HISTIGNORE

This prevents users from changing these variables in shells that read /etc/profile.


By default, Bash records every executed command in ~/.bash_history, which can pose security risks when handling sensitive operations or credentials. Here are common scenarios where you'd want to bypass history:

  • Running commands with passwords or API keys
  • Testing potentially destructive operations
  • Maintaining clean history for auditing

Method 1: Leading Space Trick

Bash ignores commands preceded by a space when HISTCONTROL includes ignorespace or ignoreboth:

# First verify your HISTCONTROL setting
echo $HISTCONTROL

# If not set, configure it:
export HISTCONTROL=ignorespace

# Then run commands with leading space:
 secret_command --api-key "12345"

Method 2: Disable History Temporarily

# Disable history for current session
set +o history

# Run your sensitive commands
export SECRET_KEY="value"
rm -rf /tmp/sensitive_data

# Re-enable history
set -o history

Method 3: History Substitution

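# Runs secret_command and discards its output. The line itself is still
# recorded unless history is off or the line starts with a space (Method 1)
: $(secret_command)

# ${secret_command} is parameter expansion: it expands a variable and runs nothing
: ${secret_command}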

Method 4: Direct History Manipulation

# Run command normally
dangerous_operation

# Then immediately delete that entry. history 1 is the history -d line
# itself, so the previous command is one number lower
history -d $(( $(history 1 | awk '{print $1}') - 1 ))

For persistent settings, add these to your ~/.bashrc:

# Always ignore space-prefixed commands
HISTCONTROL=ignoreboth

# Exclude specific commands from history
export HISTIGNORE="passwd*:mysql*:git_push*"
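
The sketch below is an added example, not code from the original page: it models bash's documented HISTCONTROL and HISTIGNORE rules so you can check which lines the settings above would actually keep out of history. The helper name would_record and the sample lines are constructed for illustration; the special '&' pattern and extglob are not modelled.

```sh
#!/bin/sh
# Added example (not from the original page): a model of bash's documented
# HISTCONTROL / HISTIGNORE rules. would_record is a hypothetical helper name.
# Usage: would_record LINE HISTCONTROL HISTIGNORE
would_record() {
    line=$1 histcontrol=$2 histignore=$3

    # HISTCONTROL is checked first; ignoreboth implies ignorespace.
    case ":$histcontrol:" in
        *:ignorespace:*|*:ignoreboth:*)
            case $line in
                ' '*) echo "skipped: leading space"; return 0 ;;
            esac ;;
    esac

    # HISTIGNORE is a colon-separated list of globs. Each is anchored at the
    # start of the line and must match the whole line (no implicit '*').
    old_ifs=$IFS; IFS=:
    set -f                          # do not expand patterns against files
    for pat in $histignore; do
        case $line in
            $pat) IFS=$old_ifs; set +f
                  echo "skipped: HISTIGNORE '$pat'"; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo "recorded"
}

# Constructed sample lines, evaluated with the ~/.bashrc values shown above.
while IFS= read -r cmd; do
    printf '%-52s %s\n' "[$cmd]" \
        "$(would_record "$cmd" ignoreboth 'passwd*:mysql*:git_push*')"
done <<'EOF'
mysql -uadmin -pS3cret
sudo mysql -uadmin -pS3cret
 curl -H "X-Api-Key: 12345" https://api.example.com
passwd alice
EOF
```

Because the patterns are anchored, "sudo mysql ..." is still recorded under 'mysql*', and the match is case-sensitive, so '*password*' does not catch a line containing DB_PASSWORD.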

For remote commands via SSH, use this pattern:

ssh user@host "set +o history; your_command"

Consider using shells with better privacy controls:

  • Zsh: setopt HIST_IGNORE_SPACE
  • Fish: Built-in session isolation