dice wrote:

i still need to figure out how to treat file extensions in and out hence trying to use ${@%.*}" which will probably work in my shell as i think sh is linked to bash in devuan?

No, /bin/sh is linked to dash in Devuan. If you want to use bashisms then don't use a /bin/sh shebang. Fortunately though the ${parameter%word} expansion is POSIX compliant — see section 2.6.2 of the official specification.

dice wrote:

This uses secure-delete

Note that secure-delete is not guaranteed to completely delete files stored on a solid state device thanks to wear-levelling and  over-provisioning. TRIM can help with the former (eventually) but not the latter.

ok thanks.

I was reading the faq at cryptsetup gitlab today and mentioned something similar to ssd drives.

https://gitlab.com/cryptsetup/cryptsetu … dQuestions

i still need to figure out how to treat file extensions in and out hence trying to use ${@%.*}" which will probably work in my shell as i think sh is linked to bash in devuan?

No, /bin/sh is linked to dash in Devuan. If you want to use bashisms then don't use a /bin/sh shebang. Fortunately though the ${parameter%word} expansion is POSIX compliant — see section 2.6.2 of the official specification.

Note that secure-delete is not guaranteed to completely delete files stored on a solid state device thanks to wear-levelling and  over-provisioning. TRIM can help with the former (eventually) but not the latter.

This uses secure-delete so might be a bit slow for large files, could always replace it with rm -rf though.

#!/bin/sh

encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "$2".aes -pass file:"$3"
	srm -v "$2"
}

decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -pass file:"$3"

}

encrypt_dirs () {
	tar -cvzf "$2".tar.gz "$2" | openssl enc -aes256 -salt -pbkdf2 -iter 20000 -in "$2".tar.gz -out "$2".tar.gz.aes -pass file:"$3"
	srm -v "$2".tar.gz
}

decrypt_dirs () {
	openssl enc -d -aes256 -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -pass file:"$3"
	tar xvf "${2%.*}"
	srm -rv "${2%.*}"
}

usage () {
    cat <<EOM

Usage:
[-e]
enc.sh -e file passfile
encrypts file with chosen passfile and removes with secure delete the file leaving only the encrypted file.aes

[-d]
enc.sh -d file passfile
decrypts file.aes with chosen passfile

[-E]
enc.sh -E directory passfile
encrypts a directory to directory.tar.gz.aes with a chosen passfile and removes with secure delete the unencrypted directory.tar.gz leaving the directory.tar.gz.aes

[-D]
enc.sh -D directory passfile
decrypts directory to directory.tar.gz with chosen passfile and extracts directory.tar.gz in place then removes with secure delete the unencrypted directory.tar.gz leaving the encrypted directory.tar.gz.aes 

EOM
    exit 0
}

while getopts ":edEDh" opt; do
  case ${opt} in
	e ) encrypt_file "$@"
	;;
	d ) decrypt_file "$@"
	;;
	E ) encrypt_dirs "$@"
	;;
	D ) decrypt_dirs "$@"
	;;
	h ) usage
       ;;
       *)
       ;;
  esac
done

I was confused on the positional parameters for what i wanted to achieve.

Below is close to what i want but i still need to figure out how to treat file extensions in and out hence trying to use ${@%.*}" which will probably work in my shell as i think sh is linked to bash in devuan?

#!/bin/sh

encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "$2".aes -k "$3"
}

decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -k "$3"
}

while getopts ":ed" opt; do
  case ${opt} in
	e ) encrypt_file "$@"
	;;
	d ) decrypt_file "$@"
	;;
    *)
      ;;
  esac
done

edit: i think i figured out the file extension problem i was having.

decrypt will accept as the -in argument with any file type extension eg; .txt .mp3 etc.., the -out argument with -out "${2%.*}" will bring back the file to its original thus deleting the .aes extension given to it when it was encrypted.

@ Head on a stick, my thinking initially for 2 separate scripts was to establish how to get each one to function independantly of one another and then bring them both into one script?

This works

Not for me:

~$ ./dec foo keyfile                                   
./dec[7]: ${@%.*}": bad substitution
1~$

I am confused as to why you use $3 and $4 when there are only two parameters to be applied and also why you call $@ (which lists all of the positional parameters separated with spaces) three times

These lines in my shell configuration file[0] work for me:

enc () {
   openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1" -out "$1".aes -k "$2"
}

dec () {
   openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1".aes -out "$1" -k "$2"
}

Then call them with

enc foo keyfile
dec foo keyfile

No need for separate scripts.

[0] If you use bash as your default interactive shell then put the lines in ~/.bashrc.

If I recall correctly, openssl has a relatively small upper limit of file size it can encrypt. I think it was like 1MB in my very unscientific testing.
The main way people encrypt files in a Linux and filesystem context is with GPG: https://www.howtogeek.com/427982/how-to … -on-linux/

Thanks but i just encrypted a 70mb file with openssl no problem?

Im familiar with gpg. What i am trying to accomplish with openssl is to be able to use random keyfiles for different files and directories just for experimentation.

scenario is to say i have file foo on disk i want to encrypt with a keyfile using openssl all i want to type is the following in code snippet thus reducing keystrokes.

enc.sh foo keyfile

likewise i want to decrypt the same way

dec.sh foo keyfile

the encryption script:

#!/bin/sh
set -x
encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1" -out "$3".aes -k "$4"
}

encrypt_file "$@" "$@" "$@"

the decryption script

#!/bin/sh
set -x
decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1".aes -out "$3" -k "$4"
}

decrypt_file "$@" "${@%.*}" "$@"

This works but im wondering if this is the right way ?