The officially official Devuan Forum!


#1 2021-01-15 14:33:38

dice
Member
Registered: 2020-11-22
Posts: 346  

openssl file encryption scripts

This will probably show my lack of understanding, but here goes. I have two scripts, one for encryption and another for decryption.

The scenario is: say I have a file foo on disk that I want to encrypt with a keyfile using openssl. All I want to type is the following, thus reducing keystrokes:

enc.sh foo keyfile

Likewise, I want to decrypt the same way:

dec.sh foo keyfile

The encryption script:

#!/bin/sh
set -x
encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1" -out "$3".aes -k "$4"
}

encrypt_file "$@" "$@" "$@"

The decryption script:

#!/bin/sh
set -x
decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1".aes -out "$3" -k "$4"
}

decrypt_file "$@" "${@%.*}" "$@"

This works, but I'm wondering if this is the right way?

Last edited by dice (2021-01-15 14:35:51)


Do good things.  Share.  Be helpful.  Be decent.  Live large.


#2 2021-01-15 14:52:20

bgstack15
Member
Registered: 2018-02-04
Posts: 194  

Re: openssl file encryption scripts

If I recall correctly, openssl has a relatively small upper limit of file size it can encrypt. I think it was like 1MB in my very unscientific testing.
The main way people encrypt files in a Linux and filesystem context is with GPG: https://www.howtogeek.com/427982/how-to … -on-linux/


This space intentionally left blank.


#3 2021-01-15 15:15:52

dice
Member
Registered: 2020-11-22
Posts: 346  

Re: openssl file encryption scripts

bgstack15 wrote:

If I recall correctly, openssl has a relatively small upper limit of file size it can encrypt. I think it was like 1MB in my very unscientific testing.
The main way people encrypt files in a Linux and filesystem context is with GPG: https://www.howtogeek.com/427982/how-to … -on-linux/

Thanks, but I just encrypted a 70 MB file with openssl, no problem?

I'm familiar with gpg. What I am trying to accomplish with openssl is to be able to use random keyfiles for different files and directories, just for experimentation.

Last edited by dice (2021-01-15 15:16:09)


Do good things.  Share.  Be helpful.  Be decent.  Live large.


#4 2021-01-15 19:03:44

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,530  

Re: openssl file encryption scripts

dice wrote:

This works

Not for me:

~$ ./dec foo keyfile                                   
./dec[7]: ${@%.*}": bad substitution
1~$

I am confused as to why you use $3 and $4 when there are only two parameters to be applied and also why you call $@ (which lists all of the positional parameters separated with spaces) three times hmm

These lines in my shell configuration file[0] work for me:

enc () {
   openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1" -out "$1".aes -k "$2"
}

dec () {
   openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$1".aes -out "$1" -k "$2"
}

Then call them with

enc foo keyfile
dec foo keyfile

No need for separate scripts.

[0] If you use bash as your default interactive shell then put the lines in ~/.bashrc.

Last edited by Head_on_a_Stick (2021-01-15 19:05:09)


Black Lives Matter


#5 2021-01-15 23:44:34

dice
Member
Registered: 2020-11-22
Posts: 346  

Re: openssl file encryption scripts

I don't want to put it in bashrc, as these commands will be part of a larger script that also encrypts directories.

I was confused about the positional parameters for what I wanted to achieve.

Below is close to what I want, but I still need to figure out how to treat file extensions in and out, hence trying to use ${@%.*}", which will probably work in my shell as I think sh is linked to bash in Devuan?

#!/bin/sh

encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "$2".aes -k "$3"
}

decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -k "$3"
}

while getopts ":ed" opt; do
  case ${opt} in
	e ) encrypt_file "$@"
	;;
	d ) decrypt_file "$@"
	;;
    *)
      ;;
  esac
done

Edit: I think I figured out the file extension problem I was having.

decrypt will accept as the -in argument a file with any extension, e.g. .txt, .mp3, etc.; the -out argument with "${2%.*}" will bring the file back to its original name, thus removing the .aes extension given to it when it was encrypted.

@ Head on a stick, my thinking initially for 2 separate scripts was to establish how to get each one to function independently of one another and then bring them both into one script?

Last edited by dice (2021-01-16 03:03:53)


Do good things.  Share.  Be helpful.  Be decent.  Live large.


#6 2021-01-16 07:44:39

dice
Member
Registered: 2020-11-22
Posts: 346  

Re: openssl file encryption scripts

So here is the final script I have been working on. Usage is inside the script.

This uses secure-delete, so it might be a bit slow for large files; could always replace it with rm -rf though.

#!/bin/sh

# encrypt_file FILE PASSFILE: the plaintext is only removed if openssl
# succeeded, so a missing passfile cannot cost you the original
encrypt_file () {
	openssl enc -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "$2".aes -pass file:"$3" \
	&& srm -v "$2"
}

# decrypt_file FILE.aes PASSFILE: ${2%.*} is POSIX, strips the .aes
decrypt_file () {
	openssl enc -d -aes-256-cbc -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -pass file:"$3"
}

# encrypt_dirs DIR PASSFILE: tar must finish writing the archive before
# openssl reads it, so chain with && rather than a pipe (openssl reads
# from -in, not from stdin)
encrypt_dirs () {
	tar -cvzf "$2".tar.gz "$2" \
	&& openssl enc -aes256 -salt -pbkdf2 -iter 20000 -in "$2".tar.gz -out "$2".tar.gz.aes -pass file:"$3" \
	&& srm -v "$2".tar.gz
}

# decrypt_dirs DIR.tar.gz.aes PASSFILE: the .aes stays, the tarball goes
decrypt_dirs () {
	openssl enc -d -aes256 -salt -pbkdf2 -iter 20000 -in "$2" -out "${2%.*}" -pass file:"$3" \
	&& tar xvf "${2%.*}" \
	&& srm -rv "${2%.*}"
}

usage () {
    cat <<EOM

Usage:
[-e]
enc.sh -e file passfile
encrypts file with chosen passfile and removes with secure delete the file leaving only the encrypted file.aes

[-d]
enc.sh -d file passfile
decrypts file.aes with chosen passfile

[-E]
enc.sh -E directory passfile
encrypts a directory to directory.tar.gz.aes with a chosen passfile and removes with secure delete the unencrypted directory.tar.gz leaving the directory.tar.gz.aes

[-D]
enc.sh -D directory passfile
decrypts directory to directory.tar.gz with chosen passfile and extracts directory.tar.gz in place then removes with secure delete the unencrypted directory.tar.gz leaving the encrypted directory.tar.gz.aes

EOM
    exit 0
}

# no arguments at all: show the usage instead of silently doing nothing
[ $# -gt 0 ] || usage

# after getopts, $1 is the option, $2 the file/dir and $3 the passfile
while getopts ":edEDh" opt; do
  case ${opt} in
	e ) encrypt_file "$@" ;;
	d ) decrypt_file "$@" ;;
	E ) encrypt_dirs "$@" ;;
	D ) decrypt_dirs "$@" ;;
	h ) usage ;;
	* ) usage ;;
  esac
done

Last edited by dice (2021-01-16 08:05:06)


Do good things.  Share.  Be helpful.  Be decent.  Live large.


#7 2021-01-16 11:04:32

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,530  

Re: openssl file encryption scripts

dice wrote:

i still need to figure out how to treat file extensions in and out hence trying to use ${@%.*}" which will probably work in my shell as i think sh is linked to bash in devuan?

No, /bin/sh is linked to dash in Devuan. If you want to use bashisms then don't use a /bin/sh shebang. Fortunately though the ${parameter%word} expansion is POSIX compliant — see section 2.6.2 of the official specification.

dice wrote:

This uses secure-delete

Note that secure-delete is not guaranteed to completely delete files stored on a solid state device thanks to wear-levelling and over-provisioning. TRIM can help with the former (eventually) but not the latter.


Black Lives Matter
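An added example, written for this thread rather than taken from dice's enc.sh or Head_on_a_Stick's shell functions, that pulls together the points made in posts #4 to #7: getopts with plain positional parameters instead of passing "$@" three times, the passphrase read with -pass file: rather than -k (a -k value sits in argv, where ps can show it to other users), a refusal to overwrite existing output, and the POSIX ${parameter%word} expansion so it runs under dash as /bin/sh. It assumes openssl 1.1.1 or later for -pbkdf2; the helper names check_passfile, strip_aes and main are this example's own. It deliberately does not delete the plaintext; given the SSD caveat above, that decision is left to the caller.

```shell
#!/bin/sh
# Added example, not code from the thread. A POSIX sh wrapper around
# `openssl enc` in the shape of dice's enc.sh, with the checks a reviewer
# would ask for. Assumes openssl 1.1.1+ (for -pbkdf2) and a passfile that
# only the owner can read. The helper names (check_passfile, strip_aes,
# main) are this example's own, not from the thread.
set -u

ITER=20000   # PBKDF2 iterations, the same value the thread uses

# The passphrase comes from a file (-pass file:), never from -k on the
# command line, because argv is visible to every user via ps(1).
check_passfile () {
    if [ ! -f "$1" ]; then
        echo "passfile $1: not a regular file" >&2; return 1
    fi
    if [ ! -s "$1" ]; then
        echo "passfile $1: empty" >&2; return 1
    fi
    # POSIX find -perm: warn when group or others can read the passphrase
    if [ -n "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
        echo "warning: passfile $1 is readable by others (chmod 600 it)" >&2
    fi
    return 0
}

# ${parameter%word} is POSIX (XCU 2.6.2), so this works in dash as well as
# bash. Only a literal .aes suffix is stripped; foo.txt is rejected rather
# than guessed at, so a stray name can never be "decrypted" onto itself.
strip_aes () {
    case "$1" in
        *.aes) printf '%s\n' "${1%.aes}" ;;
        *)     echo "$1: does not end in .aes" >&2; return 1 ;;
    esac
}

# encrypt_file FILE PASSFILE -> FILE.aes, refusing to clobber an existing one
encrypt_file () {
    check_passfile "$2" || return 1
    if [ ! -f "$1" ]; then echo "$1: no such file" >&2; return 1; fi
    if [ -e "$1.aes" ]; then echo "$1.aes exists, not overwriting" >&2; return 1; fi
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$1.aes" -pass file:"$2"
}

# decrypt_file FILE.aes PASSFILE -> FILE. A wrong passphrase normally makes
# openssl fail with "bad decrypt"; the partial output it leaves is removed.
decrypt_file () {
    check_passfile "$2" || return 1
    out=$(strip_aes "$1") || return 1
    if [ -e "$out" ]; then echo "$out exists, not overwriting" >&2; return 1; fi
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
            -in "$1" -out "$out" -pass file:"$2"; then
        rm -f "$out"
        return 1
    fi
}

usage () {
    echo "usage: $0 -e FILE PASSFILE | -d FILE.aes PASSFILE" >&2
}

# getopts consumes the option; the two remaining positional parameters are
# the file and the passfile, so no "$@" "$@" "$@" juggling is needed.
main () {
    mode=
    while getopts "ed" opt; do
        case $opt in
            e|d) mode=$opt ;;
            *)   usage; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ -z "$mode" ] || [ $# -ne 2 ]; then usage; return 2; fi
    case $mode in
        e) encrypt_file "$1" "$2" ;;
        d) decrypt_file "$1" "$2" ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./enc.sh -e foo passfile` and `./enc.sh -d foo.aes passfile`; the decrypt side strips only a literal .aes, so foo.txt.aes comes back as foo.txt. One caveat that applies to every script in this thread: `openssl enc` in CBC mode gives confidentiality only, with no integrity check, so a .aes file that has been modified can decrypt to garbage without openssl reporting an error.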


#8 2021-01-16 11:24:38

dice
Member
Registered: 2020-11-22
Posts: 346  

Re: openssl file encryption scripts

Head_on_a_Stick wrote:
dice wrote:

i still need to figure out how to treat file extensions in and out hence trying to use ${@%.*}" which will probably work in my shell as i think sh is linked to bash in devuan?

No, /bin/sh is linked to dash in Devuan. If you want to use bashisms then don't use a /bin/sh shebang. Fortunately though the ${parameter%word} expansion is POSIX compliant — see section 2.6.2 of the official specification.

dice wrote:

This uses secure-delete

Note that secure-delete is not guaranteed to completely delete files stored on a solid state device thanks to wear-levelling and  over-provisioning. TRIM can help with the former (eventually) but not the latter.

OK, thanks.

I was reading the FAQ on the cryptsetup GitLab today and it mentioned something similar about SSD drives.

https://gitlab.com/cryptsetup/cryptsetu … dQuestions

Also note that SSDs and also some HDDs (SMR and hybrid HDDs, for
example) may not actually overwrite the header and only do that an
unspecified and possibly very long time later.  The only way to be sure
there is physical destruction.  If the situation permits, do both
overwrite and physical destruction.
If you have time, overwrite the whole drive with a single pass of random
data.  This is enough for most HDDs.  For SSDs or FLASH (USB sticks) or
SMR or hybrid drives, you may want to overwrite the whole drive several
times to be sure data is not retained.  This is possibly still insecure
as the respective technologies are not fully understood in this regard.
Still, due to the anti-forensic properties of the LUKS key-slots, a
single overwrite could be enough.  If in doubt, use physical destruction
in addition.  Here is a link to some current research results on erasing
SSDs and FLASH drives: https://www.usenix.org/events/fast11/te … rs/Wei.pdf


Do good things.  Share.  Be helpful.  Be decent.  Live large.

