SimpleCommandLineEncryption

18th December 2016 at 6:47pm
TechnicalNotes

If you've ever needed basic command line encryption that is likely to work on most Linux shells, then you may have been looking for the old trusty openssl command.

Sure, there are many other tools out there, and many of them may be better suited, but openssl is likely to be installed on pretty much every Linux host you'll meet, and often most *NIX hosts too.

OpenSSL isn't just for x509 certificates.

Here is a skull text file that I want to encrypt with a simple passphrase:

nicolaw@linux:~$ cat skull
                 uuuuuuu
             uu$$$$$$$$$$$uu
          uu$$$$$$$$$$$$$$$$$uu
         u$$$$$$$$$$$$$$$$$$$$$u
        u$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$"   "$$$"   "$$$$$$u
       "$$$$"      u$u       $$$$"
        $$$u       u$u       u$$$
        $$$u      u$$$u      u$$$
         "$$$$uu$$$   $$$uu$$$$"
          "$$$$$$$"   "$$$$$$$"
            u$$$$$$$u$$$$$$$u
             u$"$"$"$"$"$"$u
  uuu        $$u$ $ $ $ $u$$       uuu
 u$$$$        $$$$$u$u$u$$$       u$$$$
  $$$$$uu      "$$$$$$$$$"     uu$$$$$$
u$$$$$$$$$$$uu    """""    uuuu$$$$$$$$$$
$$$$"""$$$$$$$$$$uuu   uu$$$$$$$$$"""$$$"
 """      ""$$$$$$$$$$$uu ""$"""
           uuuu ""$$$$$$$$$$uuu
  u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
  $$$$$$$$$$""""           ""$$$$$$$$$$$"
   "$$$$$"                      ""$$$$""
     $$$"                         $$$$"

I can encrypt and base64 encode it like so:

nicolaw@linux:~$ openssl enc -aes-256-cbc -e -a -in skull -out skull.enc.b64
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
nicolaw@linux:~$ cat skull.enc.b64

And decrypt it thus:

nicolaw@linux:~$ openssl enc -aes-256-cbc -d -a -in skull.enc.b64
enter aes-256-cbc decryption password:
                 uuuuuuu
             uu$$$$$$$$$$$uu
          uu$$$$$$$$$$$$$$$$$uu
         u$$$$$$$$$$$$$$$$$$$$$u
        u$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$$$$$$$$$$$$$$$$$$$$u
       u$$$$$$"   "$$$"   "$$$$$$u
       "$$$$"      u$u       $$$$"
        $$$u       u$u       u$$$
        $$$u      u$$$u      u$$$
         "$$$$uu$$$   $$$uu$$$$"
          "$$$$$$$"   "$$$$$$$"
            u$$$$$$$u$$$$$$$u
             u$"$"$"$"$"$"$u
  uuu        $$u$ $ $ $ $u$$       uuu
 u$$$$        $$$$$u$u$u$$$       u$$$$
  $$$$$uu      "$$$$$$$$$"     uu$$$$$$
u$$$$$$$$$$$uu    """""    uuuu$$$$$$$$$$
$$$$"""$$$$$$$$$$uuu   uu$$$$$$$$$"""$$$"
 """      ""$$$$$$$$$$$uu ""$"""
           uuuu ""$$$$$$$$$$uuu
  u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
  $$$$$$$$$$""""           ""$$$$$$$$$$$"
   "$$$$$"                      ""$$$$""
     $$$"                         $$$$"
nicolaw@linux:~$

The -a argument (which performs an automatic base64 encode or decode) is of course optional, but is almost certainly what you want if you're going to consider embedding any encrypted data in shell scripts.

nicolaw@linux:~$ openssl enc -aes-256-cbc -e -in skull -a > skull.enc.b64
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
nicolaw@linux:~$ openssl enc -aes-256-cbc -e -in skull > skull.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
nicolaw@linux:~$ ls -al *skull*
-rw-rw-r-- 1 nicolaw nicolaw  917 Dec 18 18:28 skull
-rw-rw-r-- 1 nicolaw nicolaw  944 Dec 18 18:41 skull.enc
-rw-rw-r-- 1 nicolaw nicolaw 1280 Dec 18 18:39 skull.enc.b64
nicolaw@linux:~$
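
The sizes in that listing follow from the layout openssl enc writes when salting is on (the default): an 8-byte Salted__ marker, an 8-byte salt, then the PKCS#7-padded ciphertext, with -a wrapping the base64 text at 64 characters per line. The Python below is an added example, not part of the original note; it reproduces the 944 and 1280 byte figures and reports whether a given file needs -a to decrypt. The function names are illustrative and the sample blob is constructed filler, not real ciphertext.

```python
import base64

MAGIC = b"Salted__"   # 8-byte marker openssl enc writes before the salt
BLOCK = 16            # AES block size in bytes
B64_LINE = 64         # openssl enc -a wraps base64 at 64 characters


def raw_size(plain_len):
    """Size of salted `openssl enc -aes-256-cbc` output for plain_len bytes."""
    # PKCS#7 padding always adds 1..16 bytes, so round up past the input.
    padded = (plain_len // BLOCK + 1) * BLOCK
    return len(MAGIC) + 8 + padded          # magic + 8-byte salt + ciphertext


def b64_size(raw_len):
    """Size of the same output with -a: base64 text plus one newline per line."""
    chars = -(-raw_len // 3) * 4            # ceil(raw_len / 3) * 4
    lines = -(-chars // B64_LINE)           # ceil(chars / 64)
    return chars + lines


def inspect(blob):
    """Classify a blob as raw or base64 openssl enc output and pull the salt."""
    encoding = "raw"
    if not blob.startswith(MAGIC):
        try:
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            return None
        encoding = "base64"
    body = blob[len(MAGIC) + 8:]
    if not blob.startswith(MAGIC) or not body or len(body) % BLOCK:
        return None                         # not salted openssl enc output
    return {"encoding": encoding, "needs_a_flag": encoding == "base64",
            "salt": blob[8:16].hex(), "ciphertext_len": len(body)}


# Constructed sample: correct layout, filler bytes in place of real ciphertext.
SAMPLE_RAW = MAGIC + bytes(range(8)) + b"\xaa" * 928
SAMPLE_B64 = base64.encodebytes(SAMPLE_RAW)   # wraps at 76; inspect() ignores it

if __name__ == "__main__":
    print(raw_size(917), b64_size(raw_size(917)))   # sizes of skull.enc, skull.enc.b64
    print(inspect(SAMPLE_RAW))
    print(inspect(SAMPLE_B64))
```

A file that inspect() reports as base64 will fail to decrypt unless -a is passed to the -d command as well.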

Other related tools that you might wish to Google for are: gnupg, bcrypt, ccrypt, zip and 7zip.