Brain Phrye

code cooking diy fiction personal photos politics reviews tools 


SSH Crypt

For some reason a few weeks back I was wondering about using ssh keys to encrypt/decrypt files. Seems like a thing that should be possible, why not? And sure enough, it’s been done.

This won’t be as good as using gpg keys. Specifically without the web of trust it can be hit with MITM attacks, but I think it would be “good enough” for most people in most uses. And in my experience getting people to use gpg is like pulling teeth.

Taking Bjorn’s idea and making it a bit more script friendly I get this.

It generates a number of files however so in the end it might be an idea to make some sort of protobuf or JSON structure. The might be better since it’s easer to parse even if it will be a bit more verbose. Not sure.

Anyway, might play with this for the rest of the week.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
#!/bin/bash

file="$1"
user="$2"

password="$(openssl rand 32 | base64)"
openssl aes-256-cbc -in "$file" -out "$file.ssh-enc" -pass pass:"$password"
curl -sS https://github.com/lyda.keys \
  | grep ssh-rsa \
  | cat -n \
  | while read i p k; do
      openssl rsautl -encrypt -oaep -pubin \
          -inkey <(ssh-keygen -e -f <(echo "$p $k") -m PKCS8) \
          -in <(echo "$password") -out "$file.$user.$i.key-enc"
    done

exit

# Decryption:

for key in ssh-crypt.lyda.*; do openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in $key -out secret.key && break; done
openssl aes-256-cbc -d -in ssh-crypt.ssh-enc -out ssh-crypt.ssh-enc.decrypt -pass file:secret.key