diff options
Diffstat (limited to 'bin/crypt')
| -rwxr-xr-x | bin/crypt | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/bin/crypt b/bin/crypt new file mode 100755 index 0000000..01e7a31 --- /dev/null +++ b/bin/crypt @@ -0,0 +1,36 @@ +#!/bin/sh + +# (de)crypt using ssh rsa key. ed25519 not supported. + +tmp="/tmp/enc-$$" +mkdir -p "$tmp" +trap 'rm -rf $tmp' INT TERM EXIT + +# Encrypt stdin to stdout. +encrypt() { + # Generate a random 256 bits one-time key, for symmetric aes encryption. + openssl rand 32 >"$tmp/key" + + # Output the one-time key asymmetrically encrypted with the rsa pubkey. + ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8 >"$tmp/pk" + openssl pkeyutl -encrypt -pubin -inkey "$tmp/pk" <"$tmp/key" + + # Now encrypt stdin to stdout, using the clear otk. + openssl aes-256-cbc -pbkdf2 -pass "file:$tmp/key" +} + +# Decrypt stdin to stdout. +decrypt() { + # The first 256 input bytes contains the one time key to be decrypted + # with the private rsa key. + dd ibs=256 count=1 iflag=direct | + openssl pkeyutl -decrypt -inkey ~/.ssh/id_rsa -out "$tmp/key" + + # The remaining input is the payload decrypted with the aes key. + openssl aes-256-cbc -d -pbkdf2 -pass "file:$tmp/key" +} + +cmd=encrypt +[ "$1" = "-d" ] && cmd=decrypt && shift +[ "$1" ] && exec 0<"$1" +"$cmd" |