blob: 939f3f5e8e64892d244a52b82e7416c03c2cbcf0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
#!/bin/sh
usage='Usage: crypt [-de] [-o output] [input]
Encrypt or decrypt input (default: stdin) to ouput (default: stdout),
using ssh rsa key.
Options:
-d action is decrypt (default: encrypt)
-e action is encrypt
-o output set ouput (default: stdout)'
key="$(mktemp)"
trap 'rm -f $key' EXIT
# Encrypt stdin to stdout.
encrypt() {
# Generate a random 256 bits one-time key, for symmetric aes encryption.
openssl rand 32 >"$key"
# Convert (only once) the ssh RSA public to PKCS8, for openssl.
[ -f ~/.ssh/id_rsa.pub.pkcs8 ] ||
ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8 >~/.ssh/id_rsa.pub.pkcs8
# Output the one-time key asymmetrically encrypted with the rsa pubkey.
openssl pkeyutl -encrypt -pubin -inkey ~/.ssh/id_rsa.pub.pkcs8 <"$key"
# Now encrypt stdin to stdout, using the clear otk.
openssl aes-256-cbc -pbkdf2 -pass "file:$key"
}
# Decrypt stdin to stdout.
decrypt() {
# Recover the aes key from the first 256 input bytes.
dd ibs=256 count=1 iflag=direct status=none |
openssl pkeyutl -decrypt -inkey ~/.ssh/id_rsa -out "$key"
# The remaining input is the payload, decrypt it with the aes key.
openssl aes-256-cbc -d -pbkdf2 -pass "file:$key"
}
cmd=encrypt
while getopts :deo: opt; do
case $opt in
d) cmd=decrypt ;;
e) cmd=encrypt ;;
o) exec 1>"$OPTARG" ;;
*) echo "$usage" >&2; exit 1 ;;
esac
done
shift $((OPTIND - 1))
[ "$1" ] && [ "$1" != "-" ] && exec 0<"$1"
"$cmd"
|
