bash script to encrypt data using a user's ssh public key https://sshenc.sh


  1. #!/bin/bash
  2. OPTIND=1 # reset in case getopts has been used previously in the shell.
  3. me=sshenc.sh
# Print usage and examples on stdout. $me (the script name) is set at the top
# of the file; the ~ in the examples is literal text, not expanded.
show_help() {
  printf '%s\n' \
    "usage: $me [-p <public ssh key> | -s <private ssh key>] [-h]" \
    "examples:" \
    "- encrypt a file" \
    "$me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt" \
    "- decrypt a file" \
    "$me -s ~/.ssh/id_rsa < encrypted.txt" \
    "$me home page: https://sshenc.sh/"
}
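# EXIT trap: remove the scratch directory that holds the data key and the
# wrapped/unwrapped key files. Guarded so an unset or empty temp_dir (mktemp
# failed before the trap was armed) is a no-op instead of an rm error.
# NOTE: plain rm does not scrub the key bytes from the underlying storage.
cleanup() {
  if [[ -n "${temp_dir:-}" ]]; then
    rm -rf -- "$temp_dir"
  fi
}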
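# Option parsing: every -p adds one recipient public key (repeatable),
# -s names the private key used for decryption.
while getopts "h?p:s:" opt; do
  case "$opt" in
    h|\?)
      show_help
      exit 0
      ;;
    p) public_key+=("$OPTARG") ;;
    s) private_key=$OPTARG ;;
  esac
done
shift $((OPTIND - 1))
[ "$1" = "--" ] && shift

# All key material lives in a private mktemp directory that the EXIT trap
# removes. Abort if it cannot be created instead of continuing with an empty
# path; arm the trap before creating the files inside it.
temp_dir="$(mktemp -d -t "$me.XXXXXX")" || { printf '%s\n' "$me: could not create temporary directory" >&2; exit 1; }
trap cleanup EXIT
temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")" || exit 1
temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")" || exit 1

#encrypt
if (( ${#public_key[@]} > 0 )); then
  # Data key as a hex string. `openssl enc -pass file:` treats the file as a
  # text password and uses only its first line, so raw random bytes (which may
  # contain 0x0a or 0x00) would be silently truncated; hex output never is.
  # Existing files still decrypt: the unwrapped key is read the same way.
  openssl rand -hex 32 > "$temp_file_key" || { printf '%s\n' "$me: could not generate data key" >&2; exit 1; }

  # Wrap the data key for each recipient, buffering the "-- key" blocks so that
  # nothing is written to stdout unless at least one recipient can decrypt.
  wrapped_keys=""
  wrapped_count=0
  for pubkey in "${public_key[@]}"; do
    if [[ ! -e "$pubkey" ]]; then
      printf '%s\n' "$me: public key not found: $pubkey" >&2
      continue
    fi
    # openssl needs the recipient key in PKCS#8 PEM form; ssh-keygen converts
    # it. Only RSA keys work here, since the data key is RSA-encrypted.
    converted_pubkey="$temp_dir/$(basename "$pubkey").pem"
    wrapped_key="$temp_dir/$(basename "$pubkey").key.enc"
    if ! ssh-keygen -f "$pubkey" -e -m PKCS8 > "$converted_pubkey"; then
      printf '%s\n' "$me: could not convert public key: $pubkey" >&2
      continue
    fi
    # rsautl defaults to PKCS#1 v1.5 padding and is deprecated in OpenSSL 3
    # (pkeyutl); changing either would break decryption of existing files.
    if openssl rsautl -encrypt -pubin -inkey "$converted_pubkey" -in "$temp_file_key" -out "$wrapped_key"; then
      wrapped_keys+="-- key"$'\n'"$(openssl base64 -in "$wrapped_key")"$'\n'"-- /key"$'\n'
      wrapped_count=$((wrapped_count + 1))
    else
      printf '%s\n' "$me: could not encrypt data key for: $pubkey" >&2
    fi
  done
  if (( wrapped_count == 0 )); then
    # Output with no wrapped key could never be decrypted by anyone.
    printf '%s\n' "$me: no usable public key given, refusing to produce output" >&2
    exit 1
  fi

  echo "-- encrypted with https://sshenc.sh/"
  echo "-- keys"
  printf '%s' "$wrapped_keys"
  echo "-- /keys"
  # Symmetric layer over stdin: AES-256-CBC with a PBKDF2-derived key.
  # NOTE: CBC carries no integrity check, so the format cannot detect tampering.
  if openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass file:"$temp_file_key" > "$temp_file"; then
    openssl base64 -A < "$temp_file"
  else
    printf '%s\n' "$me: encryption failed" >&2
    exit 1
  fi

#decrypt
elif [[ -e "$private_key" ]]; then
  # NOTE: openssl reads PEM (PKCS#1/PKCS#8) RSA private keys; a key stored in
  # OpenSSH's native format ("BEGIN OPENSSH PRIVATE KEY") has to be converted
  # first (ssh-keygen -p -m PEM rewrites the key file in that format).
  stdin=$(cat)
  # Everything between "-- keys" and "-- /keys" is the wrapped-key section;
  # everything after "-- /keys" is the base64 ciphertext.
  keys_enc=$(printf '%s\n' "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f')
  cypher=$(printf '%s\n' "$stdin" | sed -e '1,/-- \/keys/d')
  # Re-join each "-- key" ... "-- /key" block into one base64 string.
  i=0
  while IFS= read -r line; do
    if [[ "$line" == "-- key" ]]; then
      i=$((i + 1))
    elif [[ "$line" != "-- /key" ]]; then
      keys[i]="${keys[i]}$line"
    fi
  done <<< "$keys_enc"
  decrypted=false
  for key in "${keys[@]}"; do
    # Try each wrapped key; failures from keys meant for other recipients are
    # expected, so their diagnostics are discarded.
    # NOTE(review): the encrypt side uses rsautl's default padding while this
    # side passes -ssl; confirm the intent before aligning them.
    if printf '%s' "$key" | openssl base64 -d -A 2>/dev/null \
        | openssl rsautl -decrypt -ssl -inkey "$private_key" > "$temp_file" 2>/dev/null; then
      if printf '%s' "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -pbkdf2 -iter 100000 -d -pass file:"$temp_file"; then
        decrypted=true
        break   # emit the plaintext once, even if several keys would unwrap
      fi
    fi
  done
  if [[ "$decrypted" == false ]]; then
    >&2 echo "no valid decryption key supplied"
    exit 1
  fi

#help
else
  # Usage goes to stderr here so it can never land in a redirected output file.
  if [[ -n "$private_key" ]]; then
    printf '%s\n' "$me: private key not found: $private_key" >&2
  fi
  show_help >&2
  exit 1
fi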