bash script to encrypt data using a users ssh public key https://sshenc.sh
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

164 lines
4.6 KiB

  1. #!/usr/bin/env bash
  2. # --- constants
  3. me=sshenc.sh
  4. show_help() {
  5. cat << EOF
  6. usage: $me [[-p <public ssh key> | -g <github handle>]| -s <private ssh key>] [-h]
  7. examples:
  8. - decrypt a file
  9. $me -s ~/.ssh/id_rsa < encrypted.txt
  10. - encrypt a file
  11. $me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
  12. - encrypt using a GitHub users public SSH key (requires curl and bash 3.2)
  13. $me -g foo < plain-text-file.txt > encrypted.txt
  14. - encrypt using multiple public keys (file can be read by any associated private key)
  15. $me -g foo -g bar -p baz -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
  16. $me home page: https://sshenc.sh/
  17. EOF
  18. }
  19. # --- process option parameters
  20. OPTIND=1 # reset in case getopts has been used previously in the shell
  21. while getopts "h?p:s:g:" opt; do
  22. case "$opt" in
  23. h|\?)
  24. show_help
  25. exit 0
  26. ;;
  27. p) public_key+=("$OPTARG")
  28. ;;
  29. s) private_key=$OPTARG
  30. ;;
  31. g) github_handle+=("$OPTARG")
  32. esac
  33. done
  34. shift $((OPTIND -1)) # pop the processed options off the stack
  35. [ "$1" = "--" ] && shift
  36. # --- setup environment
  37. # data cache files
  38. temp_dir="$(mktemp -d -t "$me.XXXXXX")"
  39. temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")"
  40. temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")"
  41. cleanup() {
  42. rm -rf "$temp_dir"
  43. }
  44. trap cleanup EXIT
  45. # os specific configuration
  46. case "$(uname -s 2>/dev/null)" in
  47. Darwin)
  48. if [[ -n $(openssl version | grep -Eo "LibreSSL [2-9]") ]]; then
  49. openssl_params=''
  50. else
  51. echo >&2 "Install openssl 1.1.1 or higher and add it to your \$PATH"
  52. echo ''
  53. echo ' brew install openssl'
  54. echo ' echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile'
  55. echo ' source ~/.bash_profile'
  56. echo ''
  57. exit 1
  58. fi
  59. ;;
  60. *)
  61. openssl_params='-pbkdf2 -iter 100000'
  62. esac
  63. # --- retrieve ssh keys from github
  64. if [[ "${#github_handle[@]}" -gt 0 ]]; then
  65. if ! which curl >/dev/null ; then
  66. >&2 echo "curl command not found"
  67. exit 1
  68. fi
  69. OLDMASK=$(umask); umask 0266
  70. for handle in "${github_handle[@]}"
  71. do
  72. curl -s "https://github.com/$handle.keys" | grep ssh-rsa > "$temp_dir/$handle"
  73. if [ -s "$temp_dir/$handle" ]; then
  74. key_index=0
  75. while IFS= read -r key; do
  76. printf "%s" "${key}" > "$temp_dir/$handle.$key_index"
  77. public_key+=("$temp_dir/$handle.$key_index")
  78. key_index=$((key_index+1))
  79. done < "$temp_dir/$handle"
  80. fi
  81. done
  82. umask "$OLDMASK"
  83. fi
  84. # --- encrypt stdin
  85. if [[ "${#public_key[@]}" > 0 ]]; then
  86. openssl rand 32 > $temp_file_key
  87. echo "-- encrypted with https://sshenc.sh/"
  88. echo "-- keys"
  89. for pubkey in "${public_key[@]}"
  90. do
  91. if [[ -e "$pubkey" ]]; then
  92. convertedpubkey=$temp_dir/$(basename "$pubkey").pem
  93. ssh-keygen -f "$pubkey" -e -m PKCS8 > $convertedpubkey
  94. #encrypt key with public keys
  95. if openssl rsautl -encrypt -oaep -pubin -inkey "$convertedpubkey" -in "$temp_file_key" -out $temp_dir/$(basename "$pubkey").key.enc; then
  96. echo "-- key"
  97. openssl base64 -in $temp_dir/$(basename "$pubkey").key.enc
  98. echo "-- /key"
  99. fi
  100. fi
  101. done
  102. echo "-- /keys"
  103. if cat | openssl enc -aes-256-cbc -salt $openssl_params -pass file:"$temp_file_key" > "$temp_file"; then
  104. openssl base64 -A < "$temp_file"
  105. fi
  106. # --- decrypt stdin
  107. elif [[ -e "$private_key" ]]; then
  108. stdin=`cat`
  109. keys_enc=$(echo "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f')
  110. cypher=$(echo "$stdin" | sed -e '1,/-- \/keys/d')
  111. install -m 0600 "$private_key" "$temp_dir/private_key"
  112. ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null
  113. i=0
  114. while read line ; do \
  115. if [ "$line" == "-- key" ]; then
  116. i=$(($i + 1))
  117. elif [ "$line" == "-- /key" ]; then
  118. :
  119. else
  120. keys[i]="${keys[$i]}$line"
  121. fi
  122. done <<< "$keys_enc"
  123. decrypted=false
  124. for key in "${keys[@]}"; do
  125. if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file_key" 2>/dev/null); then
  126. if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -d $openssl_params -pass file:"$temp_file_key"; then
  127. decrypted=true
  128. fi
  129. fi
  130. done
  131. if [ $decrypted = false ]; then
  132. >&2 echo "no valid decryption key supplied"
  133. exit 1
  134. fi
  135. # --- help
  136. else
  137. show_help
  138. exit 1
  139. fi