Last active
July 10, 2018 21:22
morgant/9220139
Compress & Encrypt to Disk Using OpenSSL in Bash Without Exposing Password
#
# This is the simplest and cleanest way I've come up with for securely compressing (gzip, in this example) & encrypting data to disk with OpenSSL from a bash script without exposing the password to inspection of the process or environment variables using `ps` and the like. Naturally, `cat` is just used as an example so the data can come from anywhere. If the compressed data is to be sent via email instead of written to disk, don't use '-out' and use '-a' to base64 encode the compressed data.
#
# References:
# http://www.madboa.com/geek/openssl/#encrypt-simple
# http://unix.stackexchange.com/questions/29111/safe-way-to-pass-password-for-1-programs-in-bash#answer-29186
# http://stackoverflow.com/questions/6607675/shell-script-password-security-of-command-line-parameters/6607773#6607773
# https://gist.github.com/philfreo/2321650
cat "$file" | gzip -c | openssl enc -e -salt -aes-256-cbc -pass fd:3 -out "$file.gz.enc" 3<<<"$password"
# the above can be decrypted with the following (requiring manual password input, but that can be worked around using a file descriptor & here string as above):
openssl enc -d -aes-256-cbc -in "$file.gz.enc" | gunzip -c
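
The non-interactive decryption that the last comment mentions, together with a round-trip check, as an added example that is not part of the original gist. The function names `encrypt_file`, `decrypt_file` and `roundtrip_demo` are hypothetical, and the sample data and passwords are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). encrypt_file, decrypt_file and
# roundtrip_demo are hypothetical names; sample data and passwords are constructed.
set -o pipefail   # a failing gzip or openssl fails the whole pipeline

# encrypt_file <file> <password>: writes <file>.gz.enc with the gist's options.
# On OpenSSL 1.1.1 or later, adding -pbkdf2 to both directions selects a
# stronger key derivation than the default used here.
encrypt_file() {
    local file=$1 password=$2
    gzip -c < "$file" |
        openssl enc -e -salt -aes-256-cbc -pass fd:3 -out "$file.gz.enc" 3<<<"$password"
}

# decrypt_file <file.gz.enc> <password>: plaintext on stdout, no prompt.
# The password is read from fd 3 again, so openssl's argv only shows "fd:3".
decrypt_file() {
    local enc=$1 password=$2
    openssl enc -d -aes-256-cbc -pass fd:3 -in "$enc" 3<<<"$password" | gunzip -c
}

# roundtrip_demo: prints "ok" when decrypting returns the original bytes and a
# wrong password is rejected. openssl enc has no integrity check of its own;
# the rejection comes from the CBC padding check and gzip's CRC.
roundtrip_demo() {
    local dir rc=1 password='constructed example passphrase'
    dir=$(mktemp -d) || return 1
    printf 'constructed sample line %s\n' 1 2 3 > "$dir/sample.txt"
    if encrypt_file "$dir/sample.txt" "$password" &&
       decrypt_file "$dir/sample.txt.gz.enc" "$password" | cmp -s - "$dir/sample.txt" &&
       ! decrypt_file "$dir/sample.txt.gz.enc" 'wrong password' >/dev/null 2>&1
    then
        echo ok
        rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}

roundtrip_demo || echo "round trip failed" >&2
```

Recent OpenSSL releases print a key-derivation deprecation warning on stderr for these options; the commands still succeed.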