encryption and decryption using an openssh-formatted rsa public-private key pair

decrypt_with_privkey.sh

#!/bin/bash
# TODO: this leaks the session key to arguments visible to ps while decrypting
set -euo pipefail

# if an argument was provided, use it as the path to the rsa private key, otherwise assume openssh
keypath=${1:-"$HOME/.ssh/id_rsa"}

# deal with converting openssh special file format to something openssl understands
TMPFILE=$(mktemp)
cp -p "$keypath" $TMPFILE
# if the rsa key was passphrase protected, you will be prompted for it during the below command
ssh-keygen -q -p -m pkcs8 -f $TMPFILE -N '' 1>/dev/null
exec 9<$TMPFILE
exec 8<$TMPFILE
rm $TMPFILE

# extract first 384 bytes from stdin, decrypt them with the RSA private key, and hex encode them
KEYPLUSIV=$(dd status=none bs=$( openssl pkey -in /dev/fd/8 -text | awk '/Private-Key/ { print substr($3, 2) / 8 }') count=1 | openssl rsautl -decrypt -inkey /dev/fd/9 | xxd -p -c0)

# don't need private key anymore
exec 8<&-
exec 9<&-

# run openssl AES decryption on the rest of stdin, using the resulting session key and iv
exec openssl enc -d -aes-256-cbc -K "${KEYPLUSIV:0:64}" -iv "${KEYPLUSIV:64:}"

encrypt_with_pubkey.sh

#!/bin/bash
# TODO: this leaks the session key to arguments visible to ps while encrypting
set -euo pipefail

if (( $# < 1 )); then
    printf "error: must provide path to recipient's id_rsa.pub\n" >&2
    exit 1;
fi

# generate 32+16 bytes of random key and iv, hex encoded
KEYPLUSIV=$(openssl rand -hex 48)

# public-key encrypt the binary representation of key and iv, converting from openssh .pub format
xxd -r -p <<< "$KEYPLUSIV" | openssl pkeyutl -encrypt -pubin -inkey <( ssh-keygen -f $1 -e -m pkcs8 )

# run openssl AES on stdin, using the hex version of the session key and iv
exec openssl enc -aes-256-cbc -K "${KEYPLUSIV:0:64}" -iv "${KEYPLUSIV:64:}"