ssh-crypt: bash function to encrypt using ssh-agent and openssl

ssh-crypt.bash

#!/usr/bin/env bash
#
# ssh-crypt
#
# Bash function to encrypt/decrypt with your ssh-agent private key.
# Requires the commands gzip, ssh-add, ssh-keygen and openssl.
#
# Uses bash-specific extensions like <<<$var to securely pass data.
#
# [email protected] 2021-11-11 - MIT Licensed
#
# Copyright 2021 Wout Mertens
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
# associated documentation files (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge, publish, distribute,
# sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial
# portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
# LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
# NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ssh-crypt() {
	if [ "$1" != -e ] && [ "$1" != -d ]; then
		echo "Usage: ssh-crypt -<e|d> [seed] [pubkey-match] < infile > outfile" >&2
		echo >&2
		echo "* -e for encrypt, -d for decrypt" >&2
		echo "* seed is used to generate the secret, recommended so you don't use the same secret everywhere" >&2
		echo "* pubkey-match is used to select the first matching pubkey in the ssh-agent" >&2
		echo "* define CRYPT_PUBKEY to provide your own" >&2
		return 2
	fi

	# === Select pubkey
	local pk
	if [ -n "$CRYPT_PUBKEY" ]; then
		pk="$CRYPT_PUBKEY"
	else
		# we can't use ecdsa, it always gives different signatures
		local keys=$(ssh-add -L | grep -v ecdsa)
		if [ -n "$3" ]; then
			keys=$(grep -- "$3" <<<"$keys")
		fi
		read pk <<<"$keys"
	fi
	if [ -z "$pk" ]; then
		echo "!!! Could not select a public key to use - verify ssh-add -L"
		return 1
	fi

	# === Generate secret
	# We pass the pubkey as a file so ssh-keygen will look up the private key in the agent
	local secretText=$(ssh-keygen -Y sign -n hi -q -f /dev/fd/4 4<<<"$pk" <<<"$2")
	if [ $? -ne 0 ] || [ -z "$secretText" ]; then
		echo "!!! Cannot generate secret, is ssh-agent available?" >&2
		return 1
	fi
	# Get it on one line
	local secret=$(openssl dgst -sha512 -r <<<"$secretText")
	if [ $? -ne 0 ] || [ -z "$secret" ]; then
		echo "!!! Cannot generate secret, is openssl available?" >&2
		return 1
	fi

	# === Encrypt/decrypt
	# specify all settings so openssl upgrades don't change encryption
	local opts="-aes-256-cbc -md sha512 -pbkdf2 -iter 239823 -pass fd:4"
	# we use gzip both for compression and detecting bad secrets early
	if [ "$1" = -e ]; then
		gzip | openssl enc -e $opts 4<<<"$secret"
	else
		openssl enc -d $opts 4<<<"$secret" | gzip -d
	fi
}

# When sourcing this file for use in other scripts, use `LOAD_ONLY=true source ssh-crypt.bash`
if [ -z "$LOAD_ONLY" ]; then
	ssh-crypt "$@"
fi

ssh-keygen -Y sign -n hi -q -f /dev/fd/4 4<<<"$pk" <<<"$2"
This is awesome!

@izak-hoot thanks :-)

Hi @wmertens. First of all, thank you, your script was helping me a lot. I think this solution is great for things like API keys in public dot file repositories, hence I took it a step further and build an SSH store system around it, but I also significantly decreased its code size, as I know that I work with id_rsa exclusively. I also noticed a few things that confused me and that I decided to skip over in the rewrite process:

1. I noticed that you hash your signature (secretText) using openssh dgst before using it as symmetrical key via openssl enc (secret). Why? It's not necessary and feels redundant to me. You can just pass the entire signature as -k argument to openssl enc and you are good to go.
2. ssh-keygen sign doesn't require you to feed it with the public key to derive the private key. You can just give it the private key and it will work.
3. As time progresses, so should the encryption level, but you can't update the encryption without making old data unreadable, so I think a versioning system would be nice.
4. The whole file descriptor thing works, but is less portable.

I came up with this function:

sshstore() {
	sign() { echo "$1" | ssh-keygen -Y sign -n store -f "$2" -q; }
	v=1
	identity="$HOME/.ssh/id_rsa"
	if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
		echo "Loads or saves a symmetrically encrypted data from/to the SSH store using $identity."
		echo "Usage: sshstore [-h] [--help] name [-s data] [-s < data] > data"
		echo ''
		echo "The private identity key within the SSH agent is used to sign the given name."
		echo "The resulting signature is used to symmetrically encrypt or decrypt the data."
		echo "Note: This function is backward compatible with older identities and encryption methods."
		return 129
	fi
	store="$HOME/.ssh/store"
	name="$(echo "$1" | tr -cd '[:alnum:]_-')"
	mkdir -p "$store"
	if [ "$2" = "-s" ]; then
		data="$3"
		test -n "$data" || { stdin=$(mktemp) && timeout 1 cat > "$stdin" && data="$(cat "$stdin")"; rm "$stdin"; }
		test -n "$data" || { echo Missing data to encryt. >&2 && return 1; }
		rm "$store/$name.*" 2>/dev/null
		echo "$data" | gzip | openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 69420 -k "$(sign "$name" "$identity")" > "$store/$name.$v"
		data=""
	fi
	test -s "$store/$name.$v" && openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 69420 -k "$(sign "$name" "$identity")" < "$store/$name.$v" | gzip -d && return 0
	# test -s "$store/$name.1" && openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 69420 -k "$(sign "$name" "$HOME/.ssh/id_rsa")" < "$store/$name.1" | gzip -d && return 0
	echo "Could not find $name to decrypt." >&2 && return 1
}

Now I can store some sensitive data using echo "DATA" | sshstore my-secret -s or sshstore my-secret -s "DATA" and access it securely via $(sshstore my-secret) where I need it.

I would love to get your personal opinion about this function as I try to get something secure to use confidently.

About the script:

• It is designed to work with secrets like API keys, but should be usable for anything
• The encrypted data is never outputted, but instead stored in $HOME/.ssh/store, the function always outputs unencrypted data
• v=1 is the version of the encryption and key, so if I change either of these, I can out-comment the 2nd openssl enc -d line to fallback to previous versions and so on ... however, new data will always be encrypted with my newest key and method, so I can slowly refresh my secrets with improved methods in the future
• I decreased the -iter by approx. 180k to improve execution time, it still should be sufficient enough against brute force attacks, especially as those secrets will be obsolete and already refreshed to quantum safe methods before quantum is a thing

As a final note: Kudos on using gzip to validate falsy data, that's such a clever way to prevent false positives when decrypting data.

Hi @martin-braun, your changes make a lot of sense to me, thanks!

I think I did the hashing to be sure the input to enc is of reasonable size and doesn't contain weird characters, but indeed I suppose enc already takes care of that.

Hmm looking at the script closer I'm worried about echo "$data", that will show up in the process table, limits the size of the secret, and adds a \n.

@wmertens Great catch, I'm a bit confused now, though: In my testing using echo would work as expected. If I replace echo "$data" | gzip | ... with printf "%s" "$data" | gzip | ... the output of gzip -d would miss the last character. It's almost like gzip removes and adds the the \n for me, but that sounds wrong on many levels.

Hi @wmertens. I really want this to work for me, but I don't know if the ssh-keygen I have will do arbitrary file encryption using "-Y sign". The version I have (on Red Hat Enterprise Linux v7 and v8) doesn't support "-Y". What version of ssh are you using for this? I have v8.0p1 and 7.4p1. I'm hoping my ssh-keygen has alternative options that perform the same function, but I can't find anything useful on the man page related to signing files (only certificates), and there's definitely no mention of a "-Y" option.

@jezzaaa I'm using OpenSSH v9. With such old OSes I'd consider installing Nix so you have access to all the latest and greatest without impacting the system.

Wow, I didn't know Nix was a thing. Thanks. I'll give it a try.

Thanks so much for this recipe!

In case you find it useful, I made a version in perl that stores the public key and the salt into the encrypted file so that there's no ambiguity when decoding it. (like happens if you have multiple keys loaded in the agent, and no environment variable set)

#! /usr/bin/perl
use v5.10;
use strict;
use warnings;
use Pod::Usage;
use Getopt::Long;
use POSIX 'dup2';

our $VERSION= 0.001;

=head1 USAGE

  ssh-crypt [-e|-d] [-s SALT] [-k KEY_PATTERN] <INPUT >OUTPUT
  ssh-crypt [-e|-d] [-s SALT] [-k KEY_PATTERN] INPUT_FILE >OUTPUT
  ssh-encrypt [-s SALT] [-k KEY_PATTERN] <PLAINTEXT >CIPHERTEXT
  ssh-decrypt <CIPHERTEXT >PLAINTEXT

Uses an ssh key from your ssh-agent to encrypt or decrypt a file.  For encryption, you should
specify a SALT value, and if you have more than one key specify -k to select which one you want.

=over

=item -e | -d

Select encryption or decryption mode

=item -s SALT

Specify a string that will be signed to create the encryption key

=item -k KEY_PATTERN

During encryption, if you have multiple keys available, this selects the one you want to use.

=back

=cut

# specify all settings so openssl upgrades don't change encryption
our @enc_opts= qw( -aes-256-cbc -md sha512 -pbkdf2 -iter 239823 );
our $file_signature= sprintf("ssh-crypt %2.3f ", $VERSION);

my $mode;
GetOptions(
  'e'      => sub { $mode= 'encrypt' },
  'd'      => sub { $mode= 'decrypt' },
  's=s'    => \(my $salt= 'ssh-crypt'),
  'k=s'    => \my $key_pattern,
  'help|h' => sub { pod2usage(1) },
) && @ARGV <= 1
   or pod2usage(2);

# They can specify a file to use instead of STDIN
open STDIN, '<', $ARGV[0] or die "open('$ARGV[0]'): $!"
   if @ARGV;

# derive mode from the script name (when symlinked to these names)
$mode ||= ($0 =~ /-(encrypt|decrypt)/)[0]
   || pod2usage(-message => "Require '-e' or '-d' option");

$mode eq 'encrypt'? encrypt() : decrypt();

sub get_ssh_pubkey {
   return $ENV{SSH_CRYPT_PUBKEY} if length $ENV{SSH_CRYPT_PUBKEY};
   my @keys= `ssh-add -L`;
   @keys= grep /$key_pattern/, @keys
      if defined $key_pattern;
   die "No ssh key ".(defined $key_pattern? "found matching pattern '$key_pattern'" : "available")
      unless @keys;
   my @usable= grep $_ !~ /^ecdsa/, @keys;
   die "ecdsa keys cannot be used"
      unless @usable;
   die "More than one ssh_key found".(
         defined $key_pattern? " matching pattern '$key_pattern'"
         : "; use -k option or \$SSH_CRYPT_PUBKEY"
      )."\n@keys"
      if @usable > 1;
   # Trim off the comment, in case it contains sensitive information
   $usable[0] =~ s/^(\S+ \S+).*/$1/;
   $usable[0]
}   

# Create symmetric key by signing $salt with the chosen SSH key.
# Public key is provided, which causes ssh-keygen to consult ssh-agent for signing.
sub create_secret {
   my ($key, $message)= @_;
   my @cmd= ( 'ssh-keygen', -Y => 'sign', -n => 'ssh-crypt', '-q', -f => "/dev/fd/3" );
   my $signed= capture_cmd_with_fds([$message, undef, undef, $key], @cmd);
}

sub encrypt {
   my $key= get_ssh_pubkey;
   my $secret= create_secret($key, $salt);
   # write header
   $key =~ s/\r?\n?\z//;
   my $header= "${file_signature}XXXX\n$key\n@enc_opts\n$salt\n";
   substr($header, length $file_signature, 4, sprintf "%04X", length $header);
   print $header;
   # create a pipe and load it with the file-descriptor-3 data
   $^F= 3; # pass fd 3 to child
   my $fd3= load_string_into_pipe($secret);
   dup2(fileno $fd3, 3);
   # hand off to openssl to run directly on file handles
   exec('openssl', 'enc', -e => @enc_opts, -pass => 'fd:3') or die "exec(openssl): $!";
}

sub decrypt {
   # Attempt to read a precise number of bytes from stdin so that we can pass stdin
   # on to the openssl command without needing to be a middleman.
   my $goal= 4 + length $file_signature;
   my $header= '';
   while ($goal > length $header) {
      sysread(STDIN, $header, $goal - length $header, length $header) > 0
         or die "expected at least $goal bytes of input";
   }
   substr($header, 0, length $file_signature) eq $file_signature
      or die "input does not appear to be encrypted by this tool";
   $goal= hex substr($header, length $file_signature, 4);
   while ($goal > length $header) {
      sysread(STDIN, $header, $goal - length $header, length $header) > 0
         or die "expected at least $goal bytes of input";
   }
   my (undef, $key, $opts, $salt)= split /\n/, $header, 4;
   my $secret= create_secret($key, $salt);
   # create a pipe and load it with the file-descriptor-3 data
   $^F= 3; # pass fd 3 to child
   my $fd3= load_string_into_pipe($secret);
   fileno $fd3 == 3 or die "BUG: pipe got FD ".(fileno $fd3)." instead of 3";
   # hand off to openssl to run directly on file handles
   exec('openssl', 'enc', -d => @enc_opts, -pass => 'fd:3') or die "exec(openssl): $!";
}

sub load_string_into_pipe {
   my $secret= shift;
   # create a pipe and load it with the file-descriptor-3 data
   pipe(my $r, my $w) or die "pipe: $!";
   syswrite($w, $secret) == length $secret or die "write(pipe): $!";
   close $w;
   return $r;
}

# This can be done much nicer with IPC::Run, but that isn't a standard module.
# Could also shell out to bash, but nice to have it work with ash in Alpine.
sub capture_cmd_with_fds {
   my ($fds, @cmd)= @_;
   pipe(my $stdout_r, my $stdout_w) or die "pipe: $!";
   defined(my $pid= fork) or die "fork: $!";
   if ($pid) {
      close $stdout_w;
      # read stdout and return it
      local $/= undef;
      my $msg= <$stdout_r>;
      waitpid($pid, 0);
      $? == 0 or die "$cmd[0] failed";
      return $msg;
   }
   else {
      $^F= $#$fds if $#$fds > 2;
      for (0..$#$fds) {
         if (defined $fds->[$_]) {
            if (!ref $fds->[$_]) {
               my $pipe= load_string_into_pipe($fds->[$_]);
               dup2(fileno($pipe), $_);
            } else {
               dup2(fileno($fds->[$_]), $_);
            }
         }
      }
      dup2(fileno($stdout_w), 1);
      exec @cmd or die "exec('$cmd[0]'): $!";
   }
}

Good idea @nrdvana !