ssh-crypt: bash function to encrypt using ssh-agent and openssl

ssh-crypt.bash

#!/usr/bin/env bash
#
# ssh-crypt
#
# Bash function to encrypt/decrypt with your ssh-agent private key.
# Requires the commands gzip, ssh-add, ssh-keygen and openssl.
#
# Uses bash-specific extensions like <<<$var to securely pass data.
#
# [email protected] 2021-11-11 - MIT Licensed
#
# Copyright 2021 Wout Mertens
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
# associated documentation files (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge, publish, distribute,
# sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial
# portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
# LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
# NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ssh-crypt() {
	if [ "$1" != -e ] && [ "$1" != -d ]; then
		echo "Usage: ssh-crypt -<e|d> [seed] [pubkey-match] < infile > outfile" >&2
		echo >&2
		echo "* -e for encrypt, -d for decrypt" >&2
		echo "* seed is used to generate the secret, recommended so you don't use the same secret everywhere" >&2
		echo "* pubkey-match is used to select the first matching pubkey in the ssh-agent" >&2
		echo "* define CRYPT_PUBKEY to provide your own" >&2
		return 2
	fi

	# === Select pubkey
	local pk
	if [ -n "$CRYPT_PUBKEY" ]; then
		pk="$CRYPT_PUBKEY"
	else
		# we can't use ecdsa, it always gives different signatures
		local keys=$(ssh-add -L | grep -v ecdsa)
		if [ -n "$3" ]; then
			keys=$(grep -- "$3" <<<"$keys")
		fi
		read pk <<<"$keys"
	fi
	if [ -z "$pk" ]; then
		echo "!!! Could not select a public key to use - verify ssh-add -L"
		return 1
	fi

	# === Generate secret
	# We pass the pubkey as a file so ssh-keygen will look up the private key in the agent
	local secretText=$(ssh-keygen -Y sign -n hi -q -f /dev/fd/4 4<<<"$pk" <<<"$2")
	if [ $? -ne 0 ] || [ -z "$secretText" ]; then
		echo "!!! Cannot generate secret, is ssh-agent available?" >&2
		return 1
	fi
	# Get it on one line
	local secret=$(openssl dgst -sha512 -r <<<"$secretText")
	if [ $? -ne 0 ] || [ -z "$secret" ]; then
		echo "!!! Cannot generate secret, is openssl available?" >&2
		return 1
	fi

	# === Encrypt/decrypt
	# specify all settings so openssl upgrades don't change encryption
	local opts="-aes-256-cbc -md sha512 -pbkdf2 -iter 239823 -pass fd:4"
	# we use gzip both for compression and detecting bad secrets early
	if [ "$1" = -e ]; then
		gzip | openssl enc -e $opts 4<<<"$secret"
	else
		openssl enc -d $opts 4<<<"$secret" | gzip -d
	fi
}

# When sourcing this file for use in other scripts, use `LOAD_ONLY=true source ssh-crypt.bash`
if [ -z "$LOAD_ONLY" ]; then
	ssh-crypt "$@"
fi

Hmm looking at the script closer I'm worried about echo "$data", that will show up in the process table, limits the size of the secret, and adds a \n.

@wmertens Great catch, I'm a bit confused now, though: In my testing using echo would work as expected. If I replace echo "$data" | gzip | ... with printf "%s" "$data" | gzip | ... the output of gzip -d would miss the last character. It's almost like gzip removes and adds the the \n for me, but that sounds wrong on many levels.

Hi @wmertens. I really want this to work for me, but I don't know if the ssh-keygen I have will do arbitrary file encryption using "-Y sign". The version I have (on Red Hat Enterprise Linux v7 and v8) doesn't support "-Y". What version of ssh are you using for this? I have v8.0p1 and 7.4p1. I'm hoping my ssh-keygen has alternative options that perform the same function, but I can't find anything useful on the man page related to signing files (only certificates), and there's definitely no mention of a "-Y" option.

@jezzaaa I'm using OpenSSH v9. With such old OSes I'd consider installing Nix so you have access to all the latest and greatest without impacting the system.

Wow, I didn't know Nix was a thing. Thanks. I'll give it a try.

Thanks so much for this recipe!

In case you find it useful, I made a version in perl that stores the public key and the salt into the encrypted file so that there's no ambiguity when decoding it. (like happens if you have multiple keys loaded in the agent, and no environment variable set)

#! /usr/bin/perl
use v5.10;
use strict;
use warnings;
use Pod::Usage;
use Getopt::Long;
use POSIX 'dup2';

our $VERSION= 0.001;

=head1 USAGE

  ssh-crypt [-e|-d] [-s SALT] [-k KEY_PATTERN] <INPUT >OUTPUT
  ssh-crypt [-e|-d] [-s SALT] [-k KEY_PATTERN] INPUT_FILE >OUTPUT
  ssh-encrypt [-s SALT] [-k KEY_PATTERN] <PLAINTEXT >CIPHERTEXT
  ssh-decrypt <CIPHERTEXT >PLAINTEXT

Uses an ssh key from your ssh-agent to encrypt or decrypt a file.  For encryption, you should
specify a SALT value, and if you have more than one key specify -k to select which one you want.

=over

=item -e | -d

Select encryption or decryption mode

=item -s SALT

Specify a string that will be signed to create the encryption key

=item -k KEY_PATTERN

During encryption, if you have multiple keys available, this selects the one you want to use.

=back

=cut

# specify all settings so openssl upgrades don't change encryption
our @enc_opts= qw( -aes-256-cbc -md sha512 -pbkdf2 -iter 239823 );
our $file_signature= sprintf("ssh-crypt %2.3f ", $VERSION);

my $mode;
GetOptions(
  'e'      => sub { $mode= 'encrypt' },
  'd'      => sub { $mode= 'decrypt' },
  's=s'    => \(my $salt= 'ssh-crypt'),
  'k=s'    => \my $key_pattern,
  'help|h' => sub { pod2usage(1) },
) && @ARGV <= 1
   or pod2usage(2);

# They can specify a file to use instead of STDIN
open STDIN, '<', $ARGV[0] or die "open('$ARGV[0]'): $!"
   if @ARGV;

# derive mode from the script name (when symlinked to these names)
$mode ||= ($0 =~ /-(encrypt|decrypt)/)[0]
   || pod2usage(-message => "Require '-e' or '-d' option");

$mode eq 'encrypt'? encrypt() : decrypt();

sub get_ssh_pubkey {
   return $ENV{SSH_CRYPT_PUBKEY} if length $ENV{SSH_CRYPT_PUBKEY};
   my @keys= `ssh-add -L`;
   @keys= grep /$key_pattern/, @keys
      if defined $key_pattern;
   die "No ssh key ".(defined $key_pattern? "found matching pattern '$key_pattern'" : "available")
      unless @keys;
   my @usable= grep $_ !~ /^ecdsa/, @keys;
   die "ecdsa keys cannot be used"
      unless @usable;
   die "More than one ssh_key found".(
         defined $key_pattern? " matching pattern '$key_pattern'"
         : "; use -k option or \$SSH_CRYPT_PUBKEY"
      )."\n@keys"
      if @usable > 1;
   # Trim off the comment, in case it contains sensitive information
   $usable[0] =~ s/^(\S+ \S+).*/$1/;
   $usable[0]
}   

# Create symmetric key by signing $salt with the chosen SSH key.
# Public key is provided, which causes ssh-keygen to consult ssh-agent for signing.
sub create_secret {
   my ($key, $message)= @_;
   my @cmd= ( 'ssh-keygen', -Y => 'sign', -n => 'ssh-crypt', '-q', -f => "/dev/fd/3" );
   my $signed= capture_cmd_with_fds([$message, undef, undef, $key], @cmd);
}

sub encrypt {
   my $key= get_ssh_pubkey;
   my $secret= create_secret($key, $salt);
   # write header
   $key =~ s/\r?\n?\z//;
   my $header= "${file_signature}XXXX\n$key\n@enc_opts\n$salt\n";
   substr($header, length $file_signature, 4, sprintf "%04X", length $header);
   print $header;
   # create a pipe and load it with the file-descriptor-3 data
   $^F= 3; # pass fd 3 to child
   my $fd3= load_string_into_pipe($secret);
   dup2(fileno $fd3, 3);
   # hand off to openssl to run directly on file handles
   exec('openssl', 'enc', -e => @enc_opts, -pass => 'fd:3') or die "exec(openssl): $!";
}

sub decrypt {
   # Attempt to read a precise number of bytes from stdin so that we can pass stdin
   # on to the openssl command without needing to be a middleman.
   my $goal= 4 + length $file_signature;
   my $header= '';
   while ($goal > length $header) {
      sysread(STDIN, $header, $goal - length $header, length $header) > 0
         or die "expected at least $goal bytes of input";
   }
   substr($header, 0, length $file_signature) eq $file_signature
      or die "input does not appear to be encrypted by this tool";
   $goal= hex substr($header, length $file_signature, 4);
   while ($goal > length $header) {
      sysread(STDIN, $header, $goal - length $header, length $header) > 0
         or die "expected at least $goal bytes of input";
   }
   my (undef, $key, $opts, $salt)= split /\n/, $header, 4;
   my $secret= create_secret($key, $salt);
   # create a pipe and load it with the file-descriptor-3 data
   $^F= 3; # pass fd 3 to child
   my $fd3= load_string_into_pipe($secret);
   fileno $fd3 == 3 or die "BUG: pipe got FD ".(fileno $fd3)." instead of 3";
   # hand off to openssl to run directly on file handles
   exec('openssl', 'enc', -d => @enc_opts, -pass => 'fd:3') or die "exec(openssl): $!";
}

sub load_string_into_pipe {
   my $secret= shift;
   # create a pipe and load it with the file-descriptor-3 data
   pipe(my $r, my $w) or die "pipe: $!";
   syswrite($w, $secret) == length $secret or die "write(pipe): $!";
   close $w;
   return $r;
}

# This can be done much nicer with IPC::Run, but that isn't a standard module.
# Could also shell out to bash, but nice to have it work with ash in Alpine.
sub capture_cmd_with_fds {
   my ($fds, @cmd)= @_;
   pipe(my $stdout_r, my $stdout_w) or die "pipe: $!";
   defined(my $pid= fork) or die "fork: $!";
   if ($pid) {
      close $stdout_w;
      # read stdout and return it
      local $/= undef;
      my $msg= <$stdout_r>;
      waitpid($pid, 0);
      $? == 0 or die "$cmd[0] failed";
      return $msg;
   }
   else {
      $^F= $#$fds if $#$fds > 2;
      for (0..$#$fds) {
         if (defined $fds->[$_]) {
            if (!ref $fds->[$_]) {
               my $pipe= load_string_into_pipe($fds->[$_]);
               dup2(fileno($pipe), $_);
            } else {
               dup2(fileno($fds->[$_]), $_);
            }
         }
      }
      dup2(fileno($stdout_w), 1);
      exec @cmd or die "exec('$cmd[0]'): $!";
   }
}

Good idea @nrdvana !