Shell sshenc.sh

I came across this bash script on GitHub.
https://github.com/S2-/sshenc.sh

It is based on this forum post:

https://bjornjohansen.no/encrypt-file-using-ssh-key

The whole idea looked very useful. Near zero dependencies - ssh-keygen and openssl. So I dug a bit deeper. The first problem is that the steps in the forum post for decrypting don't work. You can't use ssh-keygen -e to extract a private key. The script on GitHub solves this ... but there's a price.

First the readme markdown suggests this as a way to run the script:

Code:
bash <(curl -s https://sshenc.sh/sshenc.sh) -s ~/.ssh/id_rsa < file-containing-the-encrypted-text.txt

curl piped straight into your shell? Really? Um, no. Don't ever do that. Looking at how the script solves the ssh-keygen problem, I see this:

Code:
ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null

This takes a copy of your private key file, prompts you for the password, and then re-writes the private key in PEM format without any password protection. It is now sitting on your hard drive in the clear. The private key is needed by openssl - but the file is never cleaned up afterwards.

*sigh*

This started off looking nice and tidy but quickly lands you in a ditch.
 
Sigh. The trouble starts when the blog post puts something very secret into a temporary file. At least in one case, it says that one should remove the file afterwards. But that doesn't make the secret go away, it just makes it somewhat harder to find. That's particularly true on modern journaling/logging/log-structured file systems.

On the other hand: This is a cute idea, for getting data from your own system (which is presumably quite secure) to another person's system (which is presumably also quite secure) via an insecure channel, with low hassle. Under the assumption that your own system is quite secure, leaving a few files in /tmp/ is not a big deal ... the original of the "secret" file is also on the same system anyway.
 
ralphbsz - yes I run ZFS. Anything written to /tmp is potentially recoverable.

I looked at age - written in lang/go.


It requires two sets of keys - sender and recipient so the payload is encrypted and signed by the sender.

There's also signify and asignify.

I'm looking for something slightly simpler (eg. poor man's tarsnap style backup / recovery). Leveraging the private/public keys I already have scores points for simplicity. I don't want to use a private key on the encryption side because I want that to happen automatically eg. don't prompt for a password each time the backup job runs. Storing private keys in the clear is a fail.

shkhln - wormhole looks interesting. Heavier on dependencies but interesting.

The base install almost does what I want. The problem is openssl and openssh don't talk to each other very well when it comes to private keys. Maybe libressl will fix that some day.
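
The clean-up gap raised in the first post (the unprotected PEM copy is never removed), as an added example that is not part of this thread or of sshenc.sh: the copy lives in a private directory that is deleted on every exit path. The function names and the `openssl pkeyutl` invocation are assumptions for illustration. As the replies point out, deletion does not scrub blocks on file systems such as ZFS, so this only narrows the exposure.

```shell
#!/bin/sh
# Added example, not taken from sshenc.sh. Function names are hypothetical.

# with_private_key_copy KEYFILE CMD [ARGS...]
# Copies KEYFILE into a private temp directory, runs
#   CMD ARGS... <path-to-copy>
# and removes the directory afterwards, whether CMD succeeds, fails,
# or the shell is interrupted. Returns CMD's exit status.
with_private_key_copy() {
    (   # subshell: umask, variables and traps stay local to this call
        key=$1; shift
        umask 077                         # directory 0700, files 0600
        # TMPDIR is honoured, so it can point at a memory-backed mount.
        dir=$(mktemp -d "${TMPDIR:-/tmp}/keycopy.XXXXXX") || exit 1
        trap 'rm -rf "$dir"' EXIT         # runs on every exit path
        trap 'exit 130' INT TERM HUP      # turn signals into a normal exit
        cp "$key" "$dir/private_key" || exit 1
        "$@" "$dir/private_key"; rc=$?
        exit "$rc"                        # explicit exit fires the EXIT trap
    )
}

# Work done on the copy: the same ssh-keygen call quoted in the post
# strips the passphrase in place, then openssl reads the PEM key.
# The pkeyutl options are an assumption; use whatever matches the
# way the file was encrypted.
_convert_and_decrypt() {
    in=$1 out=$2 keycopy=$3
    ssh-keygen -p -m PEM -N '' -f "$keycopy" >/dev/null || return 1
    openssl pkeyutl -decrypt -inkey "$keycopy" \
        -pkeyopt rsa_padding_mode:oaep -in "$in" -out "$out"
}

# decrypt_with_ssh_key KEYFILE ENCRYPTED_FILE OUTPUT_FILE
decrypt_with_ssh_key() {
    with_private_key_copy "$1" _convert_and_decrypt "$2" "$3"
}
```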
 