I came across this bash script on github.
https://github.com/S2-/sshenc.sh
It is based on this forum post:
https://bjornjohansen.no/encrypt-file-using-ssh-key
The whole idea looked very useful. Near zero dependencies - ssh-keygen and openssl. So I dug a bit deeper. The first problem is the steps in the forum post for decrypting don't work. You can't use ssh-keygen -e to extract a private key. The script on github solves this ... but there's a price.
First the readme markdown suggests this as a way to run the script:
Code:
bash <(curl -s https://sshenc.sh/sshenc.sh) -s ~/.ssh/id_rsa < file-containing-the-encrypted-text.txt
curl piped straight into your shell? Really? Um, no. Don't ever do that. Looking at how the script solves the ssh-keygen problem, I see this:
Code:
ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null
This takes a copy of your private key file, prompts you for the password, and then re-writes the private key in PEM format without any password protection. It is now sitting on your hard drive in the clear. The private key is needed by openssl - but the file is never cleaned up afterwards.
*sigh*
This started off looking nice and tidy but quickly lands you in a ditch.
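The cleanup that the script omits, as an added shell example (written here, not code from sshenc.sh or the forum post): the cleartext key copy lives only in a 0700 scratch directory that is wiped whether the command using it succeeds, fails or is interrupted. The function names with_cleartext_copy and wipe_scratch and the KEY_COPY variable are names chosen for this example; the ssh-keygen/openssl invocation in the usage comment is illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from sshenc.sh): perform the "unlock a copy of the key"
# step the post criticises, but keep the unencrypted copy short-lived.
# with_cleartext_copy, wipe_scratch and KEY_COPY are names chosen here.

# Wipe the private scratch dir, overwriting the key copy first where shred exists.
wipe_scratch() {
  local dir="$1"
  if [ -f "$dir/private_key" ] && command -v shred >/dev/null 2>&1; then
    shred -u -- "$dir/private_key"
  fi
  rm -rf -- "$dir"
}

# with_cleartext_copy SECRET_FILE COMMAND [ARGS...]
# Copies SECRET_FILE into a fresh 0700 directory as a 0600 file, runs COMMAND
# with the copy's path in $KEY_COPY, then wipes the directory whether COMMAND
# succeeded, failed or was interrupted. Returns COMMAND's exit status.
with_cleartext_copy() {
  local secret="$1"; shift
  [ $# -gt 0 ] || { echo "with_cleartext_copy: no command given" >&2; return 2; }
  [ -r "$secret" ] || { echo "with_cleartext_copy: cannot read $secret" >&2; return 2; }
  (
    umask 077                            # nothing created below is group/world readable
    scratch=$(mktemp -d) || exit 2       # mktemp -d creates the directory 0700
    trap 'wipe_scratch "$scratch"' EXIT  # fires on normal exit and on any error
    trap 'exit 130' INT TERM             # turn signals into an exit so EXIT runs
    cp -- "$secret" "$scratch/private_key" || exit 2   # 0600 under umask 077
    KEY_COPY="$scratch/private_key" "$@"
  )
}

# Usage against the post's case (interactive: ssh-keygen -p prompts for the
# existing passphrase; -N '' writes the copy without one, as the script does,
# but the copy is gone once the subshell exits):
#   with_cleartext_copy ~/.ssh/id_rsa sh -c \
#     'ssh-keygen -p -m PEM -N "" -f "$KEY_COPY" >/dev/null && \
#      openssl pkeyutl -decrypt -inkey "$KEY_COPY" -in ciphertext.bin'
```

The subshell is what makes the cleanup reliable: the EXIT trap belongs to the subshell, so it fires when the subshell ends for any reason, and the caller's own traps are untouched. Bash preserves the command's exit status across an EXIT trap that does not itself call exit, so callers can still branch on whether the decrypt step worked.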