Encrypt and decrypt files with password - linux

I'm using Linux and I basically want to encrypt a file using a password.
I've tried using gpg -c myfile for encryption, and that works fine: it asks me for a password and encrypts the file. But it only asks for a password when encrypting.
I want a way to encrypt a file so that if you want to decrypt it you have to give the same password that it was encrypted with.
If there's a Python library, that would work too, since I can put that in a script.

There are several alternatives to create password-protected files under Linux.
GnuPG
GnuPG can be used to encrypt data and create digital signatures.
To encrypt and decrypt a data.txt file, use gpg command as follows:
$ gpg -c data.txt
$ gpg data.txt.gpg
mcrypt
mcrypt allows you to create password-protected files similarly to GnuPG.
To encrypt and decrypt a data.txt file, use mcrypt command as follows:
$ mcrypt data.txt
$ mcrypt -d data.txt.nc
OpenSSL
The OpenSSL Cryptography Toolkit can also be used to encrypt and decrypt files and messages.
To encrypt and decrypt a data.txt file, use the openssl command as follows:
$ openssl enc -aes-256-cbc -salt -in data.txt -out data.txt.enc
$ openssl enc -aes-256-cbc -d -in data.txt.enc -out data.txt

That's because of gpg-agent, a daemon that manages private keys and is used as a backend for gpg. It caches your passphrases for some time by default. You can configure that with the following options (from man gpg-agent):
--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset. To set an entry's maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
One way to clear the cache is to reload gpg-agent: gpgconf --reload gpg-agent
You can use gpg -c myfile && gpgconf --reload gpg-agent to encrypt your file, after which the password will be asked for again if you try to decrypt it with gpg myfile.gpg

Related

Can I encrypt/decrypt files the same way openssl does using node:crypto?

I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl enc -e -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
and decrypted with
openssl enc -d -aes-256-cbc -base64 -salt -in "$filein" -out "$fileout" -k "$key"
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching stackoverflow but don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example I can't work out how to get the iv to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.

openssl decryption works even with modified key

I executed the below command and generated a random key
openssl rand -hex 45
and it generated me
524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c1c
I then encrypted my file with OpenSSL using this. When I tried to decrypt, I just changed the last two characters like this:
524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c2d
and now when I try to decrypt, it still works and decrypts the file... what could be wrong? Below is my decrypt command:
export my_key=524ec7a76ad9140087232b8e278c03d4bc121fdfd0e4f13a6bd16959a81e2d289b5edcf0848b435fc201fc4c2d
openssl enc -aes-256-cbc -d -in my-secret-encrypted.enc -K $my_key -iv 9 > my-secret.txt

Encrypting a stream that terminates abruptly

I'm trying to encrypt a stdout stream to a file located on a removable drive.
However, as the drive can be removed at an arbitrary time, I am wondering how to manage this?
I have tried using openssl and a 256-bit AES cipher but unsurprisingly I get block length errors on the decrypt.
My bash scripts do this:
Encrypt:
openssl aes-256-cbc -a -salt -pass file:"$KEY_FILE"
Decrypt:
openssl aes-256-cbc -d -a -pass file:"$KEY_FILE"
Unfortunately I'm on an embedded system so not many binaries included beyond what is necessary. Bash and openssl are present however.

Clear GPG Cache/Password after Encryption in Linux Terminal

I am very annoyed with the GPG encryption process in the Linux terminal, I encrypt files with GPG from the terminal with the following command:
gpg --output file_out --symmetric --cipher-algo AES256 file_in
This command has been recommended here since GPG is a reliable encryption package.
The problem is that after entering the password and encrypting the file, the password doesn't get deleted. So anyone who has access to the PC can decrypt this file, and it only gets deleted after I restart the computer.
So if I enter the decryption command right after:
gpg --output file_in --decrypt file_out
It will give this message
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
And it will decrypt this automatically. So the password is stored somewhere and it doesn't get deleted until I restart the computer.
Is there any way to clear/wipe the password right after the encryption is finished?
Simply reloading gpg-agent (instead of killing it) clears its passphrase cache. There are different methods to reload gpg-agent:
echo RELOADAGENT | gpg-connect-agent
gpgconf --reload gpg-agent
pkill -SIGHUP gpg-agent
The passphrase is saved by gpg-agent. GPG tools like gpg start it automatically.
Use gpgconf --kill gpg-agent to stop the agent.
Alternatively, you can add the --no-symkey-cache option, which disables the passphrase cache used for symmetric encryption and decryption.
gpg --no-symkey-cache --output file_out --symmetric --cipher-algo AES256 file_in
something like that.

Encrypt passwords in config.properties file

I am running a bunch of shell scripts which use the properties in a config.properties file. It has database connection details, passwords, etc.
I just want to encrypt the passwords, so that when someone looks at the properties file they shouldn't be able to use it.
Also I don't want to change the permissions on the file; I want only the passwords to be encrypted.
I know there are a few ways, like using Java or any encryption algorithm, but I don't want to use Java.
I am running the shell scripts on CentOS. Sample scripts look like below.
config.properties
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
# MY DB Password here is visible.. I want to encrypt this
DatabasePassword=password123
script.sh
#sourcing the above properties file here
source ./config.properties
export PGPASSWORD=${DatabasePassword}
psql -h ${DatabaseHostName} -p ${DatabasePort} ${DatabaseUserName} -c "select * from table_name;"
Both my files are under the same folder.
Here's the problem: whatever encryption you put in the file, you'd need to be able to reverse it in the script. So anyone who can see the script can figure out how to decode the passwords.
command encrypt:
echo 'hoge' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > pass.rsa
command decrypt:
openssl rsautl -decrypt -inkey /root/.ssh/id_rsa -in pass.rsa
config modify (replace the literal value with the decrypt command, which runs when the file is sourced):
DatabasePassword=S03EXE -> DatabasePassword=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in pass.rsa)
