Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Compress & Encrypt to Disk Using OpenSSL in Bash Without Exposing Password
#
# This is the simplest and cleanest way I've come up with for securely compressing (gzip, in this example) & encrypting data to disk with OpenSSL from a bash script without exposing the password to inspection of process or environment variable using `ps` and the likes. Naturally, `cat` is just used as an example so the data can come from anywhere. If the compressed data is to be sent via email instead of written to disk, don't use '-out' and use '-a' to base64 encode the compressed data.
#
# References:
# http://www.madboa.com/geek/openssl/#encrypt-simple
# http://unix.stackexchange.com/questions/29111/safe-way-to-pass-password-for-1-programs-in-bash#answer-29186
# http://stackoverflow.com/questions/6607675/shell-script-password-security-of-command-line-parameters/6607773#6607773
# https://gist.github.com/philfreo/2321650
cat "$file" | gzip -c | openssl enc -e -salt -aes-256-cbc -pass fd:3 -out "$file.gz.enc" 3<<<"$password"
# the above can be decrypted with the following (requiring manual password input, but that can be worked around using a file descriptor & here string as above):
openssl enc -d -aes-256-cbc -in "$file.gz.enc" | gunzip -c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.