Solved

How can I encrypt a file using shell script?

Posted on 2010-09-15
Last Modified: 2012-06-27
How can I encrypt a file before sftp'ing it. I am creating a text file
and I want to encrypt that file with same name and sftp it
to a remote server. I am using shell script to create text file then sftp'ing this file.
Somewhere in the shell script I like to encrypt this file before sftp'ing it to remote
server. Please advise.
Question by:IT_ETL
14 Comments
 
LVL 3

Expert Comment

by:gremwell
ID: 33686592
There are many ways to encrypt a file; which one is the best for you depends on what key(s) or password you want to use to encrypt and decrypt the file.

If you are encrypting and sftp'ing the file for backup purposes, you could use GPG (http://www.madboa.com/geek/gpg-quickstart/)
 1) Generate encryption keys and assign it a passphrase
 2) Store a copy of your private key in a safe place and make sure you don't forget the passphrase.
 3) Use your public key to encrypt the file before upload. This operation will not require the passphrase.
When necessary, you can decrypt the file using the private key and the passphrase.

If you are encrypting the file and transferring it to another person you can use the same approach, but ask your correspondent to provide you with their public key. Alternatively, you can encrypt the file with a password (fixed or automatically generated using 'pwgen') with the same gpg, or zip, or 7zip, depending on what formats your correspondent supports.
 

Author Comment

by:IT_ETL
ID: 33686659
Could you provide an example that can be used in a shell script?
 
LVL 3

Expert Comment

by:gremwell
ID: 33688807
You don't specify what you need to do; I have provided two possible options in the previous comment.

If you are doing a backup, use GPG to generate a key (need to do it once, not in the script):
           gpg --gen-key

In the script use the following command:
           gpg --encrypt --recipient YOURNAME MYFILE

The encrypted file will appear as MYFILE.gpg. In the above command replace YOURNAME with the name you provided during the key generation step. (You can list your current keys with the 'gpg -K' command.)
 
LVL 3

Expert Comment

by:T1750
ID: 33691243
If you don't need public key and don't mind having the passphrase on the command line...

$ cat test
Hello
Hi
$ gpg --no-tty --batch --passphrase 'your password' --symmetric test && scp test.gpg yottagray:/encrypted
test.gpg                                                                                                     100%   52     0.1KB/s   00:00    
$ ssh yottagray cat /encrypted | gpg --no-tty --batch --passphrase 'your password' --decrypt - 2>/dev/null
Hello
Hi

 
LVL 3

Expert Comment

by:T1750
ID: 33691309
for use in a shell script (you can use public key or symmetric it doesn't matter):
if gpg --no-tty --batch --passphrase 'your password' --symmetric test; then
    scp test.gpg user@yourhost:/where
else
    echo "Encryption failed. Probably because you did this before and test.gpg already exists."
    echo "Consider not using scp at all and simply piping the results of gpg"
    echo "to stdout to an ssh connection"
fi

 
LVL 3

Expert Comment

by:T1750
ID: 33691351
In fact I'll provide an example of that too for you.
$ cat test
Hello
Hi
$ gpg --no-tty --batch --passphrase 'your password' --symmetric --output - test | ssh yottagray 'cat >/foo'
$ ssh yottagray cat /foo | gpg --no-tty --batch --passphrase 'your password' --decrypt - 2>/dev/null
Hello
Hi
$

 

Author Comment

by:IT_ETL
ID: 33697335
I already got the public key and password. How do I set up the config file as well as other files using this public key and password in my local directory? I believe once everything is set then I can just add a few lines of code to encrypt the file, then sftp this file to the remote server. Example code is below. Please suggest how I accomplish the above two steps.

gpg --default-recipient $GPG_REC --encrypt $outputFile
cd $KSH_LOCAL_DIR
SFTP put $KSH_HOST $KSH_HOST_DIR $outputFile
 
LVL 3

Expert Comment

by:gremwell
ID: 33698973
Your gpg commands are correct. Please note that it will not encrypt the file in place, but create a new file with a .gpg suffix. In the related topic (http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Q_26476181.html#a33698966) I have asked you to provide more info about the 'SFTP' command you are using.
 
LVL 3

Expert Comment

by:T1750
ID: 33699326
You don't need to SCP it at all; you can directly create the encrypted file over the ssh connection, essentially "SCP" it at once with the command I showed you above. Now that I know more about your environment and requirements, the exact command would be:

cd $KSH_LOCAL_DIR
# encrypt the input file to stdout and write the ciphertext straight into the remote file
gpg --no-tty --batch --default-recipient $GPG_REC --encrypt --output - $THE_FILE_YOU_ARE_ENCRYPTING | ssh $KSH_HOST "cat >$KSH_HOST_DIR/$outputFile"
 
LVL 3

Expert Comment

by:T1750
ID: 33699336
This will only work, of course, if you have no passphrase on your ssh key. If you do, you have to re-add the --passphrase 'YOUR PASSWORD' option to the command above before the | or a variant such as:

--passphrase-file /path/to/file/with/password/int
 
LVL 3

Expert Comment

by:T1750
ID: 33699348
If you insist on making a file locally to SCP, all the above applies except remove

--output -

And everything after and including the |
 

Author Comment

by:IT_ETL
ID: 33730250
I need a little more help. I have done the following. I have imported the public key (cm-pubkey.asc) into the local directory using the following command at the prompt

$ gpg --import < cm-pubkey.asc

I do see the above public key at the following location: /home/local_dir/.gnupg/pubring.gpg

Now in a shell script I am gpg'ing this file, then SFTP'ing this file to the remote server using the code below

cd $KSH_LOCAL_DIR
gpg --default-recipient $GPG_REC --encrypt $outputFile
SFTP put $KSH_HOST $KSH_HOST_DIR $outputFile

How do I use the public key (cm-pubkey.asc) that was imported into the local directory to gpg the above file ($outputFile), or am I already using this public key to gpg the above file? There might be more than one key in the local directory. How do I write the code so that only the public key (cm-pubkey.asc) will be used to gpg this file ($outputFile)? Please suggest......

 
LVL 3

Accepted Solution

by: T1750 (earned 2000 total points)
ID: 33735245
Execute at the CLI

gpg --list-keys

You will see a list that looks something like this:


/home/local_dir/.gnupg/pubring.gpg
----------------------------
pub   2048R/DEADBEEF 2010-01-01
uid                  T1570
sub   2048R/FEEBDAED 2010-01-01

pub   2048R/ABCDEF12 2010-01-01
uid                  Data Encryption Key
sub   2048R/3456789A 2010-01-01

The lines you are interested in are the ones that start with pub; you want the key id, which is what appears after the /. In the above example the public key id for T1570 is DEADBEEF (2048R/DEADBEEF).

The gpg command you use is:

gpg --recipient DEADBEEF --encrypt $outputFile

So what you want to do is change --default-recipient to --recipient and set $GPG_REC, wherever you set that, to the key id you selected from the list.
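As an added example that is not part of the thread, tying together T1750's checked-encryption script and the accepted solution's advice to encrypt to one exact key: a POSIX sh snippet that resolves the key id from gpg's machine-readable `--with-colons` listing (the human-readable listing quoted in the answer changes between gpg versions), encrypts to that key with the overwrite flag the earlier script lacked, and uploads the .gpg file rather than the plaintext. The listing, host and directory names are constructed, and the function names are mine; gpg and sftp are the real tools with their real options.

```shell
#!/bin/sh
# Added example, not code from the thread. Picks the recipient key by its exact
# user id from machine-readable gpg output, encrypts to that key, and uploads
# the ciphertext (not the plaintext) with sftp. Host, paths and the listing
# below are constructed; gpg and sftp are the real tools.

# Constructed stand-in for `gpg --list-keys --with-colons` with two keys, like
# the thread's listing: field 5 of a pub record is the key id, field 10 of a
# uid record is the user id. This format is the stable one to parse.
SAMPLE_LISTING='pub:u:2048:1:1111111122222222:2010-01-01:::u:::scESC::::::
uid:u::::2010-01-01::0A1B2C::T1750::::::::::0:
sub:u:2048:1:3333333344444444:2010-01-01::::::e::::::
pub:u:2048:1:5555555566666666:2010-01-01:::u:::scESC::::::
uid:u::::2010-01-01::3D4E5F::Data Encryption Key::::::::::0:
sub:u:2048:1:7777777788888888:2010-01-01::::::e::::::'

# keyid_for_uid UID (listing on stdin): prints the key id of the pub record
# whose uid matches exactly; exits 1 if no such uid exists, so a typo cannot
# silently fall back to some other key the way --default-recipient would.
keyid_for_uid() {
    awk -F: -v want="$1" '
        $1 == "pub" { keyid = $5 }
        $1 == "uid" && $10 == want && keyid != "" { print keyid; found = 1; exit }
        END { exit !found }
    '
}

# encrypt_for_transfer FILE KEYID: writes FILE.gpg and prints its name.
# --batch --yes overwrites a stale FILE.gpg instead of aborting (the failure
# the thread's script reports); --recipient pins the key instead of a default.
encrypt_for_transfer() {
    out="$1.gpg"
    gpg --batch --yes --recipient "$2" --encrypt --output "$out" "$1" || return 1
    printf '%s\n' "$out"
}

# send_encrypted FILE UID USER@HOST REMOTE_DIR: the step the asker wanted in
# the script. Every stage is checked, so a gpg failure never leads to an upload.
send_encrypted() {
    keyid=$(gpg --list-keys --with-colons | keyid_for_uid "$2") ||
        { echo "no public key with uid '$2'" >&2; return 1; }
    out=$(encrypt_for_transfer "$1" "$keyid") || return 1
    # sftp -b - reads batch commands from stdin; only the .gpg file is put.
    printf 'put %s %s/%s\n' "$out" "$4" "$(basename "$out")" | sftp -b - "$3"
}

# Usage inside the asker's script (hypothetical variable names):
#   send_encrypted "$outputFile" "$GPG_REC" "$KSH_HOST" "$KSH_HOST_DIR"
```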
 

Author Closing Comment

by:IT_ETL
ID: 33735998
This resolves the problem.
