24

I have a string, which is actually a password. I want to encrypt the string and store the encrypted result in a parameter file. Later, during execution of a script, that encrypted string will be picked up and decrypted at run time. So I want to know how to encrypt and decrypt a string/text in a Linux environment?

Koushik Chandra
  • see http://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files ? – OznOg Nov 15 '15 at 10:26
  • The only concern is that it asks for a password during encryption and decryption, which I don't want. Can we set this up passwordless? – Koushik Chandra Nov 15 '15 at 11:10

3 Answers

41

This isn't quite what was being asked for here but it shows a simple way to do this without a password prompt

Using:

```
openssl version
LibreSSL 2.8.3
```

encode.sh

```bash
#!/usr/bin/env bash

# Encrypt the first argument with AES-256-CBC; -a prints the result as base64.
echo "$1" | openssl aes-256-cbc -a -salt -pass pass:somepassword
```

decode.sh

```bash
#!/usr/bin/env bash

# Decrypt (-d) the base64 (-a) ciphertext given as the first argument.
echo "$1" | openssl aes-256-cbc -d -a -pass pass:somepassword
```

make files executable

```bash
chmod +x encode.sh decode.sh
```

encode example

```bash
./encode.sh "this is my test string"
# => U2FsdGVkX18fjSHGEzTXU08q+GG2I4xrV+GGtfDLg+T3vxpllUc/IHnRWLgoUl9q
```

decode example

```bash
./decode.sh U2FsdGVkX18fjSHGEzTXU08q+GG2I4xrV+GGtfDLg+T3vxpllUc/IHnRWLgoUl9q
# => this is my test string
```
casonadams
  • Might be good to add the `-pbkdf2` flag to each, too – Justin Aug 05 '21 at 20:30
  • Indeed the proposed commands now show *** WARNING : deprecated key derivation used. – MappaM Aug 02 '22 at 08:43
  • Those commands should use `echo -n "$1"`, otherwise `echo`'s trailing '\n' will be part of the encrypted string. If this string is used from somewhere else (e.g. a UI), where you cannot enter the newline explicitly, de-/encryption will fail. – flederwiesel Oct 22 '22 at 15:41
  • Just a side note - when you use OpenSSL to encrypt you will need to use OpenSSL to decrypt as well. The same regarding OpenSSL on OSX (LibreSSL). – JackTheKnife Aug 16 '23 at 19:52
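
As an added example (not from either answer), the sketch below combines the points raised in the comments above: `-pbkdf2` key derivation, and `printf '%s'` instead of `echo` so that no trailing newline is encrypted. It also reads the passphrase from an owner-only key file via `-pass file:` instead of placing it on the command line, where `pass:` arguments are visible in process listings; the `KEYFILE` path and the function names are assumptions, and an `openssl` build that supports `-pbkdf2` is required.

```bash
#!/usr/bin/env bash
# Added example: KEYFILE location and function names are assumptions,
# not part of the original answers.

KEYFILE="${KEYFILE:-$HOME/.config/param.key}"

# Create a random passphrase file once, readable only by its owner.
init_key() {
  [ -s "$KEYFILE" ] && return 0
  mkdir -p "$(dirname "$KEYFILE")"
  ( umask 077 && openssl rand -base64 32 > "$KEYFILE" )
}

# Encrypt $1 and print one base64 line (-a -A) for the parameter file.
# printf '%s' keeps echo's trailing newline out of the plaintext.
encrypt_string() {
  printf '%s' "$1" |
    openssl enc -aes-256-cbc -pbkdf2 -salt -a -A -pass "file:$KEYFILE"
}

# Decrypt the single-line base64 ciphertext in $1 and print the plaintext.
decrypt_string() {
  printf '%s\n' "$1" |
    openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass "file:$KEYFILE"
}
```

Store the output of `encrypt_string` in the parameter file and call `decrypt_string` on it at run time. Anyone who can read both the key file and the parameter file can recover the password, so the protection rests on the key file's permissions.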
6

openssl can do it better.

encode:

```bash
$ secret=$(echo "this is a secret." | openssl enc -e -des3 -base64 -pass pass:mypasswd -pbkdf2)
```

decode:

```bash
$ echo "${secret}" | openssl enc -d -des3 -base64 -pass pass:mypasswd -pbkdf2
```

tips:

  • you can remove the -pass arg and input the password at the prompt.
zhanw15
  • This answer is great but unfortunately openssl doesn't support url safe base64 encoding so this won't work for my use case. A proposal was put forward but as of this writing it isn't being worked on. – tommyc38 Mar 24 '23 at 04:43
1

using gpg

this is file based but can use stdin

This method requires gpg keys to be available.

encrypt.sh

```bash
#!/usr/bin/env bash

# Input file is the first argument; the recipient comes from $RECIPIENT.
input_file="${1? must provide an input file}"
recipient="${RECIPIENT? must provide recipient email}"
output_file="${input_file}.gpg"

# Encrypt to the recipient's public key, sign, and write ASCII-armored output.
gpg \
  --quiet \
  --output "${output_file}" \
  --encrypt \
  --sign \
  --armor \
  --recipient "${recipient}" \
  "${input_file}" \
  ;
```

decrypt.sh

```bash
#!/usr/bin/env bash

input_file="${1? must provide an input file}"
# Strip the .gpg suffix to get the output file name.
output_file=${input_file%.gpg}

gpg \
  --output "${output_file}" \
  --decrypt "${input_file}" \
  ;
```

```bash
chmod +x encrypt.sh decrypt.sh
```

  • Create a file to test with

```yaml
# test.yml
secret: "Hello World"
pin: 3918
```

encrypt

*must have billy@proton.me public key*

```bash
RECIPIENT=billy@proton.me ./encrypt.sh test.yml
```

This creates test.yml.gpg

decrypt

*must have billy@proton.me secret key*

```bash
./decrypt.sh test.yml.gpg
```
casonadams