Uses OpenSSL library to encrypt a file using a private/public key pair and a one-time secret.
A full description of the process can be found here.
This uses a YAML file to describe the configuration; by default it assumes it is in
/etc/filecrypt/conf.yml but its location can be specified using the
The structure of the
conf.yml file is as follows:
keys: private: /home/bob/.ssh/secret.pem public: /home/bob/.ssh/secret.pub secrets: /opt/store/ store: /home/bob/encrypt/stores.csv # Where to store the encrypted file; the folder MUST already exist and the user # have write permissions. out: /data/store/enc # Whether to securely delete the original plain-text file (optional, default true). shred: false
public keys are a key-pair generated using the
openssl genrsa command; the encryption key used to actually encrypt the file will be created in the
secrets folder, and afterward encrypted using the
public key and stored in the location provided.
The name will be
nnn will be a random value between
999, that has not been already used for a file in that folder.
The name of the secret passphrase can also be defined by the user, using the
--secret option (specify the full path, it will be left unmodified):
- if it does not exist a random secure one will be created, used for encryption, then encrypted and saved with the given path, while the plain-text temporary version securely destroyed; OR
- if it is the name of an already existing file, it will be decrypted, used to encrypt the file, then left unchanged on disk.
We recommend NOT to re-use encryption passphrases, but always generate new ones.
NOTE it is currently not possible to specify a plain-text passphrase: we always assume that the given file has been encrypted using the
store file is a CSV list of:
"Original archive","Encryption key","Encrypted archive" 201511_data.tar.gz,/opt/store/pass-key-001.enc,201511_data.tar.gz.enc
a new line will be appended at the end; any comments will be left unchanged.
Always use the
--help option to see the most up-to-date options available; anyway, the basic usage is (assuming the example configuration shown above is saved in
filecrypt.py -f /opt/enc/conf.yml /data/store/201511_data.tar.gz
will create an encrypted copy of the file to be stored as
/data/store/201511_data.tar.gz.enc, the original file will not be securely destroyed (using
shred) and the new encryption key to be stored, encrypted in
A new line will be appended to
We recommend testing your configuration and command-line options on test files:
shrederases files in a terminal way that is not recoverable: if you mess up, you will lose data.
You have been warned.
The code has been uploaded to github.
requirements.txt to install required Python libraries:
pip install -r requirements.txt
(the use of a
virtualenv is recommended here).
sudo apt-get install -y openssl
- a detailed HOW-TO with the steps to encrypt a file manually;
- the original Ask Ubuntu post;
- Ubuntu guide to OpenSSL.