filecrypt – OpenSSL file encryption


Uses OpenSSL library to encrypt a file using a private/public key pair and a one-time secret.


A full description of the process can be found here.


This uses a YAML file to describe the configuration; by default it assumes it is in /etc/filecrypt/conf.yml but its location can be specified using the -f flag.

The structure of the conf.yml file is as follows:

    private: /home/bob/.ssh/secret.pem
    public: /home/bob/.ssh/
    secrets: /opt/store/

store: /home/bob/encrypt/stores.csv

# Where to store the encrypted file; the folder MUST already exist and the user
# have write permissions.
out: /data/store/enc

# Whether to securely delete the original plain-text file (optional, default true).
shred: false

The private/public keys are a key-pair generated using the openssl genrsa command; the encryption key used to actually encrypt the file will be created in the secrets folder, and afterward encrypted using the public key and stored in the location provided.

The name will be pass-key-nnn.enc, where nnn will be a random value between 000 and 999, that has not been already used for a file in that folder.

The name of the secret passphrase can also be defined by the user, using the --secret option (specify the full path, it will be left unmodified):

  • if it does not exist a random secure one will be created, used for encryption, then encrypted and saved with the given path, while the plain-text temporary version securely destroyed; OR
  • if it is the name of an already existing file, it will be decrypted, used to encrypt the file, then left unchanged on disk.

We recommend NOT to re-use encryption passphrases, but always generate new ones.

NOTE it is currently not possible to specify a plain-text passphrase: we always assume that the given file has been encrypted using the private key.

The store file is a CSV list of:

"Original archive","Encryption key","Encrypted archive"

a new line will be appended at the end; any comments will be left unchanged.


Always use the --help option to see the most up-to-date options available; anyway, the basic usage is (assuming the example configuration shown above is saved in /opt/enc/conf.yml): -f /opt/enc/conf.yml /data/store/201511_data.tar.gz

will create an encrypted copy of the file to be stored as /data/store/201511_data.tar.gz.enc, the original file will not be securely destroyed (using shred) and the new encryption key to be stored, encrypted in /opt/store/pass-key-778.enc.

A new line will be appended to /home/bob/encrypt/stores.csv:



We recommend testing your configuration and command-line options on test files: shred erases files in a terminal way that is not recoverable: if you mess up, you will lose data.

You have been warned.


The code has been uploaded to github.

See the requirements.txt to install required Python libraries:

pip install -r requirements.txt

(the use of a virtualenv is recommended here).

To install OpenSSL in Ubuntu see this page, but it boils down essentially to:

 sudo apt-get install -y openssl



2 responses to “filecrypt – OpenSSL file encryption”

  1. […] four years after its initial inception and release, I have entirely rewritten the CLI invocation, streamlined […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: