Originally Posted by eantoranz
Would it be easier to use mcrypt instead?
mcrypt is good, with much of the configuration (encryption method to use) set via environment variables.
However, when I looked at it I noted that...
1/ The passphrase can not be provided by a file descriptor.
For example you can not make use of a GUI password prompter (like "ssh-askpass")
Though perhaps a named pipe can be substituted.
2/ It also does not use the PBKDF2 iterative hashing of the passphrase to cryptographic key
(just like "openssl enc")
That second point was why I ended up creating the "encrypt.pl" script. It also does not read the passphrase from a file descriptor, but as it is interpreted perl, that can be easily added as a future option.
ASIDE: I have updated the "encrypt" script so that its ability to decrypt "openssl enc" files is performed using the Crypt::CBC perl module. This was done to avoid the need to call the "openssl" command from the perl, and to validate that the actual AES data encryption used is the same. The script just uses the improved passphrase hashing technique for added security.
I would prefer to see openssl enc improved with the same hashing technique. It has all the parts, just needs to be implemented on command line (with appropriate file magic change).
NOTE: You may also like to look at my "ks" script which saves encrypted files in hashed filenames in a "key store", (looks like an EncFS filesystem but actually isn't). It also stores a command (and other information) with the encrypted data, and normally uses that command to process the encrypted data.
That command can be a simple 'read-only display' program.
More commonly, it is an encrypted file system mounting command, which uses the encrypted data,
(the master key and configuration data for that mount) to do the mount. This means the user's
password unlocks the key-store. The key store unlocks and mounts the larger EncFS directory-level encrypted file system, (which may be kept 'in-the-cloud').
This separates encryption info from the encrypted file system (more secure), uses a stronger binary key for the actual encrypted file system, and allows users to change their password, without needing to re-encrypt that whole file system. LUKS dm-crypt under Linux also uses a similar technique.
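The two points raised in the post (reading the passphrase from a file descriptor, and deriving the key with iterated PBKDF2 rather than the single-pass hashing that "openssl enc" used) are shown together below as an added example in Python. It is not the poster's "encrypt.pl" or "ks" script and not part of the original thread; the function names, the 100000-iteration count and the sample passphrase/salt are assumptions made here. The legacy derivation reproduces the EVP_BytesToKey construction (MD5 of previous block || passphrase || salt, repeated until enough key and IV bytes exist) so the cost difference between the two schemes can be counted directly.

```python
import hashlib
import math
import os


def legacy_evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """Single-pass derivation in the style of EVP_BytesToKey with MD5 (what
    "openssl enc" used before -pbkdf2 existed). Returns (key, iv).
    Each 16-byte block costs exactly one MD5 call, so a password guess is cheap."""
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key(passphrase: bytes, salt: bytes, iterations: int = 100_000, key_len: int = 32) -> bytes:
    """Iterated derivation: PBKDF2-HMAC-SHA256, the technique the post wants
    "openssl enc" to adopt. The iteration count is a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, key_len)


def hash_calls_per_guess(scheme: str, iterations: int = 100_000, key_len: int = 32, iv_len: int = 16) -> int:
    """Count underlying hash invocations an attacker pays per password guess.
    legacy: one MD5 per 16-byte output block.
    pbkdf2: one HMAC per iteration per 32-byte block; each HMAC-SHA256 is two SHA-256 calls."""
    if scheme == "legacy":
        return math.ceil((key_len + iv_len) / 16)
    if scheme == "pbkdf2":
        return math.ceil(key_len / 32) * iterations * 2
    raise ValueError(f"unknown scheme {scheme!r}")


def read_passphrase_from_fd(fd: int) -> bytes:
    """Read a passphrase from an already-open file descriptor (e.g. a pipe fed by
    a GUI prompter such as ssh-askpass, or a named pipe). Reads until EOF and
    strips one trailing newline, as prompters normally append one."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    data = b"".join(chunks)
    return data[:-1] if data.endswith(b"\n") else data


def derive_key_from_fd(fd: int, salt: bytes, iterations: int = 100_000) -> bytes:
    """Combine both points: passphrase arrives on a descriptor, key comes from PBKDF2."""
    return pbkdf2_key(read_passphrase_from_fd(fd), salt, iterations)


def demo_pipe_passphrase(secret: bytes) -> bytes:
    """Simulate a prompter writing the passphrase into a pipe, then consume it.
    Constructed purely for demonstration; a real caller would inherit the fd."""
    r, w = os.pipe()
    os.write(w, secret)
    os.close(w)
    try:
        return read_passphrase_from_fd(r)
    finally:
        os.close(r)


if __name__ == "__main__":
    # Constructed sample inputs; a real tool would use os.urandom(8) or more for the salt.
    passphrase, salt = b"correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08"
    key, iv = legacy_evp_bytes_to_key(passphrase, salt)
    print("legacy key:", key.hex(), "iv:", iv.hex())
    print("pbkdf2 key:", pbkdf2_key(passphrase, salt).hex())
    print("hash calls per guess, legacy:", hash_calls_per_guess("legacy"))
    print("hash calls per guess, pbkdf2:", hash_calls_per_guess("pbkdf2"))
    print("passphrase via pipe:", demo_pipe_passphrase(b"from-askpass\n"))
```

The salt must still be stored alongside the ciphertext (as "openssl enc" does in its "Salted__" header) so the same key can be re-derived on decryption; only the passphrase stays secret. The work-factor count is what makes offline guessing of a weak passphrase expensive, which is the reason the post gives for preferring PBKDF2.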