LinuxQuestions.org


KenJackson 10-31-2012 09:09 PM

Can I use SSH to encrypt/decrypt a file like gpg?
 
The manpage for msmtp lists this example configuration line. It sets the password for SMTP authentication to whatever the command following passwordeval writes to stdout.
Code:

passwordeval gpg -d ~/.msmtp.password.gpg
I don't currently use gpg, but if I understand and I want the easiest operation, I will have to create a gpg key and have keychain prompt me for the passphrase every time I reboot. Keychain already prompts me for my SSH passphrase, but I'd like to avoid being prompted for more than one.

So the question is, is there any way I can make SSH or an OpenSSH-cooperative program spit out a password for this application?

Turbocapitalist 11-01-2012 07:54 AM

gpg -c
 
ssh will not encrypt files, just the connection between machines. However, you do not need a key to use gpg to encrypt. "gpg -c somefile" will encrypt somefile using a passphrase; "gpg somefile.gpg" will decrypt the file using a passphrase. It's very simple.

Noway2 11-01-2012 08:54 AM

I think you are getting a couple of different technologies confused. SSH, or Secure SHell is a means to gain remote access to the computer using a cryptographically secured method. It uses both asynchronous and synchronous ciphers, the former for secure authentication. SMTP Authentication is a means to authenticate to a mail server. There are several different means to provide SMTP authentication, including plain text and password hashing. Probably the most common is to use plain authentication over SSL or TLS, in which case the SMTP does not use any cryptography but it is provided via the SSL and TLS, which also uses asynchronous and synchronous ciphers in different parts of the exchange. The same type of techniques are also used for viewing HTTPS websites. GPG/PGP uses asynchronous encryption to encrypt and decrypt files and text.

What most of these have in common is the use of cipher keys. Specifically, the use of a "public" and "private" key which are part of the asynchronous encryption. The public key, which is mathematically related to the private key, can be used to encrypt a message while the private key can be used to decrypt it. The concept of keychain gets into "signing" or an authentication of the keys themselves. It is important to know that the keys haven't been tampered with to prevent a "man in the middle" situation as well as to gain assurance that you're talking to the desired party.

The private keys are oftentimes stored in an encrypted format and protected by a password. In order to utilize the keys, the password needs to be entered. If a server process, such as your mail or web server wants to make use of these protected keys, you will need to enter the password on start up. Depending on your risk acceptance and other factors, this may pose operational difficulties, for example with a remote server where you can't easily enter the password on start up. In these cases, you can strip the password from the key.

The SSL tool suite, which is different than SSH, provides all sorts of capabilities for working with these keys, including removing passwords, and key signing. I have provided a link to a site that I think provides a pretty good overview of how the key process works and how to use the tools. It is oriented more towards Apache, but the same keys/certificates can be used for SMTP authentication too.

KenJackson 11-01-2012 10:46 AM

I'm not doing SMTP Authentication, I'm providing my password to the msmtp program.

So far I've hardcoded the password in the configuration file. That's not terrible security, but it would be slightly better if I could keep it encrypted until needed, but not have to type in a password every time I send email.

I use SSH a lot. Encryption and decryption is central to its function. In fact, someone even adapted that capability to mount a file system securely, sshfs. I'm just wondering if anyone has adapted the capability a little differently to encrypt a file locally. It would be a handy capability.

unSpawn 11-01-2012 12:21 PM

Maybe see http://dev.gentoo.org/~tomka/mail.html, http://jason.the-graham.com/2011/01/...r_offlineimap/ and http://simple-and-basic.com/2008/10/...e-keyring.html wrt integrating msmtp in gnome-keyring?

sundialsvcs 11-02-2012 09:18 AM

ssh is a tunneling protocol, as is VPN, and probably the best way to handle communications e.g. with msmtp (and both with regard to logging-in and everything else) is to use this approach to secure the entire tunnel. If you know that the entire connection is secure, you don't have to worry further about the messages that are sent across it.

gpg is a file-encryption system that doesn't do tunneling.

Both of them are capable of doing public-key based encryption, and of ensuring the data-integrity of content.

ph0rty 11-07-2012 08:01 PM

OpenSSL maybe?
 
Hi there

perhaps you were wanting to use openssl?

something like:
openssl enc -e -des3 -in <anyfile> -out <encryptedfile.enc>
you will be prompted for encryption password/phrase, and again to confirm.
to decrypt:
openssl enc -d -des3 -in <encryptedfile.enc> -out <anyfile>

(just remember to delete the normal file once encrypted, if you want the contents to remain 'unknown', else someone may just open that and not bother trying to guess [ good luck to that! ] your password ;) )
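Added example, not part of the original thread or of any poster's reply: a non-interactive round trip of the `openssl enc` commands above, using AES-256-CBC with `-pbkdf2` (OpenSSL 1.1.1 or later assumed) in place of `-des3`, and decrypting to stdout as a `passwordeval` command must. The function names, passphrase and password are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: names, passphrase and password are not from the thread.
# Assumes OpenSSL 1.1.1 or later for -pbkdf2 and -iter.

# encrypt_secret PASSFILE INFILE OUTFILE
encrypt_secret() {
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_secret PASSFILE ENCFILE
# Plaintext goes to stdout, which is where msmtp's passwordeval reads it.
# CBC carries no integrity check: a wrong passphrase usually ends in
# "bad decrypt", but that is a padding error, not authentication.
decrypt_secret() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$1" -in "$2"
}

# roundtrip_demo [DECRYPT_PASSPHRASE]
# Encrypts a constructed password, deletes the plaintext, then prints what
# decryption recovers. The optional argument swaps the decryption passphrase.
roundtrip_demo() {
    d=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory
    rc=0
    printf '%s\n' 'constructed-demo-passphrase' > "$d/pass"
    printf '%s\n' 'constructed-mail-password' > "$d/plain"
    encrypt_secret "$d/pass" "$d/plain" "$d/secret.enc" || rc=$?
    rm -f "$d/plain"                    # only the ciphertext stays on disk
    printf '%s\n' "${1:-constructed-demo-passphrase}" > "$d/pass"
    if [ "$rc" -eq 0 ]; then
        decrypt_secret "$d/pass" "$d/secret.enc" || rc=$?
    fi
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = demo ]; then roundtrip_demo; fi
```

Reading the passphrase from a file is only so the demo runs unattended; a passphrase stored beside the ciphertext protects nothing. Leaving out `-pass` makes openssl prompt on every decryption.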

KenJackson 11-08-2012 05:12 AM

Quote:

Originally Posted by ph0rty (Post 4824634)
... you will be prompted for encryption password/phrase, ...

You didn't say, but I expect I would be prompted for that password/phrase every time I send an email. That would be much worse than entering it once at bootup for GPG with keychain.

The only reason I asked about SSH (actually OpenSSH) was to make my one passphrase do double duty for both remote access and decrypting a password file locally. But no one has even hinted that there's any mechanism for the latter.

However, I am interested in openssl for other things. And it seems to have a confusing, non-intuitive command structure. So thank you for the example.

unSpawn 11-08-2012 06:20 AM

Quote:

Originally Posted by KenJackson (Post 4819358)
if I understand and I want the easiest operation, I will have to create a gpg key

No you don't understand and I already pointed out the easiest way to integrate it in an existing keyring in reply #5 BTW.

ph0rty 11-09-2012 03:16 AM

OpenSSL maybe? - but not for your requirement
 
Quote:

Originally Posted by KenJackson (Post 4824854)
You didn't say, but I expect I would be prompted for that password/phrase every time I send an email. That would be much worse than entering it once at bootup for GPG with keychain.

The only reason I asked about SSH (actually OpenSSH) was to make my one passphrase do double duty for both remote access and decrypting a password file locally. But no one has even hinted that there's any mechanism for the latter.

However, I am interested in openssl for other things. And it seems to have a confusing, non-intuitive command structure. So thank you for the example.

(Since I didn't actually provide you anything that would have worked for your actual requirement/question) - You are most welcome [ I just read want to encrypt blahblahblah - so, *coff* sorry ]


All times are GMT -5.