LinuxQuestions.org
Old 10-30-2024, 04:42 AM   #1
primuspaul
LQ Newbie
 
Registered: Sep 2018
Posts: 26

Rep: Reputation: Disabled
Question how to in bash encrypt a tar file with password string included in said bash file?


Currently tar is creating a file, but what is a good way to encrypt it with a password?

Last edited by primuspaul; 10-30-2024 at 11:29 AM.
 
Old 10-30-2024, 04:53 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 23,009

Rep: Reputation: 7627
it was already told here: https://www.linuxquestions.org/quest...2/#post6535354
 
Old 10-30-2024, 04:57 AM   #3
primuspaul
LQ Newbie
 
Registered: Sep 2018
Posts: 26

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
Should I use zip -P or zip -e ?
 
Old 10-30-2024, 05:17 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,582
Blog Entries: 4

Rep: Reputation: 3878
Quote:
Originally Posted by primuspaul View Post
Should I use zip -P or zip -e ?
Neither. Pipe it through GnuPG (gpg) or Sequoia (sq) instead. That way it is not only more secure but you do not have to use a password to do the encryption.
 
Old 10-30-2024, 05:19 AM   #5
primuspaul
LQ Newbie
 
Registered: Sep 2018
Posts: 26

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Neither. Pipe it through GnuPG (gpg) or Sequoia (sq) instead. That way it is not only more secure but you do not have to use a password to do the encryption.
So where would the password/decrypt key get entered? I read that solution before and was a bit confused, since many of the commands either didn't mention a password or required its entry as a prompt after the command was run, which wouldn't work if it's supposed to be a bash script run by cron automatically.
 
Old 10-30-2024, 05:25 AM   #6
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 23,009

Rep: Reputation: 7627
You need to save a password/passkey in a file if you want to use it in scripts.
Otherwise these tools will ask the user to type in that password.
 
Old 10-30-2024, 05:34 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,582
Blog Entries: 4

Rep: Reputation: 3878
Quote:
Originally Posted by primuspaul View Post
So where would the password/decrypt key get entered? I read that solution before and was a bit confused, since many of the commands either didn't mention a password or required its entry as a prompt after the command was run, which wouldn't work if it's supposed to be a bash script run by cron automatically.
No password or passphrase is needed for encryption. That's just how PKE works. So it is perfect for cron and other automation when you wish to back things up. The file primuspaul.pgp below should contain the public OpenPGP key.

Code:
cd /source/
tar -zcf - ./somewhere/ \
        | sq encrypt --recipient-cert primuspaul.pgp > somewhere.tar.gz.pgp

# XOR

cd /source/
tar -zcf - ./somewhere/ \
        | gpg --encrypt --recipient primuspaul@example.com > somewhere.tar.gz.pgp
However, you will need the passphrase for decryption. The file primuspaul.pvt.pgp contains the private half of the relevant key pair.

Code:
cd /destination/
cat somewhere.tar.gz.pgp | sq decrypt --recipient-key primuspaul.pvt.pgp \
        | tar -zxf - 

# XOR

cd /destination/
cat somewhere.tar.gz.pgp | gpg --decrypt | tar -zxf -
Or something like that.

PS. Keep in mind that if even a single bit flips, you've lost the whole tarball. So keep lots of backups of your backups.

Last edited by Turbocapitalist; 10-30-2024 at 05:37 AM.
 
Old 10-30-2024, 08:05 AM   #8
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 4,935
Blog Entries: 1

Rep: Reputation: 1893
Twenty years ago I used these commands, they might still work:
Code:
openssl idea -salt -pass pass:'alakazam' -in secret.tgz -out /floppy/secret.tgz.enc
openssl idea -d -pass pass:'alakazam' -in /floppy/secret.tgz.enc -out secret.tgz
 
Old 10-30-2024, 09:31 AM   #9
primuspaul
LQ Newbie
 
Registered: Sep 2018
Posts: 26

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
No password or passphrase is needed for encryption. That's just how PKE works. So it is perfect for cron and other automation when you wish to back things up. The file primuspaul.pgp below should contain the public OpenPGP key.

Code:
cd /source/
tar -zcf - ./somewhere/ \
        | sq encrypt --recipient-cert primuspaul.pgp > somewhere.tar.gz.pgp

# XOR

cd /source/
tar -zcf - ./somewhere/ \
        | gpg --encrypt --recipient primuspaul@example.com > somewhere.tar.gz.pgp
However, you will need the passphrase for decryption. The file primuspaul.pvt.pgp contains the private half of the relevant key pair.

Code:
cd /destination/
cat somewhere.tar.gz.pgp | sq decrypt --recipient-key primuspaul.pvt.pgp \
        | tar -zxf - 

# XOR

cd /destination/
cat somewhere.tar.gz.pgp | gpg --decrypt | tar -zxf -
Or something like that.

PS. Keep in mind that if even a single bit flips, you've lost the whole tarball. So keep lots of backups of your backups.
I figured as much, but is it possible to use a simpler command with an in-line password? The server in question is only accessed by me and only used for one thing, so when I say secure, I mean I just want the encryption to be good enough that most hackers would give up on brute-forcing an unknown archive. I'd rather just use an in-line password and make it fairly long to make brute forcing harder. Also the whole point of the archive is catastrophic hard drive failure of the server, so if for some reason the key changes after I copy it, the whole thing will be totally lost. What is my simplest option here?
 
Old 10-30-2024, 09:33 AM   #10
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,582
Blog Entries: 4

Rep: Reputation: 3878
Quote:
Originally Posted by primuspaul View Post
What is my simplest option here?
As mentioned, either sq or gpg.
 
Old 10-30-2024, 09:44 AM   #11
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 23,009

Rep: Reputation: 7627
Something like this may work:
Code:
#this will create an encrypted file:
gpg -c --passphrase <your password> file.tgz
#this will decrypt it:
gpg -d --passphrase <your password> file.tgz.gpg
should be added after the tar (to encrypt) and before untar (to decrypt).
 
Old 10-30-2024, 10:03 AM   #12
primuspaul
LQ Newbie
 
Registered: Sep 2018
Posts: 26

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
Something like this may work:
Code:
#this will create an encrypted file:
gpg -c --passphrase <your password> file.tgz
#this will decrypt it:
gpg -d --passphrase <your password> file.tgz.gpg
should be added after the tar (to encrypt) and before untar (to decrypt).
When I run the sh script it still asks me for a password despite using the
Code:
--passphrase "mypassword"
flag

EDIT: --batch flag fixed this I think.

Last edited by primuspaul; 10-30-2024 at 10:05 AM. Reason: add flag
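
An added example, not code from any poster in this thread: one way to do the unattended symmetric encryption discussed in posts #6, #11 and #12, with the passphrase kept in a mode-600 file (as post #6 suggests) rather than inline on the gpg command line, where any local user could read it from the process list. The function names and paths are hypothetical, and `stat -c` assumes GNU coreutils, as on the Debian system this thread is tagged with.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): unattended symmetric encryption of a
# tar stream. File names are constructed; stat -c assumes GNU coreutils.

# Make a failing tar fail the whole pipeline where the shell supports it.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# Refuse a passphrase file that group or other users could read.
check_passfile() {
    [ -f "$1" ] || { echo "no passphrase file: $1" >&2; return 1; }
    case $(stat -c '%a' "$1") in
        600|400) return 0 ;;
        *) echo "refusing $1: mode must be 600 or 400" >&2; return 1 ;;
    esac
}

# encrypt_dir SRC_DIR OUT_FILE PASSFILE
# The passphrase is read from PASSFILE, so it never appears in the process
# list; --batch makes gpg use it instead of prompting (what post #12 hit).
encrypt_dir() {
    check_passfile "$3" || return 1
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    ( umask 077
      tar -C "$(dirname "$1")" -zcf - "$(basename "$1")" \
        | gpg --batch --yes --pinentry-mode loopback \
              --passphrase-file "$3" --symmetric --cipher-algo AES256 \
              --output "$2.part" ) \
      && mv -f "$2.part" "$2" \
      || { rm -f "$2.part"; return 1; }
}

# verify_archive ENC_FILE PASSFILE
# Decrypts to a pipe and lists the members; a wrong passphrase or a damaged
# file gives a non-zero status, so cron can report it.
verify_archive() {
    check_passfile "$2" || return 1
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --decrypt "$1" | tar -ztf -
}

# Example cron usage (constructed paths):
#   encrypt_dir /srv/data /backup/data.tar.gz.gpg /root/.backup-pass \
#     && verify_archive /backup/data.tar.gz.gpg /root/.backup-pass >/dev/null
```

gpg reads only the first line of the passphrase file, and a copy of that passphrase has to be kept somewhere other than the server, or the archive cannot be restored after the disk failure it is meant to cover.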
 
  

