An encryption utility that is a work in progress. Decryption is having issues at the moment.

Goals:
- Used in place of, or in combination with, VeraCrypt
- Provide a mechanism by which secrets are unencrypted during use, but encrypted at rest
- Provide a secure way for files containing secrets to be processed by programs in plain text for simplicity, but be stored securely

Features:
- AES-GCM-256/PEM with additional data (to protect the PEM headers) instead of salted CBC-128
- AEAD (Authenticated Encryption with Additional Data) mode, which protects the plaintext PEM headers
- AES-GCM-256 authenticated encryption mode
- 16K-round PBKDF2 key derivation function with SHA3-256
- Cryptographic PRNG
A few make targets have been provided for convenience in building the docker container and running it:
- `make help` to see all available targets
- `make build` to build the docker container
- `make bash` to run a bash shell within the docker container
- `make example` to run grypt in the most basic case

Basic usage:
- `grypt -e -f /path/to/secret` takes the plaintext file and encrypts it
- `grypt -d -f /path/to/secret` takes the encrypted file and decrypts it. When grypt is SIGTERM'd, the file will be read in and re-encrypted using the same password
- `grypt -D -f /path/to/secret` takes the encrypted file and converts it into plain text
Run the grypt CLI from within a docker container to avoid complex dependency chains. Utilize mounted volumes to transfer data in & out of the docker container. Variables for simplicity:

```shell
LOCAL_SECRETS_PATH=/full/host/machine/path/to/secrets/
DOCKER_SECRETS_PATH=/secrets
```

- `docker run -it -v $LOCAL_SECRETS_PATH:$DOCKER_SECRETS_PATH --rm stevemcquaid/grypt:latest grypt -f $DOCKER_SECRETS_PATH/file -e` takes the plaintext file and encrypts it
- `docker run -it -v $LOCAL_SECRETS_PATH:$DOCKER_SECRETS_PATH --rm stevemcquaid/grypt:latest grypt -f $DOCKER_SECRETS_PATH/file -d` takes the encrypted file and decrypts it temporarily. Leave the docker container running for as long as you want the file to remain in plain text. When you ctrl-c/kill the docker container, grypt will be sent SIGTERM, and before quitting, the file will be read in again and re-encrypted using the same password
- `docker run -it -v $LOCAL_SECRETS_PATH:$DOCKER_SECRETS_PATH --rm stevemcquaid/grypt:latest grypt -f $DOCKER_SECRETS_PATH/file -D` takes the encrypted file and converts it into plain text
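The decrypt-then-re-encrypt-on-signal lifecycle described above, as an added example that is not grypt's code: `RunUnlocked` opens the file in place, blocks until a stop signal, then re-reads the file (so edits made while it was unlocked are kept) and writes the sealed form back. Each write goes through a temp file and rename so an interrupted write never leaves a half-written secret. The `toySeal`/`toyOpen` pair is a labelled stand-in for the real AES-GCM PEM codec (it only prefixes a marker and is not encryption); the subject of the block is the file lifecycle and signal handling, not the cipher. The function and type names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/signal"
	"path/filepath"
	"strings"
	"syscall"
)

// Transform is a "seal" or "open" step. In grypt this would be the AES-256-GCM PEM
// codec; the toy pair below is a labelled stand-in, not encryption.
type Transform func([]byte) ([]byte, error)

func toySeal(pt []byte) ([]byte, error) { return append([]byte("sealed:"), pt...), nil }

func toyOpen(ct []byte) ([]byte, error) {
	if !strings.HasPrefix(string(ct), "sealed:") {
		return nil, errors.New("not a sealed file")
	}
	return ct[len("sealed:"):], nil
}

// writeAtomic writes via temp file (created 0600 by CreateTemp) + fsync + rename, so
// an interrupted write never leaves a half-written secret or ciphertext at path.
func writeAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".grypt-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	_, werr := tmp.Write(data)
	if err := errors.Join(werr, tmp.Sync(), tmp.Close()); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// RunUnlocked is the `grypt -d` lifecycle: open the file in place, hold the key
// material in memory, and when stop fires re-read the file (keeping any edits the
// program made) and write the sealed form back. SIGKILL cannot be caught, so a
// `docker kill` or OOM kill leaves the plaintext on disk; only SIGTERM/SIGINT re-seal.
func RunUnlocked(path string, open, seal Transform, stop <-chan struct{}) error {
	ct, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	pt, err := open(ct)
	if err != nil {
		return err // wrong password or tampered ciphertext: leave the file untouched
	}
	if err := writeAtomic(path, pt); err != nil {
		return err
	}
	<-stop
	edited, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	sealed, err := seal(edited)
	if err != nil {
		return err
	}
	return writeAtomic(path, sealed)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: unlock <sealed-file>")
		os.Exit(2)
	}
	stop := make(chan struct{})
	sig := make(chan os.Signal, 1)
	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT) // Ctrl-C or `docker stop`
	go func() { <-sig; close(stop) }()
	fmt.Println("file is in plain text; SIGTERM/SIGINT re-seals it")
	if err := RunUnlocked(os.Args[1], toyOpen, toySeal, stop); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Build it, point it at a file whose content starts with `sealed:`, and send it SIGTERM or press Ctrl-C: the file is rewritten in plain text while the process lives and re-sealed on exit, including any edits made in the meantime. Two caveats matter when this runs under Docker: `docker stop` delivers SIGTERM (then SIGKILL after the grace period), while `docker kill` sends SIGKILL by default, which no process can catch, so the plaintext stays on disk; and a process running as PID 1 in a container receives only the signals it has explicitly installed handlers for, which is why `signal.Notify` is registered before the file is unlocked.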
TODO:
- Implement cleanup
  - Should re-encrypt if the -d flag is given, not re-encrypt if the -D flag is given
- Improve UX:

  ```
  grypt --encrypt -f /path/to/file
  > Please enter the password to encrypt:
  > Re-type password:
  ```

- Add 1 unit test
- More CLI flags:
  - Add verbose flag options
  - `--encrypt --decryptTemp --decryptForce --file --help`
  - Add flag for inline password: `grypt --encrypt -p password -f /path/to/file`
  - Add flag for inline keyfile: `grypt --encrypt -k /path/to/keyfile -f /path/to/file`
  - Add flag to change crypto or method
  - Add flag to change crypto strength
- Should be able to invoke a single line during a run script to allow this to work for other projects:

  ```shell
  grypt -d -p password -f /path/to/secret/file &  # Run grypt to decrypt the file and send it to the background
  GRYPT_PID=$!                                     # Get the pid to be able to easily kill it later
  myGreatProgram --config /path/to/secret/file     # Run my program using the file, now decrypted to plaintext
  kill $GRYPT_PID                                  # Kill grypt to automatically re-encrypt the file
  ```

- Multiple integration points:
  - Bash/filesystem
  - Docker/filesystem
  - Golang library