Encrypting a tar or gz (gzip) File with OpenSSL

When you have sensitive data that you need to transmit but want to make it easy to encrypt and decrypt it, use some standard tools to get the job done!

I recently had an issue where a client was using OS X laptops running an admin panel written in PHP on MAMP, in an environment that may or may not have an internet connection. The problem was that they needed to be able to dump their database data into an encrypted file so that they could send the data off once they got a connection (via email, upload, who knows). My initial response was to use gpg to encrypt the file and hand out the keys to the people who would eventually be reading the data.

Turns out, this was going to be a nightmare and I needed something ‘easier’. How about encrypting a tar file with OpenSSL? Bingo! This solution uses utilities that are already on the machine, and no installations need to be performed. That mattered because the laptops running this software will be spread all over the world, in the hands of people with varying levels of technical acumen, and making sure every single laptop has been updated correctly would be a nightmare.

Encrypting Your File

tar and gzip the file, then encrypt the archive with OpenSSL using des3 and a secret key.

That simple!

Decrypting Your File

Essentially, just call all the commands in the reverse order.
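As an added example, not from the original post: a pair of shell functions that run the tar, gzip and openssl steps as pipelines in each direction, plus a round trip on constructed sample data to confirm the restored file matches the original. It assumes OpenSSL 1.1.1 or newer (for -pbkdf2) and uses aes-256-cbc with a salt, as the first comment recommends, in place of des3; the passphrase is read from a file rather than passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (for
# -pbkdf2), plus tar, gzip and cmp on PATH. Uses aes-256-cbc with a salt
# instead of des3, and reads the passphrase from a file so it never
# appears on the command line (where ps could show it).
set -eu

# encrypt_dir <dir> <out.tgz.enc> <passfile>: tar -> gzip -> openssl, one pipeline.
encrypt_dir() {
  tar -cf - -C "$(dirname "$1")" "$(basename "$1")" \
    | gzip -c \
    | openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$3" -out "$2"
}

# decrypt_to <in.tgz.enc> <destdir> <passfile>: the same steps in reverse order.
decrypt_to() {
  mkdir -p "$2"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$3" -in "$1" \
    | gzip -dc \
    | tar -xf - -C "$2"
}

# has_salt_header <file>: true if the file starts with OpenSSL's "Salted__"
# magic, i.e. -salt took effect and a per-file salt was stored in the output.
has_salt_header() {
  [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# roundtrip_demo: constructed sample dump and passphrase; returns 0 only if
# the output is salted and the restored file is byte-identical to the original.
roundtrip_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/dump"
  printf 'id,name\n1,alice\n2,bob\n' > "$work/dump/db.csv"     # constructed data
  printf 'correct horse battery staple\n' > "$work/pass"        # constructed passphrase
  encrypt_dir "$work/dump" "$work/dump.tgz.enc" "$work/pass"
  decrypt_to "$work/dump.tgz.enc" "$work/restored" "$work/pass"
  rc=1
  if has_salt_header "$work/dump.tgz.enc" \
     && cmp -s "$work/dump/db.csv" "$work/restored/dump/db.csv"; then
    rc=0
  fi
  rm -rf "$work"
  return "$rc"
}
```

Note that CBC mode provides confidentiality only: a wrong passphrase or a modified file is caught solely by the padding check at the end of decryption, so keep the gzip/tar failure of the pipeline and the cmp check as your signal that the data came back intact.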

Download the Utility Scripts

Download them!


3 Comments

  • PurpleAlien

    Personally I would still go for GPG, but the proposed solution works fine too. One caveat however: for both security and performance reasons, triple DES shouldn't be used. Instead, use 256 bit AES in cipher-block chaining mode together with a salt for the password like this:

    openssl enc -aes-256-cbc -salt -in input.txt -out output.enc

    You can decrypt the encrypted file as follows:

    openssl enc -d -aes-256-cbc -in output.enc

    Johan.

    • mustafaa

      I think if I was working with a larger file or wasn’t getting the performance I needed out of dd I would have looked for an alternative, though I wasn’t really aware that cat made that much of a difference!

      Thanks for the good info.

  • PurpleAlien

    I'll add here what I added to the relevant LinkedIn thread as well, just for completeness' sake:

    One additional thing: it probably makes sense to use cat instead of dd when operating on files. It is definitely faster (more efficient) than dd by default, since it uses a larger buffer and uses no memcpy(). You could increase that with dd, but then cat becomes shorter.

    Just to confirm:

    ltrace cat /dev/zero >/dev/null

    read(3, "", 32768) = 32768
    write(1, "", 32768) = 32768
    read(3, "", 32768) = 32768
    write(1, "", 32768) = 32768

    ltrace dd if=/dev/zero of=/dev/null

    read(0, "", 512) = 512
    memcpy(0x64f000, "", 512) = 0x64f000
    write(1, "", 512) = 512
    read(0, "", 512) = 512
    memcpy(0x64f000, "", 512) = 0x64f000
    write(1, "", 512) = 512

    Johan.