release 2.2.0

Append extension during encryption

AUTHORS.md

@@ -1 +1,4 @@
 - Justin Keller ([nodesocket](https://github.com/nodesocket))
+- Manuel Wildauer ([int9h](https://github.com/int9h))
+- Adam Daniels ([adam12](https://github.com/adam12))
+- Nicolas Le Gall ([Darkitty](https://github.com/Darkitty))

CHANGELOG.md

@@ -1,2 +1,32 @@
 CHANGELOG
 =========
+
+## 2.2.0 - *7/10/2020*
+
+- Append `.aes` file extension instead of substituting when encrypting.
+- Use derivation function _(-pbkdf2)_ when encrypting. See [pull request](https://github.com/nodesocket/cryptr/pull/3).
+
+## 2.1.1 - *3/25/2019*
+
+- Updated the notice text when using environment variable `CRYPTR_PASSWORD` for the password.
+- Updated `tests/test.bash`.
+- Bump copyright year to 2019.
+
+## 2.1.0 - *10/4/2017*
+
+- You may now define the password to use when encrypting and decrypting using the `CRYPTR_PASSWORD` environment variable. This change enables non-interactive/batch operations.
+
+- Added a test script `tests/test.bash`.
+
+## 2.0.1 - *10/2/2017*
+
+- Small optimization, removed unneeded function `cryptr_info()`.
+
+## 2.0.0 - *10/2/2017*
+
+*BREAKING CHANGE*
+- Increased the OpenSSL key size to *256bit* from *128bit*. Any files encrypted with version `1.0.0` must be decrypted with version `1.0.0`. 
+
+## 1.0.0 - *10/1/2017*
+
+- Initial release.

LICENSE.txt

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2017 Justin Keller
+   Copyright 2019 Justin Keller
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,6 +1,6 @@
 # cryptr
 
-##### A simple shell utility for encrypting and decrypting files.
+#### A simple shell utility for encrypting and decrypting files using OpenSSL.
 
 ## Installation
 
@@ -9,43 +9,58 @@ git clone https://github.com/nodesocket/cryptr.git
 ln -s "$PWD"/cryptr/cryptr.bash /usr/local/bin/cryptr
 ```
 
+### Bash tab completion
+
+Add `tools/cryptr-bash-completion.bash` to your tab completion file directory.
+
 ## API/Commands
 
 ### encrypt
 
-> encrypt \<file\> - Encryptes file with OpenSSL AES-128 cipher block chaining. Writes an encrypted file out *(ciphertext)* appending `.aes` extension.
+> encrypt \<file\> - Encryptes file with OpenSSL AES-256 cipher block chaining. Writes an encrypted file out *(ciphertext)* appending `.aes` extension.
 
 ```
-➜ cryptr encrypt ./secrets-file
+➜ cryptr encrypt ./secret-file
-enter aes-128-cbc encryption password:
+enter aes-256-cbc encryption password:
-Verifying - enter aes-128-cbc encryption password:
+Verifying - enter aes-256-cbc encryption password:
 ```
 
 ```
-➜ ll
+➜ ls -alh
--rw-r--r--  1 user  group   1.0G Oct  1 13:33 secrets-file
+-rw-r--r--  1 user  group   1.0G Oct  1 13:33 secret-file
--rw-r--r--  1 user  group   1.0G Oct  1 13:34 secrets-file.aes
+-rw-r--r--  1 user  group   1.0G Oct  1 13:34 secret-file.aes
 ```
 
+You may optionally define the password to use when encrypting using the `CRYPTR_PASSWORD` environment variable. This enables non-interactive/batch operations.
+
+```
+➜ CRYPTR_PASSWORD=A1EO7S9SsQYcPChOr47n cryptr encrypt ./secret-file
+```
 
 ### decrypt
 
-> decrypt \<file.aes\> - Decrypt encrypted file using OpenSSL AES-128 cipher block chaining. Writes a decrypted file out *(plaintext)* removing `.aes` extension.
+> decrypt \<file.aes\> - Decrypt encrypted file using OpenSSL AES-256 cipher block chaining. Writes a decrypted file out *(plaintext)* removing `.aes` extension.
 
 ```
-➜ ll
+➜ ls -alh
--rw-r--r--  1 user  group   1.0G Oct  1 13:34 secrets-file.aes
+-rw-r--r--  1 user  group   1.0G Oct  1 13:34 secret-file.aes
 ```
 
 ```
-➜ cryptr decrypt secrets-file.aes
+➜ cryptr decrypt ./secret-file.aes
-enter aes-128-cbc decryption password:
+enter aes-256-cbc decryption password:
 ```
 
 ```
-➜ ll
+➜ ls -alh
--rw-r--r--  1 user  group   1.0G Oct  1 13:35 secrets-file
+-rw-r--r--  1 user  group   1.0G Oct  1 13:35 secret-file
--rw-r--r--  1 user  group   1.0G Oct  1 13:34 secrets-file.aes
+-rw-r--r--  1 user  group   1.0G Oct  1 13:34 secret-file.aes
+```
+
+You may optionally define the password to use when decrypting using the `CRYPTR_PASSWORD` environment variable. This enables non-interactive/batch operations.
+
+```
+➜ CRYPTR_PASSWORD=A1EO7S9SsQYcPChOr47n cryptr decrypt ./secret-file.aes
 ```
 
 ### help
@@ -69,7 +84,7 @@ Usage: cryptr command <command-specific-options>
 
 ```
 ➜ cryptr version
-cryptr 1.0.0
+cryptr 2.2.0
 ```
 
 ### default
@@ -78,7 +93,7 @@ cryptr 1.0.0
 
 ```
 ➜ cryptr
-cryptr 1.0.0
+cryptr 2.2.0
 
 Usage: cryptr command <command-specific-options>
 
@@ -115,7 +130,7 @@ For more information on semantic versioning, visit http://semver.org/.
 
 ## License & Legal
 
-Copyright 2017 Justin Keller
+Copyright 2019 Justin Keller
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cryptr.bash

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 ###############################################################################
-# Copyright 2017 Justin Keller
+# Copyright 2019 Justin Keller
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,17 +18,13 @@
 
 set -eo pipefail; [[ $TRACE ]] && set -x
 
-readonly VERSION="1.0.0"
+readonly VERSION="2.2.0"
+readonly OPENSSL_CIPHER_TYPE="aes-256-cbc"
 
 cryptr_version() {
   echo "cryptr $VERSION"
 }
 
-cryptr_info() {
-  cryptr_version
-  echo
-}
-
 cryptr_help() {
   echo "Usage: cryptr command <command-specific-options>"
   echo
@@ -44,28 +40,39 @@ EOF
 cryptr_encrypt() {
   local _file="$1"
   if [[ ! -f "$_file" ]]; then
-    echo "File not found or invalid" 1>&2
+    echo "File not found" 1>&2
     exit 4
   fi
 
-  openssl aes-128-cbc -salt -in "$_file" -out "$_file".aes
+  if [[ ! -z "${CRYPTR_PASSWORD}" ]]; then
+    echo "[notice] using environment variable CRYPTR_PASSWORD for the password"
+    openssl $OPENSSL_CIPHER_TYPE -salt -pbkdf2 -in "$_file" -out "${_file}.aes" -pass env:CRYPTR_PASSWORD
+  else
+    openssl $OPENSSL_CIPHER_TYPE -salt -pbkdf2 -in "$_file" -out "${_file}.aes"
+  fi
 }
 
 cryptr_decrypt() {
 local _file="$1"
   if [[ ! -f "$_file" ]]; then
-    echo "File not found or invalid" 1>&2
+    echo "File not found" 1>&2
     exit 5
   fi
 
-  openssl aes-128-cbc -d -salt -in "$_file" -out "${_file%\.aes}"
+  if [[ ! -z "${CRYPTR_PASSWORD}" ]]; then
+    echo "[notice] using environment variable CRYPTR_PASSWORD for the password"
+    openssl $OPENSSL_CIPHER_TYPE -d -salt -pbkdf2 -in "$_file" -out "${_file%\.aes}" -pass env:CRYPTR_PASSWORD
+  else
+    openssl $OPENSSL_CIPHER_TYPE -d -salt -pbkdf2 -in "$_file" -out "${_file%\.aes}"
+  fi
 }
 
 cryptr_main() {
   local _command="$1"
 
   if [[ -z $_command ]]; then
-    cryptr_info
+    cryptr_version
+    echo
     cryptr_help
     exit 0
   fi
@@ -89,7 +96,7 @@ cryptr_main() {
       ;;
 
     *)
-      cryptr_help >&2
+      cryptr_help 1>&2
       exit 3
   esac
 }

tests/test.bash

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eo pipefail; [[ $TRACE ]] && set -x
+
+plaintext=$(mktemp /tmp/cryptr.XXXXXXXX)
+dd if=/dev/urandom bs=4096 count=256 2> /dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c262144 > "$plaintext"
+plaintext_sha=($(openssl dgst -sha256 "$plaintext"))
+
+export CRYPTR_PASSWORD
+CRYPTR_PASSWORD=$(dd if=/dev/urandom bs=200 count=1 2> /dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c32)
+
+cryptr encrypt "$plaintext"
+rm -f "$plaintext"
+
+if [[ ! -f "$plaintext".aes ]]; then
+    printf "Encrypted out file %s was not created" "$plaintext".aes 1>&2
+    exit 3
+fi
+
+cryptr decrypt "$plaintext".aes
+
+decrypted_sha=($(openssl dgst -sha256 "$plaintext"))
+
+rm -f "$plaintext".aes
+rm -f "$plaintext"
+
+if [ "${plaintext_sha[1]}" != "${decrypted_sha[1]}" ]; then
+    printf "Hash mismatch\n\t%s != %s" "${plaintext_sha[1]}" "${decrypted_sha[1]}" 1>&2
+    exit 4
+fi

tools/cryptr-bash-completion.bash

@@ -0,0 +1,14 @@
+_cryptr_complete()
+{
+     local cur_word prev_word type_list
+     COMPREPLY=()
+     cur_word="${COMP_WORDS[COMP_CWORD]}"
+     prev_word="${COMP_WORDS[COMP_CWORD-1]}"
+ 
+     opts='encrypt decrypt'
+ 
+     COMPREPLY=( $(compgen -W "${opts}" -- ${cur_word}) )
+     return 0
+}
+ 
+complete -F _cryptr_complete cryptr.bash cryptr