Author: Paolo Lulli <paolo@lulli.net>
add Readme
README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ x509crypt | 6 ++++--
diff --git a/README.md b/README.md index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..2ad0f430388b56448bd757af265748fb639ce73a 100644 --- a/README.md +++ b/README.md @@ -0,0 +1,57 @@ +# X509Crypt + +X509Crypt is a script to encrypt files that makes use of PKCS#7 and public keys from a recipient's X509 certificates. +The encryption schema is the same adopted for S/MIME encrypted emails. + +With X509Crypt you can encrypt a file in a format that only the desired recipient will be able to read/decrypt. + +## Motivation + +Have a simple mechanism in place for encrypting backups without publishing a private key. + +Remote machines can encrypt the data on a backup server without disclosing the content and the private key, +which is sensible information. + +In this way it is possible to host on the same storage content that is encrypted for distinct recipients +without disclosing the keys. + +Each recipient cannot decrypt a message that is not aimed at them, recipients can only decrypt their own data. + +In a modern 'Cloud' scenario you cannot really trust the provider not to disclose the data, in this way, +only the legit owner of the information is able to decrypt the data: either who encrypted it in the first place, +or the legit recipient. + +The server part is only responsible for the data persistence, but not for the content itself, which is sole +ownership of the user or service that detains the proper decryption keys. + +## How does it work + +X509Crypt works on top of Openssl commandline and uses the 'smime' subcommand with binary optioni. +This actually means it is usingi the PKCS#7 / CMS encryption scheme. + +- RSA is used for the keypair generation +- AES-256-CBC is used for the encryption + +## Commandline Options + +``` +x509crypt <profile> -e <file> : Encrypt <file> (safety checks) +x509crypt <profile> -E <file> : Encrypt <file> +x509crypt <profile> -d <file> : Decrypt <file> +x509crypt <profile> -g : Generate keys +x509crypt <profile> -x : eXport pub key +x509crypt <profile> -s : export private key +x509crypt <profile> -X : eXport pub key details +x509crypt <profile> -i <file> : Import pub key +x509crypt -l : List profiles + +``` + +## Licensing + +The code is freely available under GPL License +see: [COPYING](/x509crypt.git/tree/master/COPYING) + +Additional commercial support and licensing are available on request. Just issue a [support request](https://kevwe.com/message) +and mention you are interested in [cert-signer]() + diff --git a/x509crypt b/x509crypt index 0fcbc9962ebc754dc2280b9339d3d82643122a86..cc51175bddae47faf2258b79be4e68c706d552a2 100755 --- a/x509crypt +++ b/x509crypt @@ -110,8 +110,8 @@ test -d $CONFIG_DIR/$profile_name || echo "profile: [$profile_name] does not exist, EXIT" test -d $CONFIG_DIR/$profile_name || exit 1 decrypted_file=$1".cleartext" CONFIG_CERT_NAME=${profile_name} - #openssl smime -decrypt -binary -in $1 -inform DER -out $decrypted_file -inkey $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.key -passin pass:your_password - openssl smime -decrypt -binary -in $1 -inform DER -out $decrypted_file -inkey $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.key + openssl smime -decrypt -binary -in $1 -inform DER -out $decrypted_file -inkey $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.key -passin pass:your_password + #openssl smime -decrypt -binary -in $1 -inform DER -out $decrypted_file -inkey $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.key } file_encrypt(){ @@ -126,6 +126,8 @@ encrypted_file=$1".enc" CONFIG_CERT_NAME=${profile_name} openssl smime -encrypt -binary -aes-256-cbc -in $1 -out $encrypted_file -outform DER $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.crt + # NOT BINARY ! + #openssl smime -encrypt -aes-256-cbc -in $1 -out $encrypted_file -outform PEM $CONFIG_DIR/$profile_name/certs/$CONFIG_CERT_NAME.crt } file_import(){