Here's a really simple trick for keeping an encrypted file for passwords and other sensitive information on OS X or Linux. I use this to keep some basic password hints and account numbers on my computer.
Once this is set up, you'll end up with a file called secrets.x which you can decrypt with a simple command, and an easy way to update the file if needed. You'll also be able to embed the encrypted data in a JPG image to hide it from casual observers.
Create the Encrypted File
You shouldn't need to install anything special for this to work; all the programs needed are built in to OS X.
First, create the plaintext file with a text editor, and call it secrets.txt. (We'll delete this file when we're done.)
Once you have the file, encrypt it using OpenSSL, and delete the original:
$ openssl des3 -salt -out secrets.x -in secrets.txt
$ rm secrets.txt
Running the openssl command will prompt you to create a password and verify it. After you've entered your new password twice, it will write a file, secrets.x, which is encrypted with the password.
Choosing a Password
Because des3 is a symmetric cipher rather than public/private key encryption, the same password that encrypts the file is also used to decrypt it. With a public key encryption method, the public key would be used to encrypt the file and the private key would be used to decrypt it, instead of a password. As such, this method relies on you being able to remember the password or, if you're sending an encrypted file to someone, being able to share the password with them in a secure manner.
Obviously sending a password to someone in plaintext isn't a good idea. Unless, of course, the password was something that otherwise looked innocuous. You could use a URL of a web page as the password so that you could send the URL to someone and it would just look like sharing a link with them!
Decrypt the File
Now when you need to look at the contents of the encrypted file, you can decrypt it and print to the terminal with a single command:
$ openssl des3 -salt -d -in secrets.x
This will prompt you for the password you entered previously. You should see the result in your terminal.
Editing the File
If you need to make changes to the file, you can decrypt the file and output to a normal file, edit the file, and save it again.
$ openssl des3 -salt -d -in secrets.x -out secrets.txt
$ vim secrets.txt
$ openssl des3 -salt -out secrets.x -in secrets.txt
$ rm secrets.txt
Note: If you can come up with a way to edit the file in memory without saving to a temp file first please let me know! I wasn't able to find a simple text editor that could read from stdin and write to stdout. Ideally I'd like to run a command something like this:
$ openssl des3 -salt -d -in secrets.x | interactive_editor | openssl des3 -salt -out secrets.x
Bonus: Hiding the encrypted file in a JPG image
If you're worried about someone finding the secrets.x file on your computer and trying a brute-force attack on it, you could try a simple technique like hiding the encrypted file in a JPG image. This is not a perfect technique, but it is simple enough that a casual observer wouldn't notice anything unusual if they stumbled across the JPG file.
Turns out JPG files are somewhat resilient to corruption, so you can actually append arbitrary text to the end of a JPG and most programs such as OS X Preview and QuickLook will open it just fine.
Given a photo, source.jpg, and a secret file, secrets.x, you can combine them into a new JPG like this:
$ (cat source.jpg; echo -n "-----"; cat secrets.x) > photo.jpg
Now, photo.jpg will open fine in most programs, and you won't see anything unusual. But if you inspect the file, you'll notice at the end there are five hyphens followed by your encrypted file, which starts with "Salted". To extract and decrypt this file, you can use this simple PHP script piped to openssl.
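<?php
// Print everything after the "-----" separator. Anchoring on OpenSSL's
// "Salted__" header avoids matching five hyphens inside the image data.
if (preg_match('/-----(Salted__.+)/s', file_get_contents($argv[1]), $match)) {
    echo $match[1];
}
?>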
Save this file as extract.php, then use it like this:
$ php extract.php photo.jpg | openssl des3 -salt -d
After entering your password, you'll see the plaintext output of your encrypted file in your terminal!
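The appended data is easy to locate by structure rather than by separator, which is also how a defender would spot it. The following Python sketch is an added example, not code from the original post: it walks the JPEG segments to the real end-of-image marker and reports whatever follows, so hyphens or end markers inside metadata are not mistaken for the boundary. The function names and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

SALTED = b"Salted__"  # magic `openssl enc -salt` writes ahead of the 8-byte salt
SEP = b"-----"        # separator this post puts between image and ciphertext

def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, marker starts one later
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                 # EOI: the image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                       # TEM / RSTn carry no length field
        if pos + 2 > len(data):
            break
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # skip segment body
        if marker == 0xDA:                 # SOS: entropy-coded scan data follows
            while True:
                pos = data.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(data):
                    raise ValueError("scan data runs past end of file")
                if data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
                    pos += 2               # stuffed 0xFF or restart marker
                    continue
                break                      # a real marker; outer loop handles it
    raise ValueError("no EOI marker found")

def inspect(data: bytes) -> dict:
    """Report what follows the image and pull out an OpenSSL salted blob."""
    trailer = data[jpeg_end(data):]
    body = trailer[len(SEP):] if trailer.startswith(SEP) else trailer
    return {"trailing_bytes": len(trailer),
            "openssl_salted": body.startswith(SALTED),
            "payload": body}

def constructed_sample() -> bytes:
    """Constructed bytes with JPEG framing only (not a viewable image)."""
    app1 = b"\xff\xe1" + struct.pack(">H", 11) + b"-----\xff\xd9xy"
    scan = b"\xff\xda" + struct.pack(">H", 3) + b"\x00\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9"
```

Any non-zero `trailing_bytes` on a JPEG is worth a second look, and `openssl_salted` identifies the blob as OpenSSL password-encrypted output without needing the password.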
If you have any suggestions for improvements to these tricks, please let me know!