A Simple Encrypted Password File on OSX

    July 29, 2013

    Here's a really simple trick for keeping an encrypted file for passwords and other sensitive information on OS X or Linux. I use this to keep some basic password hints and account numbers on my computer.

    Once this is set up, you'll end up with a file called secrets.x, which you can decrypt with a simple command, and an easy way to update the file if needed. You'll also be able to embed the encrypted data in a JPG image to hide it from casual observers.

    Create the Encrypted File

    You shouldn't need to install anything special for this to work; all the programs needed are built into OS X.

    First, create the plaintext file with a text editor, and call it secrets.txt. (We'll delete this file when we're done.)

    Once you have the file, encrypt it using OpenSSL, and delete the original:

    $ openssl des3 -salt -out secrets.x -in secrets.txt
    $ rm secrets.txt
    

    Running the openssl command will prompt you to create a password and verify it. After you've entered your new password twice, it will write a file, secrets.x, which is encrypted with that password.

    Choosing a Password

    Because des3 is a symmetric cipher rather than public/private key encryption, the same password is used to decrypt the file. With public key encryption, the public key would be used to encrypt the file and the private key to decrypt it, instead of a password. As such, this method relies on you being able to remember the password, or, if you're sending an encrypted file to someone, being able to share the password with them in a secure manner.

    Obviously sending a password to someone in plaintext isn't a good idea. Unless, of course, the password was something that otherwise looked innocuous. You could use a URL of a web page as the password so that you could send the URL to someone and it would just look like sharing a link with them!

    Decrypt the File

    Now, when you need to look at the contents of the encrypted file, you can decrypt it and print it to the terminal with a single command:

    $ openssl des3 -salt -d -in secrets.x
    

    This will prompt you for the password you entered previously. You should see the result in your terminal.

    Editing the File

    If you need to make changes to the file, decrypt it to a plaintext file, edit that, encrypt it again, and delete the plaintext.

    $ openssl des3 -salt -d -in secrets.x -out secrets.txt
    $ vim secrets.txt
    $ openssl des3 -salt -out secrets.x -in secrets.txt
    $ rm secrets.txt
    

    Note: If you can come up with a way to edit the file in memory without saving to a temp file first, please let me know! I wasn't able to find a simple text editor that could read from stdin and write to stdout. Ideally I'd like to run a command something like this:

    $ openssl des3 -salt -d -in secrets.x | interactive_editor | openssl des3 -salt -out secrets.x
    

    Bonus: Hiding the encrypted file in a JPG image

    If you're worried about someone finding the secrets.x file on your computer and trying a brute-force attack on it, you could try a simple technique like hiding the encrypted file in a JPG image. This is not a perfect technique, but it is simple enough that a casual observer wouldn't notice anything unusual if they stumbled across the JPG file.

    It turns out JPG files are fairly tolerant of trailing data: decoders stop reading at the end-of-image marker, so you can append arbitrary bytes to the end of a JPG and most programs, such as OS X Preview and QuickLook, will open it just fine.

    Given a photo, source.jpg and a secret file, secrets.x, you can combine them into a new JPG like this:

    $ (cat source.jpg; echo -n "-----"; cat secrets.x) > photo.jpg
    

    Now, photo.jpg will open fine in most programs, and you won't see anything unusual. But if you inspect the file, you'll notice at the end there are five hyphens followed by your encrypted file, which starts with "Salted__". To extract and decrypt this file, you can use this simple PHP script piped to openssl.

    <?php
    // Print the encrypted payload that follows the "-----" marker so it can be
    // piped to openssl. Matching "-----Salted__" rather than a bare "-----"
    // avoids stopping early at a run of hyphens inside the image data itself.
    if (preg_match('/-----(Salted__.+)/s', file_get_contents($argv[1]), $match)) {
      echo $match[1];
    }

    Save this file as extract.php, then use it like this:

    $ php extract.php photo.jpg | openssl des3 -salt -d
    

    After entering your password, you'll see the plaintext output of your encrypted file in your terminal!
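    The whole round trip from this post (encrypt, hide in a JPG, extract, decrypt) as one scripted, non-interactive example. This is added here and is not code from the original post; it assumes openssl is on PATH, passes the password with -pass pass:... instead of the interactive prompt, and constructs all of its inputs, including a stand-in JPG that deliberately contains a decoy run of hyphens.

```shell
#!/bin/sh
# Added example, not code from the original post: the article's whole round
# trip (encrypt, hide in a JPG, extract, decrypt) run non-interactively.
# Assumptions: openssl is on PATH and the password is supplied with
# -pass pass:... instead of the interactive prompt; all inputs are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWORD='correct horse battery staple'   # constructed sample password

# `openssl des3` in the post is shorthand for `openssl enc -des3`. -salt makes
# the output begin with the 8-byte "Salted__" header the post mentions. On
# OpenSSL 1.1.1+ adding -pbkdf2 to both commands slows offline password
# guessing considerably; it is left out here to match the post's file format.
encrypt_file() {  # $1 = plaintext path, $2 = ciphertext path
  openssl enc -des3 -salt -pass "pass:$PASSWORD" -in "$1" -out "$2"
}
decrypt_file() {  # $1 = ciphertext path; plaintext goes to stdout
  openssl enc -des3 -d -pass "pass:$PASSWORD" -in "$1"
}

# Append "-----" and the ciphertext to a JPEG, as in the post. printf replaces
# `echo -n`, whose behaviour differs between shells.
embed_in_jpg() {  # $1 = source jpg, $2 = ciphertext, $3 = output jpg
  { cat "$1"; printf '%s' '-----'; cat "$2"; } > "$3"
}

# Shell counterpart of the post's extract.php. It looks for "-----Salted__"
# rather than a bare "-----", so hyphens inside the image data (a JPEG comment,
# say) are not mistaken for the marker.
extract_from_jpg() {  # $1 = jpg with embedded secret; ciphertext to stdout
  offset=$(LC_ALL=C grep -abo -- '-----Salted__' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$offset" ] || { echo "no embedded secret found in $1" >&2; return 1; }
  tail -c +"$((offset + 6))" "$1"   # +6: skip 5 hyphens, tail is 1-based
}

# Constructed inputs: a tiny stand-in "JPEG" (SOI ... EOI markers) that even
# contains a decoy run of hyphens, and a one-line secrets file.
printf '\377\330\377\340-----decoy-----\377\331' > "$WORK/source.jpg"
printf 'bank pin hint: first pet\n' > "$WORK/secrets.txt"
encrypt_file "$WORK/secrets.txt" "$WORK/secrets.x"
rm "$WORK/secrets.txt"
embed_in_jpg "$WORK/source.jpg" "$WORK/secrets.x" "$WORK/photo.jpg"

roundtrip() {  # extracts and decrypts photo.jpg, printing the recovered text
  extract_from_jpg "$WORK/photo.jpg" > "$WORK/extracted.x"
  decrypt_file "$WORK/extracted.x"
}
roundtrip
```

    The decoy hyphens in the stand-in image are what would break the bare "-----" match; keying on the "Salted__" header sidesteps that.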


    If you have any suggestions for improvements to these tricks, please let me know!

    Mon, Jul 29, 2013 1:42am -07:00 #security #password #encryption