Enable passing the password as a command line argument. about encrypto HOT 41 CLOSED

You can use also the dotnet tool at version 1.0.6

https://www.nuget.org/packages/dotnet-encrypto

from encrypto.

@voroninp base64 file encoding supported at the latest version

from encrypto.

Hi @voroninp .

The output feature exists at the version 1.0.8

https://www.nuget.org/packages/dotnet-encrypto/1.0.8

from encrypto.

@tomchavakis Man you are a hero =)

from encrypto.

Hi @voroninp

I use the Environment.SpecialFolder.ApplicationData in Windows and Environment.SpecialFolder.UserProfile in Linux and OSX in order to store the encrypto.settings file.
This file stores the original and encrypted mapping filename in a JSON format.
So if you are going to delete the original file then the decryption process will restore the file at the original location.

You can use the version 1.1.0

dotnet tool install --global dotnet-encrypto --version 1.1.0

If you find any bugs or anything inappropriate just inform me to fix the issues.

Thanks again

from encrypto.

Hi @voroninp ,

You will find a new command-line parameter --local-output.
ex.
dotnet dotnet-encrypto.dll encrypt -i ~/Downloads/logs/original.log -o ~/Downloads/logs/encrypted.log -p "123" --base64 --local-output

This command creates encrypto.settings file to the directory of the original file.

Use version 1.1.1

https://www.nuget.org/packages/dotnet-encrypto/1.1.1

from encrypto.

Hi @voroninp

Can you test this version on Mac?

https://www.nuget.org/packages/dotnet-encrypto/1.1.2

from encrypto.

This bug fixed at the latest version 1.1.4

https://www.nuget.org/packages/dotnet-encrypto

from encrypto.

Hi @voroninp ,

I would like to thank you for your contribution.
I will start the development of this feature asap and I will inform you when it's ready.

from encrypto.

@tomchavakis Can I help somehow?

from encrypto.

Can you describe the requirements of this feature ?

• Password as command line parameter
• what else ??

If you will use the
dotnet-encrypto encrypt -t "tom"
the result is base64

Feel free to join the project.
Thanks @voroninp

from encrypto.

Ideally I would like to use it in a way how ansible-vault works.

For example:
I have a text file, I want to encrypt it, encode as base64 and put it in source control.
And then I need the reverse procedure when deploying.

I also think that we should have an option to provide the output file name. This can help avoid accidental commits of unencrypted sensitive data.

How I see it:

I put in .gitignore the pattern sensitive.*. Then I create file sensitive.credentials.json and call:

dotnet encrypto encrypt -i sensitive.credentials.json -o credentials.json --base64 --decrypt-to-source -p abracadabra

-o - specifies the name of the file with encrypted data.
-p - password
--base64 - asks to encode contents in base64
--decrypt-to-source - asks encrypto do decrypt the contents later to the file with the name used as the source for encryption, that is sensitive.credentials.json. This last feature would be very helpful because it leaves little chance of forgetting the prefix sensitive. for the decrypt output name. But it implies that encrypted file should be in particular format to store this setting. It's "expensive" feature, I suppose. So it would be fine just to be able to call:

dotnet encrypto encrypt -i sensitive.credentials.json -o credentials.json --base64 -p abracadabra
and
dotnet encrypto decrypt -i credentials.json -o sensitive.credentials.json --base64 -p abracadabra

from encrypto.

@voroninp thanks for the detailed explanation, this feature is really great and useful.

from encrypto.

@voroninp I am thinking about the security of the ability to pass the password as command line parameter.
Later if someone has access to the machine that the encryption occurred, with history command the password will be unencrypted.
I guess that this is the reason that ansible vault requires the password as file

ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

What do you think?
What if the password will be stored at a password json/txt file?

from encrypto.

Good point, yet I am not sure whether history is saved if action is done automatically outside terminal.

My intention was to run decryption on each target machine as a deployment step of Octopus release process. So I could pass the variable for the password.

dotnet encrypto decrypt -i file -p #{Password}

If #{Password} variable has type sensitive it is not logged, though I am not sure about command line as a whole:)
Anyway, target machine will contain unencrypted data :) So if anyone has access to the machine, he already has sensitive data.

from encrypto.

Hi @voroninp

This feature added.
Please verify that the functionality is fine.

from encrypto.

Great. Thanks for the speed!

But without base64 encoding Git is a bit upset with all these bytes. And output option would be much appreciated.

from encrypto.

@voroninp Base64 supported if you add -t as parameter for text encryption.
I would add this functionality also for files.

from encrypto.

https://www.nuget.org/packages/dotnet-encrypto/1.0.7

from encrypto.

Any plans for -o - output option? ;-)

from encrypto.

Hi @voroninp -o supported by --base64 option parameter

ex.
dotnet-encrypto encrypt -i /home/tcs/Downloads/file.txt --base64 -p "123"

from encrypto.

@tomchavakis May be I missed it in code, but I do not see any option where I can specify the name of the encrypted file. I mean that currently the contents of the source file is encrypted/replaced.

from encrypto.

ok You mean that you want the encrypted output to stored at a specific file.
I will add it asap.

from encrypto.

thanx @voroninp

from encrypto.

And one more question. This is not even close to critical. It is only about convenience/safety, though it looks to be the most expensive feature in terms of effort.

Would be nice to save somehow the original file name in the encrypted file, and use it automatically for decryption. I explained the motivation above, but I'll repeat.

This lets me to add pattern unencrypted.* to .gitignore file, and avoid unintentional commit of sensitive unencrypted data.

dotnet encrypto encrypt -i unencrypted.data.json --base64 -p password -o encrypted.data

So the outcome is encrypted.data file which "remembers" the name of initial file.

Later someone checks out the branch and calls:

dotnet encrypto decrypt -i encrypted.data --base64 -p password

He neither has to specify filename, nor even know the convention about unencrypted.*.
So he ends up with two files in folder: unencrypted.data.json and encrypted.data. The first one is ignored, and after it is edited one must call again dotnet encrypto encrypt -i unencrypted.data.json --base64 -p password -o encrypted.data what leads to changes in encrypted.data file which is tracked and could be safely committed.

from encrypto.

Hi @voroninp,

This feature is awesome and really useful.
I will try to implement it asap.
The best way, would be to pass as metadata to the file in some way, and not depict the. actual data.
Thanks again for these nice features.

from encrypto.

But then there are disputable things, actually.

If there is a metadata, should encrypto even allow -o option for decryption?
Should it warn about already existing file and ask about permission to overwrite it? Should -f/--force-overwrite option exist for automation tools?

from encrypto.

i think that your point is right.
Metadata also doesn't works the same in all OS, so it would be better to append to the encrypted file.

from encrypto.

Even when it is not in metadata but in file.

I mean what should encrypto do, if you specify -o file and this file already exists. The same about “saved” filename.

All these corner cases :’(

from encrypto.

I have an idea. We can just store this info in another committed file. Like encrypto.settings ;)

from encrypto.

Hi @voroninp ,

I agree with you, this would be fine.

from encrypto.

Thanks a lot. Is local settings file supported as well?

Otherwise settings file won’t be committed and hence checked out. It means the mapping won’t exist on a fresh system, which just hired developer is very likely to have.

from encrypto.

dotnet encrypto encrypt -i data.txt --base64 -o data.encrypted --local-output -p vpv

then

dotnet encrypto decrypt -i data.encrypted  --base64 -p vpv

Getting data.encrypted | Result:Decryption failed.
Works for text from this file, though.

from encrypto.

Hi @voroninp
What is your operating system?

from encrypto.

Mac OS

from encrypto.

Thanks, @voroninp,

I will check it

from encrypto.

Yep, checked in Windows - it works.

from encrypto.

I found the bug, I will upload the new version asap

from encrypto.

Now it works.

Btw, I noticed that in case of invalid characters when base64 encoding is expected, tool fails with not that user friendly message ;-)

dotnet encrypto decrypt -t $%$#%34 -p vpv

Unhandled Exception: System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Encrypto.Utils.Utilities.Base64Decode(String plainText) in /home/tom/Projects/github/encrypto/src/Encrypto.Utils/Utilities.cs:line 17
at Encrypto.Helpers.DecryptText() in /home/tom/Projects/github/encrypto/src/Encrypto/Helpers/ConsoleHelpers.cs:line 116
at Encrypto.Program.<>c.

b__0_1(DecryptOptions options) in /home/tom/Projects/github/encrypto/src/Encrypto/Program.cs:line 56
at Encrypto.Program.Main(String[] args) in /home/tom/Projects/github/encrypto/src/Encrypto/Program.cs:line 15

from encrypto.

Hi @voroninp

May I close this issue ?

from encrypto.

@tomchavakis I believe, yes. Thanks.

from encrypto.