One of the packages that can be installed with Homebrew is mbedtls, which gives access to a number of cryptographic libraries. To install mbedtls:
brew install mbedtls
Encrypting a file is then fairly straightforward. Call crypt_and_hash with a 0 as the first positional parameter to encrypt a file, or a 1 to decrypt. Then provide the path to the source file in the second position (mac.json in this example), the target file name in the third (mac.aes in the example), the cipher in the fourth (CAMELLIA-256-CBC in the example command), the digest in the fifth (SHA1 here), and the key to encrypt the information in the sixth (hex:ABCD123456789 in this example):
crypt_and_hash 0 mac.json mac.aes CAMELLIA-256-CBC SHA1 hex:ABCD123456789
The command to decrypt is then almost the opposite: use a 1 instead of a 0, followed by the source in the next position and the target in the one after that:
crypt_and_hash 1 mac.aes mac.json CAMELLIA-256-CBC SHA1 hex:ABCD123456789
It’ll throw an error if the cipher, digest, and key don’t match. Many of these operations can easily be done with other commands as well, including some that are built in; however, mbedtls includes ciphers that aren’t supported by default in macOS, so it’s useful for those. We can also use longer keys and put them into a file. Rather than being typed in, the key can be read from another source, like a REST endpoint. In the following example, we’ll input it with cat, but it’s easy enough to use a curl command instead. We’ll also add a second command to the little one-liner that removes the encrypted source file and the keyfile.
crypt_and_hash 1 mac.aes mac.json CAMELLIA-256-CBC SHA1 hex:`cat keyfile` && rm mac.aes keyfile
This shouldn’t be considered an atomically secure operation but does obfuscate away some of the operations otherwise required to perform secure operations.
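A more defensive version of the decrypt-and-clean-up one-liner above, as an added example that is not part of the original post. The function names and the CRYPT_AND_HASH override variable are hypothetical, and it assumes crypt_and_hash exits non-zero when decryption fails.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the
# CRYPT_AND_HASH override variable are hypothetical.
# Assumes crypt_and_hash exits non-zero when decryption fails.
CRYPT_AND_HASH=${CRYPT_AND_HASH:-crypt_and_hash}

# read_hex_key FILE: print the key in FILE if it is non-empty hex.
read_hex_key() {
    key=$(tr -d ' \t\r\n' < "$1") || return 1
    case $key in
        ''|*[!0-9A-Fa-f]*) echo "$1: key is not hex" >&2; return 1 ;;
    esac
    printf '%s' "$key"
}

# decrypt_and_cleanup SRC DST KEYFILE [CIPHER] [DIGEST]
# Decrypts to a temporary file beside DST. SRC and KEYFILE are removed
# only after the decrypt succeeded and the output was moved into place.
decrypt_and_cleanup() {
    src=$1 dst=$2 keyfile=$3
    cipher=${4:-CAMELLIA-256-CBC} digest=${5:-SHA1}
    key=$(read_hex_key "$keyfile") || return 1
    tmp="$dst.tmp.$$"
    # As in the post, the key is passed as an argument, so it is visible
    # in the process list while the command runs.
    if "$CRYPT_AND_HASH" 1 "$src" "$tmp" "$cipher" "$digest" "hex:$key"; then
        mv "$tmp" "$dst" && rm -f "$src" "$keyfile"
    else
        rm -f "$tmp"
        echo "decrypt failed; kept $src and $keyfile" >&2
        return 1
    fi
}

# Usage: decrypt_and_cleanup mac.aes mac.json keyfile
```

Because the output is written to a temporary file first, a failed decrypt leaves neither a partial mac.json nor a missing mac.aes behind.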
Available ciphers:
- AES-128-ECB
- AES-192-ECB
- AES-256-ECB
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
- AES-128-CFB128
- AES-192-CFB128
- AES-256-CFB128
- AES-128-OFB
- AES-192-OFB
- AES-256-OFB
- AES-128-CTR
- AES-192-CTR
- AES-256-CTR
- AES-128-XTS
- AES-256-XTS
- AES-128-GCM
- AES-192-GCM
- AES-256-GCM
- AES-128-CCM
- AES-192-CCM
- AES-256-CCM
- AES-128-CCM*-NO-TAG
- AES-192-CCM*-NO-TAG
- AES-256-CCM*-NO-TAG
- CAMELLIA-128-ECB
- CAMELLIA-192-ECB
- CAMELLIA-256-ECB
- CAMELLIA-128-CBC
- CAMELLIA-192-CBC
- CAMELLIA-256-CBC
- CAMELLIA-128-CFB128
- CAMELLIA-192-CFB128
- CAMELLIA-256-CFB128
- CAMELLIA-128-CTR
- CAMELLIA-192-CTR
- CAMELLIA-256-CTR
- CAMELLIA-128-GCM
- CAMELLIA-192-GCM
- CAMELLIA-256-GCM
- CAMELLIA-128-CCM
- CAMELLIA-192-CCM
- CAMELLIA-256-CCM
- CAMELLIA-128-CCM*-NO-TAG
- CAMELLIA-192-CCM*-NO-TAG
- CAMELLIA-256-CCM*-NO-TAG
- ARIA-128-ECB
- ARIA-192-ECB
- ARIA-256-ECB
- ARIA-128-CBC
- ARIA-192-CBC
- ARIA-256-CBC
- ARIA-128-CFB128
- ARIA-192-CFB128
- ARIA-256-CFB128
- ARIA-128-CTR
- ARIA-192-CTR
- ARIA-256-CTR
- ARIA-128-GCM
- ARIA-192-GCM
- ARIA-256-GCM
- ARIA-128-CCM
- ARIA-192-CCM
- ARIA-256-CCM
- ARIA-128-CCM*-NO-TAG
- ARIA-192-CCM*-NO-TAG
- ARIA-256-CCM*-NO-TAG
- DES-ECB
- DES-EDE-ECB
- DES-EDE3-ECB
- DES-CBC
- DES-EDE-CBC
- DES-EDE3-CBC
- CHACHA20
- CHACHA20-POLY1305
- AES-128-KW
- AES-192-KW
- AES-256-KW
- AES-128-KWP
- AES-192-KWP
- AES-256-KWP
Available message digests:
- SHA512
- SHA384
- SHA256
- SHA224
- SHA1
- RIPEMD160
- MD5