Mac OS X, Mac Security

Use crypt_and_hash to Encrypt Files From A Shell On macOS

One of the packages that can be installed with Homebrew is mbedtls (mbed TLS), a cryptographic library that also ships a handful of sample command-line programs, one of which is crypt_and_hash. To install mbedtls:

brew install mbedtls

Encrypting a file is then fairly straightforward. Call crypt_and_hash with a 0 in the first positional parameter to encrypt a file or a 1 to decrypt. Then provide the path to the input file in the second position (mac.json in this example), the output file name in the third (mac.aes), the cipher in the fourth (CAMELLIA-256-CBC in the example command), the message digest in the fifth (SHA1 here) and the key in the sixth (hex:ABCD123456789 in this example). The digest is not just a checksum: crypt_and_hash uses it to derive the actual cipher key from whatever key bytes you pass, and to compute an HMAC that it appends to the ciphertext and verifies when decrypting. So pick a digest at least as long as the cipher key (SHA256 for a 256-bit cipher) rather than SHA1. A hex: key is read two hex digits at a time, one byte per pair, so give it an even number of digits; the 13-digit key here is only a placeholder, and a real key should be random and at least as long as the cipher's key size (64 hex digits for a 256-bit cipher).

crypt_and_hash 0 mac.json mac.aes CAMELLIA-256-CBC SHA1 hex:ABCD123456789

The command to decrypt is then almost the opposite: use a 1 instead of a 0, put the encrypted file in the second position as the source and the plaintext output in the third as the target:

crypt_and_hash 1 mac.aes mac.json CAMELLIA-256-CBC SHA1 hex:ABCD123456789

It'll throw an error (the HMAC check fails) if the cipher, digest and key don't match the ones used to encrypt. Many of these operations can be done just as easily with other commands, including some built in to macOS; however, some of the ciphers listed below aren't supported by default on macOS, so crypt_and_hash is useful for those. We can also use longer keys and keep them in a file. Rather than typing the key, it can be read from another source, such as a REST endpoint. In the following example we'll read it with cat, but it's easy enough to use a curl command instead. We'll also chain two more commands onto the one-liner that remove the encrypted source file and the key file:

crypt_and_hash 1 mac.aes mac.json CAMELLIA-256-CBC SHA1 hex:`cat keyfile`;rm mac.aes;rm keyfile

This one-liner shouldn't be mistaken for an atomic or secure-deletion operation. With ; the two rm commands run whether or not decryption succeeded, so a wrong key or a corrupted file leaves you with a useless mac.json and no mac.aes; chain the commands with && instead so the ciphertext and key file are only removed after a successful decrypt. Passing the key as a command-line argument also makes it visible in the shell history and in process listings while the command runs, and rm doesn't overwrite the key file's blocks on disk. What the one-liner does buy you is folding the several steps otherwise needed to fetch a key, decrypt and clean up into a single command.
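As an added example (this script is not from the original post and is not part of mbed TLS), here is a small POSIX sh wrapper that puts the points above into practice: it generates a key file readable only by its owner, passes the key file path instead of a hex string so the key never lands in ps output or shell history, removes the ciphertext only after a successful decrypt, and deletes the partial plaintext crypt_and_hash may have written when the HMAC check fails. It assumes crypt_and_hash from brew install mbedtls is on PATH and, based on the sample program's source, that the sixth argument is first tried as a key file and only parsed as hex: when no such file can be opened; verify that against the version you install. The function names, defaults and sample plaintext are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from mbed TLS): a wrapper around
# the crypt_and_hash sample program installed by `brew install mbedtls`.
# Assumptions (taken from the sample's source; check your installed version):
#   - the 6th argument is tried as a key FILE first; only if it cannot be opened
#     is it parsed as hex:<digits> or used as a literal string
#   - on decrypt, crypt_and_hash exits non-zero when the HMAC it appended to the
#     ciphertext does not verify (wrong key/cipher/digest, or a corrupted file)
# Output written by crypt_and_hash: IV || ciphertext || HMAC.
set -u

CIPHER=${CIPHER:-AES-256-CBC}
DIGEST=${DIGEST:-SHA256}   # used for key derivation and the HMAC, so not MD5/SHA1

# gen_key NBYTES FILE: write NBYTES of random key material to FILE, owner-only.
# Reading the key from a file keeps it out of `ps` and the shell history.
gen_key() {
    nbytes=$1; keyfile=$2
    ( umask 077; head -c "$nbytes" /dev/urandom > "$keyfile" ) || return 1
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq "$nbytes" ]
}

# valid_hex_key HEX: crypt_and_hash reads a hex: key two digits (one byte) at a
# time, so an odd-length string like the post's ABCD123456789 is not whole bytes.
valid_hex_key() {
    case ${1:-} in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# encrypt_file SRC DST KEYFILE
encrypt_file() {
    crypt_and_hash 0 "$1" "$2" "$CIPHER" "$DIGEST" "$3"
}

# decrypt_file SRC DST KEYFILE: remove the ciphertext only after a successful
# decrypt; on failure drop the partial plaintext crypt_and_hash may have written.
decrypt_file() {
    if crypt_and_hash 1 "$1" "$2" "$CIPHER" "$DIGEST" "$3"; then
        rm -f "$1"
    else
        rm -f "$2"
        return 1
    fi
}

# roundtrip_check: encrypt a constructed plaintext, decrypt it and compare.
roundtrip_check() {
    d=$(mktemp -d) || return 1
    printf '{"host":"mac","constructed":true}\n' > "$d/mac.json"
    gen_key 32 "$d/keyfile" &&
        encrypt_file "$d/mac.json" "$d/mac.aes" "$d/keyfile" &&
        decrypt_file "$d/mac.aes" "$d/mac.out" "$d/keyfile" &&
        cmp -s "$d/mac.json" "$d/mac.out" &&
        [ ! -e "$d/mac.aes" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

# wrong_key_check: a different key must fail the HMAC check, leave the
# ciphertext in place and leave no plaintext behind.
wrong_key_check() {
    d=$(mktemp -d) || return 1
    printf 'constructed secret\n' > "$d/mac.json"
    gen_key 32 "$d/k1" && gen_key 32 "$d/k2" &&
        encrypt_file "$d/mac.json" "$d/mac.aes" "$d/k1" &&
        ! decrypt_file "$d/mac.aes" "$d/mac.out" "$d/k2" 2>/dev/null &&
        [ -e "$d/mac.aes" ] && [ ! -e "$d/mac.out" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage from an interactive shell, once crypt_and_hash is installed:
#   . ./safe_crypt.sh && roundtrip_check && wrong_key_check && echo ok
```

The defaults are AES-256-CBC with SHA256 rather than the post's CAMELLIA-256-CBC with SHA1; override them with the CIPHER and DIGEST environment variables if you need one of the other ciphers in the list below. Note that rm -f still only unlinks the key file; if the key must not be recoverable from the disk afterwards, keep it on an encrypted volume or in a secrets store rather than relying on deletion.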

Available ciphers (the DES and ECB entries are legacy and best avoided for new data):

  •   AES-128-ECB
  •   AES-192-ECB
  •   AES-256-ECB
  •   AES-128-CBC
  •   AES-192-CBC
  •   AES-256-CBC
  •   AES-128-CFB128
  •   AES-192-CFB128
  •   AES-256-CFB128
  •   AES-128-OFB
  •   AES-192-OFB
  •   AES-256-OFB
  •   AES-128-CTR
  •   AES-192-CTR
  •   AES-256-CTR
  •   AES-128-XTS
  •   AES-256-XTS
  •   AES-128-GCM
  •   AES-192-GCM
  •   AES-256-GCM
  •   AES-128-CCM
  •   AES-192-CCM
  •   AES-256-CCM
  •   AES-128-CCM*-NO-TAG
  •   AES-192-CCM*-NO-TAG
  •   AES-256-CCM*-NO-TAG
  •   CAMELLIA-128-ECB
  •   CAMELLIA-192-ECB
  •   CAMELLIA-256-ECB
  •   CAMELLIA-128-CBC
  •   CAMELLIA-192-CBC
  •   CAMELLIA-256-CBC
  •   CAMELLIA-128-CFB128
  •   CAMELLIA-192-CFB128
  •   CAMELLIA-256-CFB128
  •   CAMELLIA-128-CTR
  •   CAMELLIA-192-CTR
  •   CAMELLIA-256-CTR
  •   CAMELLIA-128-GCM
  •   CAMELLIA-192-GCM
  •   CAMELLIA-256-GCM
  •   CAMELLIA-128-CCM
  •   CAMELLIA-192-CCM
  •   CAMELLIA-256-CCM
  •   CAMELLIA-128-CCM*-NO-TAG
  •   CAMELLIA-192-CCM*-NO-TAG
  •   CAMELLIA-256-CCM*-NO-TAG
  •   ARIA-128-ECB
  •   ARIA-192-ECB
  •   ARIA-256-ECB
  •   ARIA-128-CBC
  •   ARIA-192-CBC
  •   ARIA-256-CBC
  •   ARIA-128-CFB128
  •   ARIA-192-CFB128
  •   ARIA-256-CFB128
  •   ARIA-128-CTR
  •   ARIA-192-CTR
  •   ARIA-256-CTR
  •   ARIA-128-GCM
  •   ARIA-192-GCM
  •   ARIA-256-GCM
  •   ARIA-128-CCM
  •   ARIA-192-CCM
  •   ARIA-256-CCM
  •   ARIA-128-CCM*-NO-TAG
  •   ARIA-192-CCM*-NO-TAG
  •   ARIA-256-CCM*-NO-TAG
  •   DES-ECB
  •   DES-EDE-ECB
  •   DES-EDE3-ECB
  •   DES-CBC
  •   DES-EDE-CBC
  •   DES-EDE3-CBC
  •   CHACHA20
  •   CHACHA20-POLY1305
  •   AES-128-KW
  •   AES-192-KW
  •   AES-256-KW
  •   AES-128-KWP
  •   AES-192-KWP
  •   AES-256-KWP

Available message digests (prefer the SHA-2 family; MD5 and SHA1 are listed but are legacy, and a digest shorter than the cipher key can't fully derive it):

  •   SHA512
  •   SHA384
  •   SHA256
  •   SHA224
  •   SHA1
  •   RIPEMD160
  •   MD5