Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)
OpenBSD (and most others *nix systems) got a package for age. Just install it.
doas pkg_add age
Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’
Encrypt with SSH Pub Key
Let’s encrypt our Hosts File and save it to /tmp/ …
age -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx" -o /tmp/hosts.enc hosts
Encrypt with all PubKeys from Authorized_keys
You can also encrypt for multiple Persons, for example Users in your authorized_key file …
age -R ~/.ssh/authorized_keys /etc/hosts > /tmp/hosts.age
Decrypt with Private Key
Transfer the encrypted File to the Destination … and with the correct Private Key, it can be easily decryted :)
$ age -d -i ~/.ssh/id_ed25519 /tmp/hosts.age Enter passphrase for ".ssh/id_ed25519": 127.0.0.1 localhost ::1 localhost
Symmetric Key Encryption
You can also use Symmetric Encryption, where the Key to encrypt and decrypt is the same. Exchange the Key over a “Secure Medium” and you’re done. Hint: EMail, SMS, Whatsapp and such Services are not considered as a Secure Channel ;)
Encrypt the File with any Password you want
$ age -p /etc/hosts > /tmp/hosts.age Enter passphrase (leave empty to autogenerate a secure one): [test] Confirm passphrase: [test]
Transfer the File and Password to someone else and he can decrypt it !
$ age -d /tmp/hosts.age Enter passphrase: [test] 127.0.0.1 localhost ::1 localhost
Encrypt with auto-password
without a given password, age generate a secure one for you :)
$ age -p /etc/hosts > /tmp/hosts.age Enter passphrase (leave empty to autogenerate a secure one): Using the autogenerated passphrase "beauty-clean-extend-image-same-primary-stem-trust-able-first".