🌰 encrypt/decrypt using ssh keys

Overview

ssh-vault 🌰

Build Status Coverage Status Go Report Card

encrypt/decrypt using ssh private keys

Documentation

https://ssh-vault.com

Usage

$ ssh-vault -h

Example:

$ echo "secret" | ssh-vault -u <github.com/user> create

Installation

Mac OS

brew install ssh-vault

Binaries

Binaries and packages for a variety of platforms are published to Bintray: Download

To download specific version use URL like https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.12.4_amd64.deb

To download the latest version:

PACKAGING=amd64.deb
LATEST_VERSION=$(curl -w "%{redirect_url}" -o /dev/null -s https://bintray.com/nbari/ssh-vault/ssh-vault/_latestVersion | sed 's|.*/||')
curl -L -O "https://dl.bintray.com/nbari/ssh-vault/ssh-vault_${LATEST_VERSION}_${PACKAGING}"

Compile from source

Setup go environment https://golang.org/doc/install

For example using $HOME/go for your workspace

$ export GOPATH=$HOME/go

Get the code:

$ go get github.com/ssh-vault/ssh-vault

Build by just typing make:

$ cd $GOPATH/src/github.com/ssh-vault/ssh-vault
$ make

Issues

Please feel free to raise any issue, feature requirement or a simple comment here.

Comments
  • use ssh-agent when asked for password

    use ssh-agent when asked for password

    Find a way to use the ssh-agent to obtain the decrypted key in order to avoid typing the password every time a vault needs to be edited/viewed.

    Probably is not possible: http://security.stackexchange.com/a/55791/54143

    enhancement help wanted Hacktoberfest 
    opened by nbari 8
  • Go 1.10.2 build failure for 0.12.3

    Go 1.10.2 build failure for 0.12.3

    ==> Cloning https://github.com/ssh-vault/ssh-vault.git
    Updating /Users/joe/Library/Caches/Homebrew/ssh-vault--git
    git config remote.origin.url https://github.com/ssh-vault/ssh-vault.git
    git config remote.origin.fetch +refs/tags/0.12.3:refs/tags/0.12.3
    ==> Checking out tag 0.12.3
    git checkout -f 0.12.3 --
    HEAD is now at 33b59a3... prefer the HOME environmental variable
    git reset --hard 0.12.3
    HEAD is now at 33b59a3 prefer the HOME environmental variable
    ==> dep ensure -vendor-only
    ==> go build -ldflags -s -w -X main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    # github.com/ssh-vault/ssh-vault/vendor/github.com/ssh-vault/go-keychain
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:29: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:36: cannot convert nil to type _Ctype_CFDataRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:37: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:62: cannot convert nil to type _Ctype_CFDictionaryRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:63: cannot use nil as type _Ctype_CFDictionaryRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &keys[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &values[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:87: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:90: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: cannot convert &a[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: too many errors
    /usr/local/Homebrew/Library/Homebrew/debrew.rb:11:in `raise'
    BuildError: Failed executing: go build -ldflags -s\ -w\ -X\ main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    

    (doesn't affect Go 1.9.x)

    opened by ilovezfs 7
  • Decryption failed, use private key with fingerprint:

    Decryption failed, use private key with fingerprint:

    when trying to view the content of a vault, if the key doesn't match, prints the default key on the system:

    $ ssh-vault view vault.ssh 
    Decryption failed, use private key with fingerprint: fd:c9:a5:ab:67:c2:6a:3b:6b:c9:72:d6:32:f8:a8:09
    
    bug fixed 
    opened by nbari 7
  • Review homebrew formula

    Review homebrew formula

    Hi, the ssh-vault homebrew formula is currently blocking a pull request to update the go formula to 1.13.5. Details here: https://github.com/Homebrew/homebrew-core/pull/47510#issuecomment-565634744

    Can someone take a look at why the formula fails on macOS with go 1.13.5, please?

    fixed 
    opened by iwittkau 6
  • No valid PEM (private key) data found

    No valid PEM (private key) data found

    Hello,

    I use the public key of some friend to encrypt some content:

    ssh-vault -k ~/.ssh/vault/keys/id_rsa.pub create < QR.jpg > RQ
    

    From the friend's computer:

    ssh-vault -o QR.jpg view RQ
    

    Unfortunately, he's got the message No valid PEM (private key) data found

    He's got well his private key in ~/.ssh/id_rsa

    Thanks for your help.

    opened by faxotherapy 6
  • openssh > v7.8 RSA keys not supported

    openssh > v7.8 RSA keys not supported

    Since version 7.8/7.8p1 (2018-08-24) ssh-keygen by default generates RSA keys in new format and they don't work with ssh-vault any more block.type in this case looks like "OPENSSH PRIVATE KEY" not "RSA PRIVATE KEY"

    • ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.
    enhancement help wanted 
    opened by gkruszecki 5
  • allow for encryption to multiple recipients

    allow for encryption to multiple recipients

    It would be nice if the -u option could be repeated, to allow multiple recipients. Something like

    ssh-vault -u id_rsa-1.pub -u id_rsa-2.pub -u id_rsa-3.pub create vault.ssh
    
    opened by S2- 4
  • allow creating secrets to STDOUT (without writing to file)

    allow creating secrets to STDOUT (without writing to file)

    hey

    first of all, thanks for the awesome tool :pizza: would it be possible to allow creating secrets on the fly, straight to STDOUT (without having to write to file)?

    something like ssh-vault -u nbari create and, if no file parameter is specified at the end, just open the editor and print the encrypted message to STDOUT.

    enhancement 
    opened by lipanski 4
  • test the windows binaries

    test the windows binaries

    Test the windows binaries https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.7.2_windows_amd64.zip

    Check if creating, edit, viewing vaults works besides fetching the keys remotely or using keys locally.

    help wanted Hacktoberfest 
    opened by nbari 4
  • bad ssh-vault signature

    bad ssh-vault signature

    I'm encrypting a file using ssh-vault via:

     cat test/data/note_to_encrypt.txt | ./ssh-vault -u bsutton create ./test.vault
    

    This produces a file:

    SSH-VAULT;AES256;ee:88:c8:35:4d:0e:a9:14:c1:44:61:59:90:95:ef:a0
    GxjmmbzD0yR4m0WAdeEOQqViVfaq/KMrEV3bUVZAT/bTT/JuJeg5mXwHMm3DED1y
    SW44D3HZg8jKWeIKms0zsy0p273jCZ+Wi/gj5lTGzsQaltPTpgiX36N9RY9z2eSh
    N/+RPvU8NVfMLE1YvhjBqz+Vnz9iFhivG46TwKKihUUyAt7NmCDIxn6KRNDvGeUF
    YSWwQwXCuqLcO1mE12YkLA6TzoH9cXm+9jU39Bh8VTPqDW4teTcfXgGP7s2f3M1N
    qh1u4IASW58XkpOI5A0OufrvWfpwWhkLKWNtPpPkeBXYvuH2faeCVHVxHcQ+p62+
    bk09zczek3GyrW23AV60f24tNo/EDjUqJ6PEvIHTWrpEZEORC2rYAX/YgDUrG2Jw
    WuVWOsfN+E/QMs+vvdJw7zvKiy/jA3NGUJWhES3DneKanV0SVKlOmoRDQehKtU6X
    0lb5c6nQB4z/cI8uP7bhIE4WTFv2u/VXnHYIIssjM4aZWHs/TkZzeLEQHldadIhm
    or/pF0hG606PunAyeGDO3nHuzyT45DJ+ywmGXln+y+QALjjvMllI9lnwR99o6/ZD
    gXuyhSwaqHCWOLwaTFZ4IK2kdE7shWKlKYnyqldPlV6NBzouuTcWu4EgNGv0MNLm
    DwdwWc8AqgT2fTvfHyILx4GfDVXgqe/BpwL/MTLK3u0=;bLlYIF+UyrlG8zrWTAo
    FH5h/RQ/WgrZ7gfZgNrQF/ZOUusJaq8Ho6TJ5p429avPwPbaAumFSX+DwwWCDcWw
    Y2peF9tvqaOgiy8MJkDAf9OB4L/6WWSBbsqiyViJlGXGhzA==
    

    When I try to decrypt the vault I get:

    echo "<pass phrase>" | ./ssh-vault  -k /home/bsutton/.ssh/id_rsa view test.vault
    bad ssh-vault signature, verify the input
    

    The private key file is encrypted with

    As I understand it you can pass the passphase phrase via stdin hence I pipe the output from the echo command.

    However I'm seeing two problems.

    1. the above invalid signature
    2. even though I pass the passphrase the command is using the gnome agent to request I enter the pass phrase.

    I'm uncertain if these two problems are related?

    opened by bsutton 3
  • RSA key in openssh format with password

    RSA key in openssh format with password

    Hello, Two issues I wanted to report (I believe related to #37) that I have recently experienced on my mac (catalina) when using ssh-vault:

    • First issue

    how to reproduce the issue: ssh-keygen -t rsa -b 4096 -C "[email protected]"(gitlab example) ssh-vault -k id_rsa.pub create < file > file.vault ssh-vault -k id_rsa view file.vault

    output: enter passphrase: could not parse private key: ssh: this private key is passphrase protected

    analysis: When having a passphrase protected key, and no usual PEM header (no dek-info section as tested by x509.IsEncryptedPEMBlock()), it goes through ssh.ParseRawPrivateKey() instead of ssh.ParseRawPrivateKeyWithPassphrase().

    However without password it works fine since it goes through ssh.ParseRawPrivateKey and when -k parameter is the private key ssh-keygen -yf works, if -k is a public key it works too (when both are in local and in the same directory).

    proposal: Either decode the header of the openSSH format private key that should contain something like this when encrypted:

    openssh-key-v1 aes256-ctr bcrypt

    Or when having a block.Type of "OPENSSH PRIVATE KEY" trying ssh.ParseRawPrivateKey() followed by ssh.ParseRawPrivateKeyWithPassphrase() when the first is not successful.

    • Second issue

    Also a second issue appears due to -k parameter. Indeed the usage of ssh-keygen -yf doesn't deal well with passphrase protection. So it works when having the public key as parameter but not the private one. (when both are in local and in the same directory).

    how to reproduce the issue: ssh-keygen -t rsa -b 4096 -C "[email protected]" -m PEM([gitlab example]

    analysis: I don't know why we need to extract sometimes the public key from the private one. -k parameter as showed by the command helper is a public key so I am not quite sure why we are passing the private key sometimes even though that is the private key which is needed to decrypt.

    	// use private key only
    	if strings.HasSuffix(v.key, ".pub") {
    		v.key = strings.Trim(v.key, ".pub")
    	}
    

    proposal: Either decoding the private key and the public from it without using ssh-keygen as already mentionned in the TODO or perhaps adding another parameter to distinguish between public and private keys. Another option could also be to add the suffix pub and get it.

    Thanks for the great work and your help !

    enhancement help wanted 
    opened by CyrilJacob 3
  • Unconventional fingerprint calculation

    Unconventional fingerprint calculation

    This is not a bug report, this is a note for any who will try to use this software. And probably a README update request.

    I spent about half an hour in trying to figure out what's wrong with my keys, and then realized that you're using some unconventional way to calculate the key fingerprint.

    OpenSSH MD5 fingerprint (as it's used in many other software, especially with ssh-* in the name) of test_data/id_rsa.pub is 95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8:

    wget https://raw.githubusercontent.com/ssh-vault/ssh-vault/bcf687340bba1fbd9cd00672d965d9b501dae259/test_data/id_rsa.pub
    ssh-keygen -lf id_rsa.pub -E md5 
    4096 MD5:95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8 no comment (RSA)
    

    And 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15 is a MD5 hash of binary representation of the same key in PKCS8 format (aka SSH2 format):

    ssh-keygen -e -f id_rsa.pub -m pkcs8 | openssl pkey -pubin -outform der | openssl md5 -c
    (stdin)= 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15
    

    You wrote a few words about this in this blog post, but as I'm not AWS user I had no idea how these formats differ.

    opened by nsauk 0
  • Website blocked in India

    Website blocked in India

    ssh-vault is amazing software and I love it!

    Unfortunately the Indian government is blocking access to https://ssh-vault.com/.

    image

    Not sure if there is anything you can do, but wanted to let you know.

    GitHub isn't blocked so I can still access :)

    opened by yuvipanda 0
  • unable to use ssh-agent

    unable to use ssh-agent

    Reading the #6, it felt that there was some integration with ssh-vault and ssh-agent. I'am wishing that the decryption made with ssh-vault view <a_vault> will occurs without to have to enter the passphrase of my ssh private key.

    Is there any chance that it will work ?

    Information on my package

    ssh -V
      # OpenSSH_8.7p1 Debian-2, OpenSSL 1.1.1l  24 Aug 2021
    ./ssh-vault -v
      # 0.12.8
    
    opened by briner 1
  • Why does it create the directory ~/.ssh/vault/keys?

    Why does it create the directory ~/.ssh/vault/keys?

    Even if I perform a seemingly read-only operation, e.g. ssh-vault -k ~/.ssh/id_rsa.pub view cipher.txt

    It creates the directory ~/.ssh/vault/keys (empty) What is that for?

    opened by wolfch 1
  • could not parse private key ssh: this private key is passphrase protected

    could not parse private key ssh: this private key is passphrase protected

    I'm running on ubuntu trying to decrypt a file:

    cat vault/encrypted | ./ssh-vault view
    could not parse private key: ssh: this private key is passphrase protected
    

    Looking at some of the code it looks like it should prompt for the pass phrase or pull it from the key chain.

    Any reason why it appears to be doing neither?

    lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.1 LTS
    Release:	20.04
    Codename:	focal
    
    
    ./ssh-vault -v
    0.12.6
    
    enhancement help wanted 
    opened by bsutton 3
Releases(0.12.9)
Owner
ssh-vault
encrypt/decrypt using ssh keys
ssh-vault
Sign, verify, encrypt and decrypt data with GPG in your browser.

keygaen Sign, verify, encrypt and decrypt data with GPG in your browser. ⚠️ keygaen has not yet been audited! While we try to make keygaen as secure a

Felix Pojtinger 78 Nov 22, 2022
Decrypt passwords/cookies/history/bookmarks from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( passwords|bookmarks|cookies|history ) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

ᴍᴏᴏɴD4ʀᴋ 6.7k Dec 7, 2022
hack-browser-data is an open-source tool that could help you decrypt data from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( password|bookmark|cookie|history|credit card|download

idiotc4t 113 Nov 30, 2022
ddlcpad, *Doki Doki Literature Club Plus Asset Decrypter*, is a tool to decrypt the encrypted asset file on the Doki Doki Literature Club Plus. Writing in golang.

ddlcpad 简体中文 What is this ddlcpad is short of Doki Doki Literature Club Plus Asset Decrypter You can decrypt the *.cy file from Doki Doki Literature C

Aimer Neige 20 Nov 27, 2022
ThanosDecryptor is an project to decrypt files encrypted by Thanos ransomware.

Prometheus-Decryptor Prometheus-Decryptor is an project to decrypt files encrypted by Prometheus ransomware. Command Arguments Usage of ./bin/promethe

CyCraft 46 Jul 29, 2022
Go Encrypt! Is a simple command-line encryption and decryption application using AES-256 GCM.

Go Encrypt! Go Encrypt! is a command-line application used to easily encrypt and decrypt files with the AES-256 GCM encryption algorithm. Usage Usage

Peter Georgas 0 Jan 5, 2022
Split and distribute your private keys securely amongst untrusted network

cocert An experimental tool for splitting and distributing your private keys safely* cocert, generates ECDSA - P521 key and uses a technique known as

Furkan Türkal 189 Dec 5, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Filippo Valsorda 12.2k Dec 5, 2022
Go implementation of a vanity attempt to generate Bitcoin private keys and subsequently checking whether the corresponding Bitcoin address has a non-zero balance.

vanity-BTC-miner Go implementation of a vanity attempt to generate Bitcoin private keys and subsequently checking whether the corresponding Bitcoin ad

Lih Ingabo 1 Jun 3, 2022
`age-plugin-yubikey` implementation, encrypt things with a Yubikey/any PIV card

This is an age plugin for PIV cards/Yubikey. Your secret is kept safe on the tamperproof hardware, while letting you use the age command-line.

Tv 22 Aug 10, 2022
Secret - Encrypt anything with a password

Secret - Encrypt anything with a password Ever wanted to hide a file? Now you can do it really easily! Usage secret {-e/--encrypt | -d/--decrypt} <sou

Ishan Goel 32 Aug 10, 2022
Easily encrypt data for the Adyen payment platform

adyen Encrypt secrets for the Adyen payment platform. This library uses crypto/rand to generate cryptographically secure AES keys and nonces, and re-u

CrimsonAIO 35 Oct 25, 2022
A golang library to use aes encrypt easier.

Aes a golang library to use aes encrypt easier. Install go get github.com/hanson/aes Document import import github.com/hanson/aes CBC orig := "hello

null 11 Nov 9, 2022
Xk6-crypto-x509 - A k6 extension to encrypt data with a PEM Public Key

xk6-crypto-x509 A k6 extension to encrypt data with a PEM Public Key This is a k

Rogério Kino 2 Jan 5, 2022
Card-encrypt - The encryption code necessary to enroll debit cards in the Palla API

?? Card RSA Encryption Thank you for choosing Palla! ?? In this repository you'l

palla 0 Jul 15, 2022
Dekripsi dari 2_Simple-Encrypt-Prima pakai golang

Dekripsi dari 2_Simple-Encrypt-Prima pakai golang

hilman kholik 0 Feb 15, 2022
Concurrent ssh client

go-cs Concurrent ssh client cs is a program for concurrently executing local or remote commands on multiple hosts. It is using OpenSSH for running rem

Andy Kosela 15 Feb 21, 2022
PKI support for SSH certificates

PKI certificates for SSH Introduction SSH certificates are limited in their usefulness - a certificate can only be signed with a single CA key, so no

Matthew Garrett 43 Nov 1, 2022
Uniform interface for interacting with network hardware via telnet/ssh

jgivc/console This package provides a uniform interface for interacting with network hardware via telnet/ssh This package uses part of reiver/go-telne

null 0 Dec 9, 2021