🌰 encrypt/decrypt using ssh keys

Overview

ssh-vault 🌰

Build Status Coverage Status Go Report Card

encrypt/decrypt using ssh private keys

Documentation

https://ssh-vault.com

Usage

$ ssh-vault -h

Example:

$ echo "secret" | ssh-vault -u <github.com/user> create

Installation

Mac OS

brew install ssh-vault

Binaries

Binaries and packages for a variety of platforms are published to Bintray: Download

To download specific version use URL like https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.12.4_amd64.deb

To download the latest version:

PACKAGING=amd64.deb
LATEST_VERSION=$(curl -w "%{redirect_url}" -o /dev/null -s https://bintray.com/nbari/ssh-vault/ssh-vault/_latestVersion | sed 's|.*/||')
curl -L -O "https://dl.bintray.com/nbari/ssh-vault/ssh-vault_${LATEST_VERSION}_${PACKAGING}"

Compile from source

Setup go environment https://golang.org/doc/install

For example using $HOME/go for your workspace

$ export GOPATH=$HOME/go

Get the code:

$ go get github.com/ssh-vault/ssh-vault

Build by just typing make:

$ cd $GOPATH/src/github.com/ssh-vault/ssh-vault
$ make

Issues

Please feel free to raise any issue, feature requirement or a simple comment here.

Comments
  • use ssh-agent when asked for password

    use ssh-agent when asked for password

    Find a way to use the ssh-agent to obtain the decrypted key in order to avoid typing the password every time a vault needs to be edited/viewed.

    Probably is not possible: http://security.stackexchange.com/a/55791/54143

    enhancement help wanted Hacktoberfest 
    opened by nbari 8
  • Go 1.10.2 build failure for 0.12.3

    Go 1.10.2 build failure for 0.12.3

    ==> Cloning https://github.com/ssh-vault/ssh-vault.git
    Updating /Users/joe/Library/Caches/Homebrew/ssh-vault--git
    git config remote.origin.url https://github.com/ssh-vault/ssh-vault.git
    git config remote.origin.fetch +refs/tags/0.12.3:refs/tags/0.12.3
    ==> Checking out tag 0.12.3
    git checkout -f 0.12.3 --
    HEAD is now at 33b59a3... prefer the HOME environmental variable
    git reset --hard 0.12.3
    HEAD is now at 33b59a3 prefer the HOME environmental variable
    ==> dep ensure -vendor-only
    ==> go build -ldflags -s -w -X main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    # github.com/ssh-vault/ssh-vault/vendor/github.com/ssh-vault/go-keychain
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:29: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:36: cannot convert nil to type _Ctype_CFDataRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:37: cannot use nil as type _Ctype_CFDataRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:62: cannot convert nil to type _Ctype_CFDictionaryRef
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:63: cannot use nil as type _Ctype_CFDictionaryRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &keys[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:74: cannot convert &values[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:87: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:90: cannot use nil as type _Ctype_CFStringRef in return argument
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: cannot convert &a[0] (type *_Ctype_CFTypeRef) to type *unsafe.Pointer
    vendor/github.com/ssh-vault/go-keychain/corefoundation.go:141: too many errors
    /usr/local/Homebrew/Library/Homebrew/debrew.rb:11:in `raise'
    BuildError: Failed executing: go build -ldflags -s\ -w\ -X\ main.version=0.12.3 -o /usr/local/Cellar/ssh-vault/0.12.3/bin/ssh-vault cmd/ssh-vault/main.go
    

    (doesn't affect Go 1.9.x)

    opened by ilovezfs 7
  • Decryption failed, use private key with fingerprint:

    Decryption failed, use private key with fingerprint:

    when trying to view the content of a vault, if the key doesn't match, prints the default key on the system:

    $ ssh-vault view vault.ssh 
    Decryption failed, use private key with fingerprint: fd:c9:a5:ab:67:c2:6a:3b:6b:c9:72:d6:32:f8:a8:09
    
    bug fixed 
    opened by nbari 7
  • Review homebrew formula

    Review homebrew formula

    Hi, the ssh-vault homebrew formula is currently blocking a pull request to update the go formula to 1.13.5. Details here: https://github.com/Homebrew/homebrew-core/pull/47510#issuecomment-565634744

    Can someone take a look at why the formula fails on macOS with go 1.13.5, please?

    fixed 
    opened by iwittkau 6
  • No valid PEM (private key) data found

    No valid PEM (private key) data found

    Hello,

    I use the public key of some friend to encrypt some content:

    ssh-vault -k ~/.ssh/vault/keys/id_rsa.pub create < QR.jpg > RQ
    

    From the friend's computer:

    ssh-vault -o QR.jpg view RQ
    

    Unfortunately, he's got the message No valid PEM (private key) data found

    He's got well his private key in ~/.ssh/id_rsa

    Thanks for your help.

    opened by faxotherapy 6
  • openssh > v7.8 RSA keys not supported

    openssh > v7.8 RSA keys not supported

    Since version 7.8/7.8p1 (2018-08-24) ssh-keygen by default generates RSA keys in new format and they don't work with ssh-vault any more block.type in this case looks like "OPENSSH PRIVATE KEY" not "RSA PRIVATE KEY"

    • ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.
    enhancement help wanted 
    opened by gkruszecki 5
  • allow for encryption to multiple recipients

    allow for encryption to multiple recipients

    It would be nice if the -u option could be repeated, to allow multiple recipients. Something like

    ssh-vault -u id_rsa-1.pub -u id_rsa-2.pub -u id_rsa-3.pub create vault.ssh
    
    opened by S2- 4
  • allow creating secrets to STDOUT (without writing to file)

    allow creating secrets to STDOUT (without writing to file)

    hey

    first of all, thanks for the awesome tool :pizza: would it be possible to allow creating secrets on the fly, straight to STDOUT (without having to write to file)?

    something like ssh-vault -u nbari create and, if no file parameter is specified at the end, just open the editor and print the encrypted message to STDOUT.

    enhancement 
    opened by lipanski 4
  • test the windows binaries

    test the windows binaries

    Test the windows binaries https://dl.bintray.com/nbari/ssh-vault/ssh-vault_0.7.2_windows_amd64.zip

    Check if creating, edit, viewing vaults works besides fetching the keys remotely or using keys locally.

    help wanted Hacktoberfest 
    opened by nbari 4
  • bad ssh-vault signature

    bad ssh-vault signature

    I'm encrypting a file using ssh-vault via:

     cat test/data/note_to_encrypt.txt | ./ssh-vault -u bsutton create ./test.vault
    

    This produces a file:

    SSH-VAULT;AES256;ee:88:c8:35:4d:0e:a9:14:c1:44:61:59:90:95:ef:a0
    GxjmmbzD0yR4m0WAdeEOQqViVfaq/KMrEV3bUVZAT/bTT/JuJeg5mXwHMm3DED1y
    SW44D3HZg8jKWeIKms0zsy0p273jCZ+Wi/gj5lTGzsQaltPTpgiX36N9RY9z2eSh
    N/+RPvU8NVfMLE1YvhjBqz+Vnz9iFhivG46TwKKihUUyAt7NmCDIxn6KRNDvGeUF
    YSWwQwXCuqLcO1mE12YkLA6TzoH9cXm+9jU39Bh8VTPqDW4teTcfXgGP7s2f3M1N
    qh1u4IASW58XkpOI5A0OufrvWfpwWhkLKWNtPpPkeBXYvuH2faeCVHVxHcQ+p62+
    bk09zczek3GyrW23AV60f24tNo/EDjUqJ6PEvIHTWrpEZEORC2rYAX/YgDUrG2Jw
    WuVWOsfN+E/QMs+vvdJw7zvKiy/jA3NGUJWhES3DneKanV0SVKlOmoRDQehKtU6X
    0lb5c6nQB4z/cI8uP7bhIE4WTFv2u/VXnHYIIssjM4aZWHs/TkZzeLEQHldadIhm
    or/pF0hG606PunAyeGDO3nHuzyT45DJ+ywmGXln+y+QALjjvMllI9lnwR99o6/ZD
    gXuyhSwaqHCWOLwaTFZ4IK2kdE7shWKlKYnyqldPlV6NBzouuTcWu4EgNGv0MNLm
    DwdwWc8AqgT2fTvfHyILx4GfDVXgqe/BpwL/MTLK3u0=;bLlYIF+UyrlG8zrWTAo
    FH5h/RQ/WgrZ7gfZgNrQF/ZOUusJaq8Ho6TJ5p429avPwPbaAumFSX+DwwWCDcWw
    Y2peF9tvqaOgiy8MJkDAf9OB4L/6WWSBbsqiyViJlGXGhzA==
    

    When I try to decrypt the vault I get:

    echo "<pass phrase>" | ./ssh-vault  -k /home/bsutton/.ssh/id_rsa view test.vault
    bad ssh-vault signature, verify the input
    

    The private key file is encrypted with

    As I understand it you can pass the passphase phrase via stdin hence I pipe the output from the echo command.

    However I'm seeing two problems.

    1. the above invalid signature
    2. even though I pass the passphrase the command is using the gnome agent to request I enter the pass phrase.

    I'm uncertain if these two problems are related?

    opened by bsutton 3
  • RSA key in openssh format with password

    RSA key in openssh format with password

    Hello, Two issues I wanted to report (I believe related to #37) that I have recently experienced on my mac (catalina) when using ssh-vault:

    • First issue

    how to reproduce the issue: ssh-keygen -t rsa -b 4096 -C "[email protected]"(gitlab example) ssh-vault -k id_rsa.pub create < file > file.vault ssh-vault -k id_rsa view file.vault

    output: enter passphrase: could not parse private key: ssh: this private key is passphrase protected

    analysis: When having a passphrase protected key, and no usual PEM header (no dek-info section as tested by x509.IsEncryptedPEMBlock()), it goes through ssh.ParseRawPrivateKey() instead of ssh.ParseRawPrivateKeyWithPassphrase().

    However without password it works fine since it goes through ssh.ParseRawPrivateKey and when -k parameter is the private key ssh-keygen -yf works, if -k is a public key it works too (when both are in local and in the same directory).

    proposal: Either decode the header of the openSSH format private key that should contain something like this when encrypted:

    openssh-key-v1 aes256-ctr bcrypt

    Or when having a block.Type of "OPENSSH PRIVATE KEY" trying ssh.ParseRawPrivateKey() followed by ssh.ParseRawPrivateKeyWithPassphrase() when the first is not successful.

    • Second issue

    Also a second issue appears due to -k parameter. Indeed the usage of ssh-keygen -yf doesn't deal well with passphrase protection. So it works when having the public key as parameter but not the private one. (when both are in local and in the same directory).

    how to reproduce the issue: ssh-keygen -t rsa -b 4096 -C "[email protected]" -m PEM([gitlab example]

    analysis: I don't know why we need to extract sometimes the public key from the private one. -k parameter as showed by the command helper is a public key so I am not quite sure why we are passing the private key sometimes even though that is the private key which is needed to decrypt.

    	// use private key only
    	if strings.HasSuffix(v.key, ".pub") {
    		v.key = strings.Trim(v.key, ".pub")
    	}
    

    proposal: Either decoding the private key and the public from it without using ssh-keygen as already mentionned in the TODO or perhaps adding another parameter to distinguish between public and private keys. Another option could also be to add the suffix pub and get it.

    Thanks for the great work and your help !

    enhancement help wanted 
    opened by CyrilJacob 3
  • Unconventional fingerprint calculation

    Unconventional fingerprint calculation

    This is not a bug report, this is a note for any who will try to use this software. And probably a README update request.

    I spent about half an hour in trying to figure out what's wrong with my keys, and then realized that you're using some unconventional way to calculate the key fingerprint.

    OpenSSH MD5 fingerprint (as it's used in many other software, especially with ssh-* in the name) of test_data/id_rsa.pub is 95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8:

    wget https://raw.githubusercontent.com/ssh-vault/ssh-vault/bcf687340bba1fbd9cd00672d965d9b501dae259/test_data/id_rsa.pub
    ssh-keygen -lf id_rsa.pub -E md5 
    4096 MD5:95:84:27:28:3c:32:9d:80:39:13:8d:cc:90:3e:4b:e8 no comment (RSA)
    

    And 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15 is a MD5 hash of binary representation of the same key in PKCS8 format (aka SSH2 format):

    ssh-keygen -e -f id_rsa.pub -m pkcs8 | openssl pkey -pubin -outform der | openssl md5 -c
    (stdin)= 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15
    

    You wrote a few words about this in this blog post, but as I'm not AWS user I had no idea how these formats differ.

    opened by nsauk 0
  • Website blocked in India

    Website blocked in India

    ssh-vault is amazing software and I love it!

    Unfortunately the Indian government is blocking access to https://ssh-vault.com/.

    image

    Not sure if there is anything you can do, but wanted to let you know.

    GitHub isn't blocked so I can still access :)

    opened by yuvipanda 0
  • unable to use ssh-agent

    unable to use ssh-agent

    Reading the #6, it felt that there was some integration with ssh-vault and ssh-agent. I'am wishing that the decryption made with ssh-vault view <a_vault> will occurs without to have to enter the passphrase of my ssh private key.

    Is there any chance that it will work ?

    Information on my package

    ssh -V
      # OpenSSH_8.7p1 Debian-2, OpenSSL 1.1.1l  24 Aug 2021
    ./ssh-vault -v
      # 0.12.8
    
    opened by briner 1
  • Why does it create the directory ~/.ssh/vault/keys?

    Why does it create the directory ~/.ssh/vault/keys?

    Even if I perform a seemingly read-only operation, e.g. ssh-vault -k ~/.ssh/id_rsa.pub view cipher.txt

    It creates the directory ~/.ssh/vault/keys (empty) What is that for?

    opened by wolfch 1
  • could not parse private key ssh: this private key is passphrase protected

    could not parse private key ssh: this private key is passphrase protected

    I'm running on ubuntu trying to decrypt a file:

    cat vault/encrypted | ./ssh-vault view
    could not parse private key: ssh: this private key is passphrase protected
    

    Looking at some of the code it looks like it should prompt for the pass phrase or pull it from the key chain.

    Any reason why it appears to be doing neither?

    lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.1 LTS
    Release:	20.04
    Codename:	focal
    
    
    ./ssh-vault -v
    0.12.6
    
    enhancement help wanted 
    opened by bsutton 3
Releases(0.12.9)
Owner
ssh-vault
encrypt/decrypt using ssh keys
ssh-vault
Ssh-lxd - A proof of concept for an ssh server that spawns a bash session inside a LXD container

SSH LXD A proof of concept for an ssh server that spawns a bash session inside a

Henning Dahlheim 2 Aug 16, 2022
Encrypt embedded go files using age.

encembed Encrypt embedded resource in compiled binary using age. Meant for usage with go generate. This tool will generate a go source file that embed

C_Sto 35 Nov 20, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Filippo Valsorda 12.4k Dec 28, 2022
Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more...

Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more... Coded with ?? by edoardottt. Share on Twitter! P

gilfoyle97 654 Dec 25, 2022
:lock: acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)

acmetool is an easy-to-use command line tool for automatically acquiring certificates from ACME servers (such as Let's Encrypt). Designed to flexibly

Hugo Landau 2k Dec 29, 2022
Let's Encrypt client and ACME library written in Go

Let's Encrypt client and ACME library written in Go. Features ACME v2 RFC 8555 Register with CA Obtain certificates, both from scratch or with an exis

null 5.8k Dec 27, 2022
Let's Encrypt client and ACME library written in Go

Let's Encrypt client and ACME library written in Go. Features ACME v2 RFC 8555 Register with CA Obtain certificates, both from scratch or with an exis

null 5.8k Dec 30, 2022
Encrypt your files or notes by your GPG key and save to MinIO or Amazon S3 easily!

Super Dollop Super Dollop can encrypt your files and notes by your own GPG key and save them in S3 or minIO to keep them safe and portability, also yo

Nedim AKAR 58 Jul 11, 2022
CS http Dynamic Encrypt Bridge.

CS http Dynamic Encrypt Bridge.

TimWhite 34 Nov 25, 2022
null 1.1k Jan 6, 2023
A Simple SSH Honeypot in Go

ssh-honeypot-go Dependencies: gliderlabs/ssh notify-send openssh (not obligatory, you need this only for ssh-keygen used for generate host private key

Luca 29 Sep 14, 2022
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. Drift

Truffle Security 315 Dec 29, 2022
Go library to create/verify armored SSH signatures

Armored ssh signatures in go Package sshsig implements signing/verifying armored SSH signatures. You can use this package to sign data and verify sign

Wim 3 Sep 18, 2022
ID hashing and Obfuscation using Knuth's Algorithm

ID Obfuscation/Hashing Transformer for Go There are many times when you want to generate obfuscated ids. This package utilizes Knuth's Hashing Algorit

pj 325 Nov 22, 2022
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 26 Dec 30, 2022
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑

simple-scrypt simple-scrypt provides a convenience wrapper around Go's existing scrypt package that makes it easier to securely derive strong keys ("h

Matt Silverlock 183 Dec 22, 2022
Create strong passwords using words that are easy for you to remember

Grasp Create strong passwords using words that are easy for you to remember A way to circumvent password complexity rules and restrictions while only

Luca Sepe 22 Nov 3, 2022