Metadata-Version: 2.1
Name: ssh-crypt
Version: 1.1.3
Summary: ssh-crypt is a tool to encrypt/decrypt data using your ssh key from ssh-agent
Home-page: UNKNOWN
Author: Maxim Nikitenko
Author-email: iam@sets88.com
License: BSD
Platform: any
Requires-Python: >=3.5
Description-Content-Type: text/markdown
Requires-Dist: cryptography (==3.4.6)
Requires-Dist: paramiko (==2.7.2)

# Why you may need it

Sometimes you want to keep your password inside your shell scripts
but it's not very safe to have raw passwords in it

This module can help you to solve this problem by keeping your passwords encrypted.

The idea is you have your ssh key which protected with master password(or a special device containing a key)
and there is an ssh-agent which can keep your ssh key(or use you key device), so you can use you key as an
encryption key, until you have your key in ssh-agent you can decrypt your passwords
inside your shell scripts, but after your ssh key been removed from your ssh-agent you(or somebody else) can't
use it to encrypt/decrypt passwords or other sensitive data, here how you can use it:
You add your ssh key to ssh-agent:

    /usr/bin/ssh-add -t 1d -k ~/.ssh/id_rsa

You enter master password and now you have ssh key in your ssh-agent,
Now you can use it to encrypt passwords or other sensitive data:

    ssh-crypt -e -s 'testpassword'

You get string which contains your encrypted password, copy it, you can use it further,
lets write a shell script:

    !/bin/bash

    PASS='{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'

    mysql -h localhost -u testuser -p$(ssh-crypt -d -s $PASS)

now you don't have raw password inside your shell script anymore, while this encrypted password
can be decrypted only if your ssh key still in your ssh-agent


Also you can use it just to encrypt/decrypt files like here:

    ssh-crypt -e -i /tmp/rawfile -o /tmp/encrypted_file
    ssh-crypt -d -i /tmp/encrypted_file -o /tmp/rawfile


# How it works

When you encrypt your password it generates random bytes, which signed by you ssh key
from your ssh-agent, then it creates sha3_256 from this signature and uses it as a key
to encrypt your data with AES and creating base85 of it if binary mode is not enabled

![How encryption works](/data/encryption.png)

When you decrypt your password it takes nonce bytes from the string you pass, signs it with your ssh key,
creates sha3_256 from it and uses it as a AES key to decrypt the rest of data

![How decryption works](/data/decryption.png)


# How to install it

    pip install ssh-crypt

# How to use it in python scripts

```python
from ssh_crypt import E

super_secret_password = str(E('{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'))
```

# Using yubiko keys to keep your ssh key

## Install yubico-piv-tool

Download it from https://developers.yubico.com/yubico-piv-tool/Releases/ or from (brew, apt, yum, or pacman)

## SSH Key

Generate new key

    ssh-keygen -b 2048 -t rsa -m PEM

or alter current key to PEM format

    ssh-keygen -p -m PEM

unfortunately 4096 and longer RSA keys are not supported by PIV specification

## Import key to yubikey

Slot 9a only can be used to store rsa key

    yubico-piv-tool --touch-policy=cached -s 9a -a import-key --pin-policy=once -i id_rsa

## Add card to ssh-agent

Remove old card if exists (as if it was previously added next command will not work even if "ssh-add -D" executed)

    ssh-add -e /usr/local/lib/libykcs11.dylib

Add new card

    ssh-add -s /usr/local/lib/libykcs11.dylib

Enter Yubikey PIN when it's asked for passphrase for PKCS#11
All set up now but you have to confirm decryption by touching yubico button
if it't not convinient for you to touch button all the time you can disable this behaviour by removeing
"--touch-policy=cached" param during key import


# Use it with apps which demands config files which have to contain some token or password

Just create a shell script with which you can access your application here is an example:

```bash
#! /bin/bash

TOKEN='{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'

CONFIG="apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ***somesertdata**
    server: https://kuber-api-host:6443
  name: app
contexts:
- context:
    cluster: app
    namespace: some-namespace
    user: max
  name: app
current-context: app
kind: Config
preferences: {}
users:
- name: max
  user:
    token:
     $(ssh-crypt -d -s $TOKEN)
"

kubectl --kubeconfig <(echo "$CONFIG") $*
```

# Using SSH-Agent Forwarding

There is an option to use scripts with encrypted passwords in it on remote hosts, by connecting to it via ssh like this

    ssh -A user@somehost

"-A" parameter enables SSH-Agent forwarding.
**Beware!** never use this technique if you don't fully trust remote host
as someone who has enough permissions on that host may use your ssh agent for bad purpose 


# Options

-h, --help

Prints brief usage information.

-e, --encrypt

Encrypt incomming data

Examples:

    ssh-crypt -e -s 'testpassword'
    echo 'testpassword' | ssh-crypt -e


-d, --decrypt

Decrypt incomming data, encrypt mode will be enabled if not set

Examples:

    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'
    echo '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5' | ssh-crypt -e


-i, --input

Input file, STDIN will be used if not set

Examples:

    ssh-crypt -e -i /tmp/testfile
    ssh-crypt -d -i /tmp/testfile
    ssh-crypt -e -b -i /tmp/testfile


-o, --output

Output file, STDOUT will be used if not set

Examples:

    ssh-crypt -e -s 'testpassword' -o /tmp/testfile
    echo 'testpassword' | ssh-crypt -e -o /tmp/testfile


-s, --string

Use passed string as an input data

Examples:

    ssh-crypt -e -s 'testpassword'
    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'


-b, --binary

Not use base85(used to make encrypted data look more like text file, to allow to copy it inside shell scripts) for payload

Examples:

    ssh-crypt -e -s 'testpassword' -b -o /tmp/testfile
    ssh-crypt -e -i /tmp/testfile -b


-k, --key

Pick key from ssh-agent keys list by its fingerprint

    ssh-add -l -E md5
    2048 MD5:12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34 Public key for PIV Authentication (RSA)

Examples:

    ssh-crypt -e -s 'testpassword' --key '12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34'
    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5' -k '12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34'


# Bugs

See github issues: https://github.com/Sets88/ssh-crypt/issues


