Reputation: 8519
I've got a lot of secrets stored in myfile.txt, which I have to access more or less daily. So I encrypted it using openssl and decrypt it when I need to look at it:
openssl aes-256-cbc -a -d -in myfile.txt.enc
This will display the file in my terminal, however it will also stay there - is there a way to only temporarily decrypt a file into a buffer that I can view, and afterwards securely erasing that buffer? Simplicity is king here, I just want to quickly get some numbers from an encrypted file.
Bonus points: this is the script I use if I have to edit my encrypted file - is that method safe, security-wise?
openssl aes-256-cbc -a -d -in myfile.txt.enc > /tmp/myfile
vim /tmp/myfile
openssl aes-256-cbc -a -e -in /tmp/myfile -out myfile.txt.enc
shred -zu /tmp/myfile
Upvotes: 1
Views: 3299
Reputation: 7846
The secure way is not to use a temporary file at all.
As you are using VIM, vim can read in the encrypted binary file, decrypt it in memory and then let you edit it. It reverses the process to encrypt it on save.
Add the following to your .vimrc (or other relevant files):
" OpenSSL encrypted files.
" PBKDF v1.5 (salted) aes-256-cbc encrypted file. (File magic "Salted__")
augroup ossl
autocmd!
" Before reading: treat the file as binary and keep no history, viminfo, swap or backup.
autocmd BufReadPre,FileReadPre *.ossl set binary
autocmd BufReadPre,FileReadPre *.ossl set history=0 cmdheight=3 viminfo=
autocmd BufReadPre,FileReadPre *.ossl set noswapfile nowritebackup
"
" After reading: filter the just-read lines through openssl, which prompts for the password.
autocmd BufReadPost,FileReadPost *.ossl set shell=/bin/sh shellredir=>
autocmd BufReadPost,FileReadPost *.ossl '[,']!openssl aes-256-cbc -d -salt
autocmd BufReadPost,FileReadPost *.ossl set nobinary cmdheight& shell&
autocmd BufReadPost,FileReadPost *.ossl let b:encflag=1
autocmd BufReadPost,FileReadPost *.ossl exe "doau BufReadPost ".expand("%:r")
autocmd BufReadPost,FileReadPost *.ossl redraw!
"
" Before writing: remember the cursor position and filter the buffer through openssl to encrypt it.
autocmd BufWritePre,FileWritePre *.ossl mark z
autocmd BufWritePre,FileWritePre *.ossl set binary cmdheight=3 shell=/bin/sh
autocmd BufWritePre,FileWritePre *.ossl '[,']!openssl aes-256-cbc -salt
"
" After writing: undo the in-buffer encryption so you keep editing plaintext, and restore the cursor.
autocmd BufWritePost,FileWritePost *.ossl undo
autocmd BufWritePost,FileWritePost *.ossl set nobinary cmdheight& shell&
autocmd BufWritePost,FileWritePost *.ossl 'z
augroup END
Now if you edit any file that ends in the suffix .ossl you will be asked for a password to decrypt it. When you write you will be asked for the password twice to re-encrypt it.
NOTE: do not use :wq, use :w and :q separately!
WARNING: swap files and backup files are specifically turned off for security.
PS: this system also works for PGP/GPG file encryption as well as for editing Gzip'ed files. All it needs is a command to encrypt/decrypt streamed (piped) data.
For more information on this and for other VIM encrypt/decrypt methods see... http://www.ict.griffith.edu.au/anthony/info/crypto/file_encrypt.hints
Upvotes: 1
Reputation: 7630
The data is buffered in the screen, the terminal emulator, not the system where the file is on. The only secure way is to close the terminal afterwards.
The editing method is ok against users other than root, it is not secure against root, who can look at files in /tmp and your vim swap file.
Upvotes: 2
Reputation: 43168
read -sp Password: OPENSSLPASS
OPENSSLPASS=$OPENSSLPASS openssl aes-256-cbc -a -d -in myfile.txt.enc -pass env:OPENSSLPASS | less
unset OPENSSLPASS
Does not involve any temporary on-disk storage. Your password is temporarily stored in the shell environment for the duration of your less session (which might be possible to work around as it is needed only for the openssl execution). less does not leave the output in your terminal after you're done.
Upvotes: 2
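The two ideas above (vim filtering the buffer through openssl, and passing the password through the environment so it never lands on disk or in argv) combined into one small POSIX sh script. This is an added example written for this page, not code from any of the answers or from the openssl or vim projects. The function names, the SECRET_PASS and SECRET_FILE variable names, the :Wenc command and the test data are my own choices, and it assumes an OpenSSL of 1.1.1 or later, which is when -pbkdf2/-iter were added.

```shell
#!/bin/sh
# Added example (not from the answers above). Assumed names: the functions
# below, the SECRET_PASS / SECRET_FILE variables, and an OpenSSL >= 1.1.1 that
# understands -pbkdf2. The password goes to openssl via -pass env:, so it never
# appears in argv (which any local user can read with ps), and it is unset as
# soon as the program that needs it has exited.

# Read a password without echo into the variable named by $1.
# (Bash's "read -s", used in the last answer, does the same.)
read_password() {
    printf '%s' "${2:-Password: }" >&2
    stty -echo
    read -r "$1"
    rc=$?
    stty echo
    printf '\n' >&2
    return "$rc"
}

# Encrypt stdin to stdout: AES-256-CBC, random salt, PBKDF2 key derivation and
# base64 armor (the -a from the question). Plain "openssl aes-256-cbc" derives
# the key with a single legacy MD5 pass, which is why -pbkdf2 is added here.
secret_encrypt() {
    openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass env:SECRET_PASS
}

# Decrypt stdin to stdout with the same parameters.
secret_decrypt() {
    openssl enc -aes-256-cbc -a -d -pbkdf2 -iter 200000 -pass env:SECRET_PASS
}

# View: decrypt straight into a pager, no temp file. less restores the screen
# on exit, so the plaintext does not stay in the scrollback; while it is shown
# it is of course in the terminal emulator's memory, as the second answer says.
secret_view() {
    read_password SECRET_PASS || return 1
    export SECRET_PASS
    secret_decrypt < "$1" | less
    unset SECRET_PASS
}

# Edit: decrypt into vim's buffer through stdin instead of a temp file, with
# swap, viminfo, backup, undo and shell temp files disabled, and define :Wenc,
# which pipes the buffer back through openssl into the encrypted file.
# Inside vim: save with :Wenc, then leave with :q! (the buffer has no file
# name, so :wq would not do what you want anyway).
secret_edit() {
    SECRET_FILE=$1
    read_password SECRET_PASS || return 1
    export SECRET_PASS SECRET_FILE
    secret_decrypt < "$SECRET_FILE" | vim -n -i NONE \
        -c 'set nobackup nowritebackup noundofile noshelltemp' \
        -c 'command! Wenc w !openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass env:SECRET_PASS > "$SECRET_FILE"' \
        -
    unset SECRET_PASS SECRET_FILE
}

# Self-check on constructed data: a round trip must reproduce the plaintext.
# Returns 0 on success, non-zero otherwise.
roundtrip_check() {
    SECRET_PASS='constructed-test-password'
    export SECRET_PASS
    out=$(printf 'account 1234\n' | secret_encrypt | secret_decrypt)
    unset SECRET_PASS
    [ "$out" = "account 1234" ]
}

# Usage: secret_view myfile.txt.enc   or   secret_edit myfile.txt.enc
```

Files produced by secret_encrypt are not readable by the plain `openssl aes-256-cbc -a -d` command from the question, because of the PBKDF2 key derivation; decrypt them with secret_decrypt (or add the same -pbkdf2 -iter flags). The noshelltemp option matters for the vim side: by default vim runs filter commands such as `:w !cmd` and the `'[,']!openssl` lines in the first answer through a temporary file in its private temp directory, and with it off the buffer is fed to openssl over a pipe.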