fileenc-openssl
This code allows one to easily encrypt and decrypt files symmetrically using openssl and python3.
- Uses
aes-256-cbc
for file encryption (as implemented by openssl) - Uses a salt when encrypting (to avoid pre-computation or rainbow tables).
- Uses
sha256
key stretching (with <0.1s) to make brute force prohibitively expensive. - Uses
sha256
checksum to check file integrity.
Installation
You can install using
.. code-block:: bash
pip install fileenc-openssl
If you want fileenc
and filedec
available system-wide, use sudo
or equivalent.
Usage
From command line:
.. code-block:: bash
fileenc --key 'password123' --input '*.png' --check --overwrite
filedec --key 'password123' --input '*.png.enc' --check --overwrite --remove
# the quotes around wildcards are important
From python:
.. code-block:: python
from fileenc_openssl import stretch_key, encrypt_file, decrypt_file
stretched_key = stretch_key('password123')
enc_pth = encrypt_file(raw_pth, key=stretched_key)
res_pth = decrypt_file(enc_pth, key=stretched_key)
Testing (needs py.test
):
.. code-block:: bash
py.test
Options
You can find all options using fileenc --help
::
-h, --help show this help message and exit
-k KEY, --key KEY the key to use for encryption; you will be prompted for one if this is not provided (more secure)
-i INP, --input INP input file, directory or pattern (as a single string) (.enc will be appended)
-o OUTP, --output OUTP optionally, output file or directory (.enc will be stripped if available)
-d, --decrypt decrypt the input file(s) (as opposed to encrypt, which is the default)
-f, --overwrite overwrite existing files when decrypting (encrypting always overwrites)
-r, --remove remove the input file after en/decrypting (after --check)
-c, --check test the encryption by reversing it (abort on failure) (only for ENcryption due to salting)
-1, --once prompt for the key only once (when encrypting without -k)
-j N, --process-count N number of parallel processes to use for en/decryption; `0` for auto (default), `1` for serial
optional arguments:
-h, --help show this help message and exit
-k KEY, --key KEY the key to use for encryption; you will be prompted
for one if this is not provided (more secure)
-i INP, --input INP input file, directory or pattern as a single string
(required for encrypting; defaults to *.enc when
decrypting)
-o OUTP, --output OUTP
optionally, output file or directory; .enc will be
appended to each file
-d, --decrypt decrypt the input file(s) (as opposed to encrypt,
which is the default)
-f, --overwrite overwrite existing files when decrypting (encrypting
always overwrites)
-r, --remove shred the input file after en/decrypting (after
--check)
-c, --check test the encryption by reversing it (abort on failure)
(only for ENcryption due to salting)
-1, --once prompt for the key only once (only applicable if --key
and --decrypt are not set)
-j PROC_CNT, --process-count PROC_CNT
number of parallel processes to use for en/decryption;
0
for auto (default), 1
for serial
License
Revised BSD License; at your own risk, you can mostly do whatever you want with this code, just don't use my name for promotion and do keep the license file.