openssl enc

I had to transfer my /Users directory to some other machine. I did not want to save it in the clear on the other machine, but time was an issue so I was looking for a fast solution, with a fast cipher. Also, I could not use rsync, as I did not trust the remote machine's filesystem to handle symlinks/permissions/ownerships very well. These were my options:

  • No cipher: I could tar the whole directory up and write it to a large tarball and save it on a Truecrypt volume already set up (and large enough) on the remote side. However, the tarball would be larger than 4GB but the volume has been formatted with FAT32, which won't handle files that big.

  • Some years ago I came across aespipe, doing exactly what the name suggests. I did not have it installed though and I would've liked to do this with the tools already at hand. Also, while AES sure is fast, it might be a bit overkill for this particular purpose.

  • Why not use openssl? It's installed on most systems, but I hardly use it (knowingly). Let's try:

    alice$ tar -cf - foo/ | ssh bob \
           "openssl enc -e -k s3cr3t -rc4 -out /tmp/foo.tar.rc4"
    
      bob$ openssl enc -d -rc4 -in /tmp/foo.tar.rc4 | tar -tf -
    enter rc4 decryption password:
    [....]
    

  • Perfect, works like a charm! And since RC4 is basically just XOR (well, not really :-)), it should prove to be pretty fast (9,2GB of data in 15min, that's 10MB/s - and I think I was hitting some other bottleneck, as both CPUs were not running at full speed.) Oh, yes RC4 is not to be trusted anymore, but it's perfectly fine for this particular setup of mine. Really. Come to think of it I could've just used rot13, but I've never used this with binary data.

Update: Apparently aespipe compiles under MacOS X too and now I remember the pain of using it:

    alice$ tar -cf - foo/ | ssh bob "aespipe -w5 > /tmp/foo.tar.enc"
    Password:
    Error: Unable to allocate memory

Oh dear. So maybe aespipe has a problem when it can't allocate a tty (passing -t/-T to ssh did not help). But what if we run aespipe locally:

    alice$ tar -cf - foo/ | aespipe -p3 | ssh bob "cat > /tmp/foo.tar.enc"
    Error: Password must be at least 20 characters.
    Password:

Ah, right - I'd have to set up fd3 first so that aespipe can read a password from it.
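
The fd 3 approach mentioned for aespipe also works with `openssl enc` through `-pass fd:3`, which keeps the passphrase out of the command line where `-k` places it. The script below is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or newer, substitutes `-aes-256-ctr` for `-rc4`, and its function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. The passphrase reaches openssl on
# file descriptor 3 (-pass fd:3), so it is never part of a command line.
# Assumptions: OpenSSL 1.1.1 or newer (for -pbkdf2); -aes-256-ctr is used
# in place of the post's -rc4; all function and file names are hypothetical.
# Note: `openssl enc` gives confidentiality only, no integrity check.
CIPHER=-aes-256-ctr

# encrypt_dir DIR OUTFILE PASSFILE: tar DIR and encrypt the stream to OUTFILE.
encrypt_dir() {
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl enc -e "$CIPHER" -pbkdf2 -pass fd:3 -out "$2" 3< "$3"
}

# decrypt_extract INFILE PASSFILE DESTDIR: decrypt and unpack into DESTDIR.
decrypt_extract() {
    openssl enc -d "$CIPHER" -pbkdf2 -pass fd:3 -in "$1" 3< "$2" |
        tar -xf - -C "$3"
}

# roundtrip_demo: builds constructed sample data and returns 0 if the
# restored file matches the original byte for byte.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/foo" "$work/restore"
    printf 'constructed sample file\n' > "$work/foo/a.txt"
    printf '%s\n' 'constructed passphrase, not a real secret' > "$work/pass"
    encrypt_dir "$work/foo" "$work/foo.tar.enc" "$work/pass" &&
        decrypt_extract "$work/foo.tar.enc" "$work/pass" "$work/restore" &&
        cmp -s "$work/foo/a.txt" "$work/restore/foo/a.txt"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run the constructed round trip only when invoked as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then roundtrip_demo && echo "round trip ok"; fi
```

In the post's pipeline the same redirection would sit on the side that runs openssl, with the passphrase file readable only by its owner.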