Bash glue to encrypt and hide files
Chest allows you to encrypt any file/folder and move it to a hidden directory on your machine. When needed you can retrieve it from the chest into the current working directory.
Chest makes use of password based AES256 encryption with a strong key derivation function provided by
gpg to make sure your data is secure.
Your chest can easily by synced between machines via any third party cloud storage providers such as Dropbox or Google Drive etc.
I wanted something that was:
- Highly secure to store stuff like Bitcoin private keys
- Easily accessible from the CLI (quickly encrypt/decrypt)
- Can handle directories or files
- Sync-able between machines
- Usable interactively or scriptable
- Password based (keys are in my brain, not on my machine)
- Keeps me completely in control of my data
- Allows me to choose whether to store locally or replicate to the cloud/VPS etc
- Simple and easy to understand source code
- No crazy dependencies
Chest ticks all those boxes. It's under 300 lines of fairly simple Bash, and about 90% of that are just CLI helper methods. The core encryption logic is easily understandable and is only a handful of lines.
It's basically a shell script wrapper around
tar | gpg so you don't have to hand type commands like:
# Encrypt secret-folder tar -cvzf - "secret-folder" | gpg -c --cipher-algo AES256 > "secret-folder.tar.gz.gpg" # Decrypt secret-folder gpg -d "secret-folder.tar.gz.gpg" | tar -xvzf -
$ chest -h chest 0.4.0 Usage: chest -e [folder|file] chest -d [key] -h Help. Display this message and quit. -e Encrypt data and send to chest. -d Decrypt data from chest. -z Compress (zip) data before sending to chest. -r Remove original data after sending to chest. -l List items in chest. -k [key] Set key to save/retrieve. -p [password] Set password. (omit to be prompted)
The directory all of your encrypted data will be stored in.
gpg will cache passwords for as long as the
gpg agent is running. This means you don't need to keep re-entering the same password to decrypt the same file. This is useful for certain use cases but for storing highly sensitive data is probably not what you want. By default we reload the
gpg agent each time you enter a password to ensure they aren't cached.
You can diable this by setting
As long as you're using strong passwords, it's safe to replicate your Chest to the cloud. Everything will be encrypted before it leaves your machine and the keys are safely stored in your brain.
To re-iterate, you must use a sufficiently random password for cloud backup to be safe. If you don't fully understand this, do not replicate your chest to third-party cloud providers.
For example to set this up with Dropbox, you could either do:
ln -s ~/.chest ~/Dropbox/chest
Now your encrypted files will be safely replicated around the world on Dropbox's servers to prevent against data loss.
You can also do this across multiple machines to keep your Chest in sync between them.
brew install lukechilds/tap/chest
Just clone this repo and either copy/symlink
chest to your PATH or run the script directly with
gpg to be installed.
MIT © Luke Childs