Skip to main content

Encrypt sensitive data using SSL and Docker

ยท 4 min read
Christophe

Encrypt sensitive data using SSL and Docker

For 1,000 reasons or more, you want to encrypt a file containing text. Which software should you install? Well ... none other than Docker!

By using a Docker Alpine/OpenSSL image, it's so easy to encrypt/decrypt files using OpenSSL.

Linux scriptsโ€‹

Create a new file on your disk with this content. This is the encrypt.sh script.

#!/usr/bin/env bash

(
MY_PASSWORD="ThisIsMyLongPasswordNobodyWillBeAbleToCrackIt" &&
docker run --rm -it -v $(pwd):/data -w /data -u $(id -u):$(id -g) alpine/openssl enc -aes-256-cbc -salt -pbkdf2 -a -in /data/secrets.md -out /data/secrets_encrypted.md -k ${MY_PASSWORD}
)

And this is the decrypt.sh script:

#!/usr/bin/env bash

(
MY_PASSWORD="ThisIsMyLongPasswordNobodyWillBeAbleToCrackIt" &&
docker run --rm -it -v $(pwd):/data -w /data -u $(id -u):$(id -g) alpine/openssl enc -aes-256-cbc -salt -pbkdf2 -a -d -in /data/secrets_encrypted.md -out //data/secrets_decrypted.md -k ${MY_PASSWORD}
)

Update the MY_PASSWORD variable in both scripts to use yours.

DOS scriptsโ€‹

For the illustration purpose, the DOS encryption script, encrypt.cmd, will ask you for a password (since the -k parameter is not part of the instruction). If the encrypted file has been created, the original one will be removed from your disk.

Here is the content of the encrypt.cmd DOS script:

@echo off

cls

docker run --rm -it -v %CD%:/data -w /data alpine/openssl enc -aes-256-cbc -salt -pbkdf2 -a -in /data/secrets.md -out /data/secrets.encrypted

# Put this part in comment if you want to keep the original, unencrypted, file.
IF EXIST secrets.encrypted (
del secrets.md
)

The decryption script, decrypt.cmd will ask you for the password and will display the decrypted content on the console (since the -out parameter is not part of the instruction).

Here is the content of the decrypt.cmd DOS script:

@echo off

cls

docker run --rm -it -v C:\temp:/data -w /data alpine/openssl enc -aes-256-cbc -salt -pbkdf2 -a -d -in /data/secrets.encrypted

Use caseโ€‹

In addition to simple encryption need, one use case is to store confidential files in online systems, e.g. a versioning system such as Github, or on cloud disks (e.g. Google drive).

Command line argumentsโ€‹

The openssl enc command accepts those arguments:

OptionDescription
encEncoding with Ciphers
-aes-256-cbcThe encryption cipher to be used
-saltAdds strength to the encryption
-pbkdf2Generate a PBKDF2 key derivation of a supplied password
-aEncrypted data should be in Base64 and not binary
-dDecrypt action (if -d is missing, action is encryt)
-inSpecifies the input file
-outSpecifies the output file
-kProvide the password to use

Decrypt on the console, don't write a fileโ€‹

Edit the decrypt.sh (or decrypt.cmd) script and search for -out /data/secrets_decrypted.md. Remove that part.

Now, when you'll run decrypt.sh the decrypted content will be displayed on the console only, nothing will be written on the disk. Your secrets are safe.

Exampleโ€‹

Imagine a text file like secrets.md with this content:

# My password

## My secret site

### FTP server

* Name: `127.0.0.1`
* Login: `admin`
* Password: `admin`

### Admin interface

* URL: `https://..../admin`
* Login: `admin`
* Password: `admin`

By running the encrypt.sh script, the file secrets_encrypted.md will be created on your disk and will have this content:

U2FsdGVkX18jyyHAiaDcwolgvrCmB9SutNFhOFosDZvYA+t/8F5PWsxU+YIb0xLj
/0swl1Mvh9XBcg3FwpQn5CGm5ltb3zKiExPO8WoTuYOmlJj2PN5eLJv3GWVVJ8/t
q31xBBAlbI0k+a3pWiETl1qEmh4hwc4jeC5NOByYSAojiIdCNF0W5+VVkUlBeKGb
sv8tpDWEb/dgHrfFPtZD5MqeNQw71/ndORZC1ZDIT/Ju6O7a6rd9ph0aQuPz49PU
SzDUePUgn9wbR0tZvNM1JA1LkN1kDaguJ940TdKns+Q=

From now, you can remove secrets.md since you've the encrypted version.

To retrieve the original content, just run the decrypt.sh script.

By running that command (or by running decrypt.sh), you'll decrypt the file secrets_encrypted.md and get a newer one called secrets_decrypted.md.