April 22nd, 2013
A few months ago, I wrote about the use of SSH Keys to share secrets. That is, they can be used to encrypt and decrypt text messages between multiple parties. Even though other solutions exist, SSH keys are useful in this regard because many organizations already use them for access to their hosts. That is, they have a central place (local file systems on shared hosts as well as, perhaps, LDAP) where public keys are stored that are already trusted to belong to the given person.
The commands to encrypt content with a public SSH key are not terribly sophisticated, but cumbersome to remember. What's more, the example I gave in the previously mentioned blog post only allows you to encrypt content smaller than the public key in question, and only for a single recipient. In order to make it easier for people to share secrets, I therefore wrote a small wrapper called jass(1).
jass(1) will convert the given public key(s) into PKCS8 format, allowing them to be used with openssl(1)'s rsautl(1) utility. (For this, it uses ssh-keygen(1)'s "-m PKCS8" option, which unfortunately is only available in SSH >= 5.6.) jass(1) will then generate a 256-bit session key. This session key is encrypted using the user's public key, while the data itself is encrypted using AES-256-CBC mode with said session key.
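The scheme described above, written out for a single RSA recipient as an added example; it is not jass(1)'s own code. The function names, the key.enc/data.enc file names, the use of pkeyutl (the successor to rsautl) with OAEP padding, and the -pbkdf2 key derivation are choices made for this example.

```shell
#!/bin/sh
# Added example (not jass source): hybrid encryption to an SSH RSA public key.
# Assumes OpenSSH >= 5.6 (for -m PKCS8) and OpenSSL >= 1.1.1 (for -pbkdf2).

# encrypt_for_sshkey PUBKEY INFILE OUTDIR
# Writes OUTDIR/key.enc (RSA-wrapped session key) and OUTDIR/data.enc (AES data).
encrypt_for_sshkey() {
    e_pub=$1; e_src=$2; e_out=$3
    e_tmp=$(mktemp -d) || return 1      # private (0700) scratch directory
    # 1. Convert the OpenSSH public key into PEM that openssl can read.
    ssh-keygen -e -m PKCS8 -f "$e_pub" > "$e_tmp/pub.pem" &&
    # 2. Generate a 256-bit random session key (64 hex characters).
    openssl rand -hex 32 > "$e_tmp/session.key" &&
    # 3. Wrap the small session key with the recipient's RSA public key.
    openssl pkeyutl -encrypt -pubin -inkey "$e_tmp/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$e_tmp/session.key" -out "$e_out/key.enc" &&
    # 4. Encrypt data of any size with AES-256-CBC keyed from the session key.
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$e_tmp/session.key" \
        -in "$e_src" -out "$e_out/data.enc"
    e_rc=$?
    rm -rf "$e_tmp"                     # the clear session key is not kept
    return $e_rc
}

# decrypt_with_sshkey PRIVKEY DIR
# PRIVKEY must be a PEM-format RSA private key (ssh-keygen -m PEM).
# Prints the recovered plaintext on stdout.
decrypt_with_sshkey() {
    d_priv=$1; d_dir=$2
    d_tmp=$(mktemp -d) || return 1
    # Unwrap the session key, then use it to decrypt the data.
    openssl pkeyutl -decrypt -inkey "$d_priv" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d_dir/key.enc" -out "$d_tmp/session.key" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$d_tmp/session.key" \
        -in "$d_dir/data.enc"
    d_rc=$?
    rm -rf "$d_tmp"
    return $d_rc
}
```

AES-256-CBC provides confidentiality only, so a recipient who needs to detect tampering has to verify the message by a separate means such as a signature.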
You can get jass(1):
In order to send a secret message to the local user 'jschauma' (assuming a public SSH key can be found on either the local system or stored in LDAP), you could then run the following commands:
    echo "The lion sleeps." | jass -u jschauma | \
        mail -s "Nothing to see here" jschauma
The manual page provides further details and example usage. Happy secret sharing!