Encrypting pipes/socat/netcat with openssl


On the sending side:

 uname -a | openssl enc -aes-256-cbc -k myoutofbandpassword | socat - TCP4:destinationhost:5001

On the receiving side:

 socat TCP4-LISTEN:5001 - | openssl enc -aes-256-cbc -d -k myoutofbandpassword

The above example will send the output of uname -a on the sending machine to the receiving machine at address destinationhost:5001. This output is encrypted and then later decrypted using a one-time password, myoutofbandpassword.

Of course, socat has a method that handles encryption (and optionally authentication too) all in one address type. The following should be essentially equivalent to the above:

On the sending side:

 uname -a | socat - OPENSSL:destinationhost:5001,verify=0,cipher=aNULL

On the receiving side:

 socat OPENSSL-LISTEN:5001,verify=0,cipher=aNULL -

Here, the output of uname -a is still encrypted, but uses SSL to negotiate a temporary private key. (This is no less secure if you trust in maths.) This now requires two-way communication. The “aNULL” option means that no authentication is used: anyone can connect and start an encrypted session.

If your sending-side doesn’t have socat, or socat is built without openssl support (such as with SmartOS’s pkgin version), you can use the “openssl” command directly:

 uname -a | openssl s_client -cipher aNULL -connect destinationhost:5001

Example wrapper/helper script

See symencrypt. Create files/symlinks named symencrypt and symdecrypt with the same content. This script implements the first example: one-way communication, key chosen and sent out of band, and no network.