tcreech.com

Encrypting pipes/socat/netcat with openssl

Example

On the sending side:

 uname -a | openssl enc -aes-256-cbc -k myoutofbandpassword | socat - TCP4:destinationhost:5001

On the receiving side:

 socat TCP4-LISTEN:5001 - | openssl enc -aes-256-cbc -d -k myoutofbandpassword

The example above sends the output of uname -a on the sending machine to the receiving machine at destinationhost:5001. The output is encrypted before it leaves the pipe and decrypted on arrival using a one-time password, myoutofbandpassword, that both sides agreed on out of band.

Of course, socat has a method that handles encryption (and optionally authentication too) all in one address type. The following should be essentially equivalent to the above:

On the sending side:

 uname -a | socat - OPENSSL:destinationhost:5001,verify=0,cipher=aNULL

On the receiving side:

 socat OPENSSL-LISTEN:5001,verify=0,cipher=aNULL -

Here, the output of uname -a is still encrypted, but SSL/TLS is used to negotiate an ephemeral session key (an anonymous Diffie-Hellman exchange) instead of a pre-shared password. Against a passive eavesdropper this is no less secure, if you trust the maths; because nothing is authenticated, an active attacker who can intercept the connection could impersonate either side. This now requires two-way communication. The “aNULL” option means that no authentication is used: anyone can connect and start an encrypted session.

If your sending side doesn’t have socat, or socat is built without openssl support (such as with SmartOS’s pkgin version), you can use the “openssl” command directly:

 uname -a | openssl s_client -cipher aNULL -connect destinationhost:5001
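The socat OPENSSL address type can also authenticate both ends, which closes the impersonation gap left by cipher=aNULL,verify=0. The script below is an added example, not from the original page: each side gets its own self-signed identity, the peer's certificate is copied over out of band (compare the fingerprint on a separate channel), and both socat commands run with verify=1. It assumes openssl and socat on PATH; the directory, file and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): socat OPENSSL with certificate authentication
# on both sides, the hardened counterpart of the cipher=aNULL,verify=0 commands above.
# Assumes openssl and socat are on PATH; directory, file and host names are constructed placeholders.
set -eu

# make_identity <dir> <name> <cn>: create a self-signed identity (private key + certificate).
# Each side gets its own; the *other* side's .crt is what you copy over out of band.
# The server's CN should be the host name or address clients connect to.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# cert_fingerprint <cert>: SHA-256 fingerprint to compare over a separate channel before trusting the file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# receive <dir> <port>: present server.crt, accept only clients whose certificate validates against client.crt.
receive() {
  socat "OPENSSL-LISTEN:$2,reuseaddr,cert=$1/server.crt,key=$1/server.key,cafile=$1/client.crt,verify=1" -
}

# send <dir> <host> <port>: present client.crt, accept only a server whose certificate validates against server.crt.
send() {
  socat - "OPENSSL:$2:$3,cert=$1/client.crt,key=$1/client.key,cafile=$1/server.crt,verify=1"
}

# Loopback demonstration, run only when DEMO=1 is set: generate both identities, then ship uname -a.
if [ "${DEMO:-0}" = 1 ]; then
  workdir=$(mktemp -d)
  make_identity "$workdir" server 127.0.0.1
  make_identity "$workdir" client sender
  echo "server fingerprint: $(cert_fingerprint "$workdir/server.crt")"
  receive "$workdir" 5001 &
  sleep 1
  uname -a | send "$workdir" 127.0.0.1 5001
  wait
fi
```

Because each side's cafile contains exactly the peer's self-signed certificate, verify=1 accepts that one identity and nothing else. socat 1.7.3 and later additionally compare the server certificate's CN (or subjectAltName) against the host you connect to, so issue the server certificate for that name or pass the openssl-commonname option.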

Example wrapper/helper script

See symencrypt. Create files/symlinks named symencrypt and symdecrypt with the same content. This script implements the first example: one-way communication, key chosen and sent out of band, and no network.
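As an added illustration of the first example and of a wrapper in the spirit of symencrypt (this is not the author's script), the following does the symmetric part only: plaintext in, ciphertext out, direction chosen by the name it is invoked under. It differs from the bare openssl enc -k command in two ways a practitioner would want: the passphrase comes from a file named by the SYMKEY_FILE variable rather than the command line, where -k would leave it visible in the process list, and key derivation uses -pbkdf2 instead of the legacy default. It assumes openssl 1.1.1 or newer; SYMKEY_FILE and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example wrapper (not the author's symencrypt script): symmetric encryption of stdin to
# stdout with openssl enc, selecting encrypt or decrypt by the name it was invoked under.
# Assumes openssl 1.1.1 or newer (for -pbkdf2/-iter) and a passphrase file named by SYMKEY_FILE.
set -eu

# Cipher and key derivation, shared by both directions. -salt makes repeated encryptions of the
# same input differ; -pbkdf2 with a high iteration count replaces the legacy single-pass KDF
# that openssl enc uses by default.
ENC_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 200000"

# symencrypt <passphrase-file>: plaintext on stdin, ciphertext on stdout.
# The passphrase is read from a file (-pass file:) so it never appears in the process list
# the way -k <password> does.
symencrypt() {
  openssl enc $ENC_OPTS -pass "file:$1"
}

# symdecrypt <passphrase-file>: ciphertext on stdin, plaintext on stdout.
# AES-CBC carries no integrity check: a wrong passphrase or a modified ciphertext usually
# fails with "bad decrypt", but can also decrypt "successfully" to garbage, so a zero exit
# status is not proof that the data is intact.
symdecrypt() {
  openssl enc $ENC_OPTS -d -pass "file:$1"
}

# Dispatch on the invoked name, so symencrypt and symdecrypt can be symlinks to this one file.
case "${0##*/}" in
  symencrypt) symencrypt "${SYMKEY_FILE:?set SYMKEY_FILE to the passphrase file}" ;;
  symdecrypt) symdecrypt "${SYMKEY_FILE:?set SYMKEY_FILE to the passphrase file}" ;;
esac
```

Used in place of the openssl enc stage of the first example: on the sending side, uname -a | SYMKEY_FILE=./key ./symencrypt | socat - TCP4:destinationhost:5001, and on the receiving side, socat TCP4-LISTEN:5001 - | SYMKEY_FILE=./key ./symdecrypt, with the key file distributed out of band as before.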