Automator service for encrypting or decrypting with openssl

automatorencryptionservices

Can I create two Automator services that allow me to encrypt or decrypt files? So I would right click a file and click 'Encrypt', the .txt file would be encrypted to a .enc using openssl:

pass=$(osascript -e 'tell app (path to frontmost application as text)
text returned of (display dialog "Enter password:" default answer "")
end')
for f in "$@"; do
    printf %s "$pass" | openssl enc -aes-256-cbc -salt -in "$f" -out "${f%.*}.enc" -pass stdin
done

Can I create a decrypt version that will give me the original .txt file back? Or can I write one service that knows if I want to encrypt or decrypt and run in the way necessary?

Best Answer

Select the service template, change the input type to files, add a Run Shell Script action, select pass input as arguments, and paste this script:

pass() {
    osascript - "$1" <<END
    on run args
    tell app (path to frontmost application as text)
    text returned of (display dialog ("Enter password for " & item 1 of args) default answer "")
    end
    end
END
    [ $? != 0 ] && exit 0
}

for f in "$@"; do
    if [[ "$f" == *.enc ]]; then
        pass "$f" | openssl enc -d -aes-256-cbc -pass stdin -in "$f" -out "${f%.enc}"
    else
        pass "$f.enc" | openssl enc -aes-256-cbc -salt -pass stdin -in "$f" -out "$f.enc"
    fi
done
exit 0

It doesn't show specific error messages, you have to run the service again if you enter a wrong password, and there is no way to use the same password for multiple files. It would be easier to just do it from a shell.

Related Solutions

How to make an automator service always show up

In Automator at the very top of your workflow, there is a dropdown box for which the prompt reads Service receives selected. If you are getting the results you report, the word text likely appears in the dropdown box. Change it to no input and save the service.

enter image description here

Using Automator or AppleScript to encrypt/decrypt with OpenSSL

Actually, Automator is not a bad choice for this, as it allows you to combine AppleScript and shell scripting without actually having to mix them (which leads you straight to escaping hell, after a short stay in quoting purgatory) and pass values between them an orderly fashion. Also, besides a droplet application, Automator will allow you to create a Service with excellent integration into Finder:

Create a new Automator workflow.
- either select “Application” when prompted what type of workflow to create – that will get you a droplet that processes files and folders you send to it, or
- select “Folder action” and set “Accepts selected” to “files and folders” – that will get you an item in the Finder Services and context menu of files an folders (all translations approximate, I’m on a German system).

Add a "Run AppleScript” action and edit its contents as follows:

on run {input, parameters}
    try
        tell application "System Events" to set thePassword to text returned of (display dialog "Please input your password for OpenSSL encryption" default answer "" with hidden answer)
    on error errorMessage number errorNumber
        if errorNumber is -128 then quit me -- user has canceled
        error errorMessage number errorNumber
    end try
    return (thePassword as list) & input
end run

– this will prompt the user for the encryption password and pass it as the first argument to the next action.

Add a “Run Shell Script” action, setting it to get its input through arguments (not stdin, as is default). Make sure the shell is set to /bin/bash. Edit the script contents as follows:

[[ -n $1 ]] && password="$1" && shift || exit 0
for f in "$@"; do
    if [[ ${f##*.} = "encrypted" ]]; then
        fname="${f%.encrypted}"
        openssl enc -d -aes-256-cbc -salt -in "$f" -out "$fname".tar.gz -pass pass:$password || continue
        tar -xPf "$fname".tar.gz && rm "$fname".tar.gz || continue
    else
        fname=$([[ -f $f ]] && printf "${f%.*}" || printf "$f")
        tar -czPf "$fname".tar.gz "$f" || continue 
        openssl enc -aes-256-cbc -salt -in "$fname".tar.gz -out "$fname".encrypted  -pass pass:$password && rm -f "$fname".tar.gz || continue
    fi
done

– this will decrypt and untar-gzip .encrypted files, tar-gzip and encrypt all other files and directories with AES 256-CBC encryption and the password given.

Caveat Empteor: error handling is primitive (basically, the for loop skips an iteration when it encounters an error), there is no logging and there is no failsafe against wrong password inputs (you might want to ask twice and compare the results, as the shell utility does). Disasters should not happen, though, as files are only deleted when the previous steps complete successfully.

Finally, you might want to investigate alternatives to prompting for a password – a passphrase file on a USB key, say (use -pass file:/Volumes/volname/passfile instead of -pass pass:$password, skip the Applescript step and remove the first line of the shell script), or storing your password in the OS X keychain and retrieving it programmatically (see this answer of mine on Stack Exchange for ways to do that).

Best Answer

Related Solutions

How to make an automator service always show up

Using Automator or AppleScript to encrypt/decrypt with OpenSSL

Related Question