Using Automator or AppleScript to encrypt/decrypt with OpenSSL


I would like to know how to use Automator or AppleScript to create a droplet that would compress/uncompress (tar.gz) and encrypt/decrypt with OpenSSL files and/or directories dropped in it. The workflow on what the droplet will do to encrypt would be something like this:

  • Files/directory is dropped on droplet
  • Files/directory is compressed
  • A password prompt is presented
  • OpenSSL is used to encrypt file, file is renamed to *.encrypted

To decrypt:

  • File is dropped on droplet
  • If file is named *.encrypted, a password prompt is presented. If not, do encrypt workflow
  • File is decrypted, and renamed
  • Files is uncompressed


Best Answer

Actually, Automator is not a bad choice for this, as it allows you to combine AppleScript and shell scripting without actually having to mix them (which leads you straight to escaping hell, after a short stay in quoting purgatory) and pass values between them an orderly fashion. Also, besides a droplet application, Automator will allow you to create a Service with excellent integration into Finder:

  1. Create a new Automator workflow.
    • either select “Application” when prompted what type of workflow to create – that will get you a droplet that processes files and folders you send to it, or
    • select “Folder action” and set “Accepts selected” to “files and folders” – that will get you an item in the Finder Services and context menu of files an folders (all translations approximate, I’m on a German system).
  2. Add a "Run AppleScript” action and edit its contents as follows:

    on run {input, parameters}
            tell application "System Events" to set thePassword to text returned of (display dialog "Please input your password for OpenSSL encryption" default answer "" with hidden answer)
        on error errorMessage number errorNumber
            if errorNumber is -128 then quit me -- user has canceled
            error errorMessage number errorNumber
        end try
        return (thePassword as list) & input
    end run

    – this will prompt the user for the encryption password and pass it as the first argument to the next action.

  3. Add a “Run Shell Script” action, setting it to get its input through arguments (not stdin, as is default). Make sure the shell is set to /bin/bash. Edit the script contents as follows:

    [[ -n $1 ]] && password="$1" && shift || exit 0
    for f in "$@"; do
        if [[ ${f##*.} = "encrypted" ]]; then
            openssl enc -d -aes-256-cbc -salt -in "$f" -out "$fname".tar.gz -pass pass:$password || continue
            tar -xPf "$fname".tar.gz && rm "$fname".tar.gz || continue
            fname=$([[ -f $f ]] && printf "${f%.*}" || printf "$f")
            tar -czPf "$fname".tar.gz "$f" || continue 
            openssl enc -aes-256-cbc -salt -in "$fname".tar.gz -out "$fname".encrypted  -pass pass:$password && rm -f "$fname".tar.gz || continue

    – this will decrypt and untar-gzip .encrypted files, tar-gzip and encrypt all other files and directories with AES 256-CBC encryption and the password given.

Caveat Empteor: error handling is primitive (basically, the for loop skips an iteration when it encounters an error), there is no logging and there is no failsafe against wrong password inputs (you might want to ask twice and compare the results, as the shell utility does). Disasters should not happen, though, as files are only deleted when the previous steps complete successfully.

Finally, you might want to investigate alternatives to prompting for a password – a passphrase file on a USB key, say (use -pass file:/Volumes/volname/passfile instead of -pass pass:$password, skip the Applescript step and remove the first line of the shell script), or storing your password in the OS X keychain and retrieving it programmatically (see this answer of mine on Stack Exchange for ways to do that).