Using Automator or AppleScript to encrypt/decrypt with OpenSSL

applescriptautomatorencryptionopenssl

I would like to know how to use Automator or AppleScript to create a droplet that would compress/uncompress (tar.gz) and encrypt/decrypt with OpenSSL files and/or directories dropped in it. The workflow on what the droplet will do to encrypt would be something like this:

Files/directory is dropped on droplet
Files/directory is compressed
A password prompt is presented
OpenSSL is used to encrypt file, file is renamed to *.encrypted

To decrypt:

File is dropped on droplet
If file is named *.encrypted, a password prompt is presented. If not, do encrypt workflow
File is decrypted, and renamed
Files is uncompressed

Anyone?

Best Answer

Actually, Automator is not a bad choice for this, as it allows you to combine AppleScript and shell scripting without actually having to mix them (which leads you straight to escaping hell, after a short stay in quoting purgatory) and pass values between them an orderly fashion. Also, besides a droplet application, Automator will allow you to create a Service with excellent integration into Finder:

Create a new Automator workflow.
- either select “Application” when prompted what type of workflow to create – that will get you a droplet that processes files and folders you send to it, or
- select “Folder action” and set “Accepts selected” to “files and folders” – that will get you an item in the Finder Services and context menu of files an folders (all translations approximate, I’m on a German system).

Add a "Run AppleScript” action and edit its contents as follows:

on run {input, parameters}
    try
        tell application "System Events" to set thePassword to text returned of (display dialog "Please input your password for OpenSSL encryption" default answer "" with hidden answer)
    on error errorMessage number errorNumber
        if errorNumber is -128 then quit me -- user has canceled
        error errorMessage number errorNumber
    end try
    return (thePassword as list) & input
end run

– this will prompt the user for the encryption password and pass it as the first argument to the next action.

Add a “Run Shell Script” action, setting it to get its input through arguments (not stdin, as is default). Make sure the shell is set to /bin/bash. Edit the script contents as follows:

[[ -n $1 ]] && password="$1" && shift || exit 0
for f in "$@"; do
    if [[ ${f##*.} = "encrypted" ]]; then
        fname="${f%.encrypted}"
        openssl enc -d -aes-256-cbc -salt -in "$f" -out "$fname".tar.gz -pass pass:$password || continue
        tar -xPf "$fname".tar.gz && rm "$fname".tar.gz || continue
    else
        fname=$([[ -f $f ]] && printf "${f%.*}" || printf "$f")
        tar -czPf "$fname".tar.gz "$f" || continue 
        openssl enc -aes-256-cbc -salt -in "$fname".tar.gz -out "$fname".encrypted  -pass pass:$password && rm -f "$fname".tar.gz || continue
    fi
done

– this will decrypt and untar-gzip .encrypted files, tar-gzip and encrypt all other files and directories with AES 256-CBC encryption and the password given.

Caveat Empteor: error handling is primitive (basically, the for loop skips an iteration when it encounters an error), there is no logging and there is no failsafe against wrong password inputs (you might want to ask twice and compare the results, as the shell utility does). Disasters should not happen, though, as files are only deleted when the previous steps complete successfully.

Finally, you might want to investigate alternatives to prompting for a password – a passphrase file on a USB key, say (use -pass file:/Volumes/volname/passfile instead of -pass pass:$password, skip the Applescript step and remove the first line of the shell script), or storing your password in the OS X keychain and retrieving it programmatically (see this answer of mine on Stack Exchange for ways to do that).

Related Solutions

MacOS – Creating an automated HFS+ compressed folder

There are two parts to the answer to your question.

How to add a Finder context menu item to “Archive” files: this is easy to achieve by creating an Automator Service (Mac OS X Automation has a good overview of what the Automator services introduced in OS X 10.6 can do):
- Launch Automator, choose “Service” when prompted for the kind of workflow you want to create.
- Choose “Files or Folders” in the “Service receives” drop down (approximate translations – I’m on a German system). Optionally, set “in” drop down to “Finder”.
- Add a “Get Selected Finder Items” action.
- Add a “Move Finder Items” actions below that and set it to your target folder.
- Save your service in the default location (~/Library/Services) as “Archive”.
you now have a new service menu and context menu entry (depending on the number of services active: either on the first menu level, or in the “Services” submenu) called “Archive” that will move the selected file or folder to your target folder.
How to automate HFS+ compression of files added to your target folder: there are several ways to achieve that. You could, of course, simply add that step to your archiving service. The disadvantage of this approach is that no compression will be applied if files or folders are ever added to the folder outside the service, of course. A better approach would be to have everything in the folder be compressed automatically, without reliance on the the entry vector or user interaction.

One way is, as you have discovered, to have a compression utility run every time a file or folder is added to your watched folder:
- the way to launch a shell utility in AppleScript is the do shell script command – see the linked documentation;
- the inbuilt way to leverage filesystem events in an AppleScript is to use Folder Actions, which call AppleScripts on changes in a watched folder. What events the script reacts to are defined by the script itself, through the handlers it provides (for instance, the script in Mark’s answer has a handler for adding folder items – meaning it reacts to newly added files; see the Applescript Language Guide for the full reference). Folder Actions configuration is found in the services menu of folders in Finder (in the context menu, too).
- a turbocharged alternative to Folder Actions is Paul Kim’s Hazel (commercial software), which adds rule based processing and a plethora of criteria for filesystem event handling that go far beyond what you can achieve with simple Folder Actions – you might want to investigate Hazel if you plan on doing more or more complex stuff along the lines of what you are planning now.
An alternative to the whole scripting approach is using LateNiteSoft’s Clusters – another commercial software, that does nothing but automatically apply (and re-apply, where needed) HFS+ compression to the contents of watched folders.

Automator service for encrypting or decrypting with openssl

Select the service template, change the input type to files, add a Run Shell Script action, select pass input as arguments, and paste this script:

pass() {
    osascript - "$1" <<END
    on run args
    tell app (path to frontmost application as text)
    text returned of (display dialog ("Enter password for " & item 1 of args) default answer "")
    end
    end
END
    [ $? != 0 ] && exit 0
}

for f in "$@"; do
    if [[ "$f" == *.enc ]]; then
        pass "$f" | openssl enc -d -aes-256-cbc -pass stdin -in "$f" -out "${f%.enc}"
    else
        pass "$f.enc" | openssl enc -aes-256-cbc -salt -pass stdin -in "$f" -out "$f.enc"
    fi
done
exit 0

It doesn't show specific error messages, you have to run the service again if you enter a wrong password, and there is no way to use the same password for multiple files. It would be easier to just do it from a shell.

Best Answer

Related Solutions

MacOS – Creating an automated HFS+ compressed folder

Automator service for encrypting or decrypting with openssl

Related Question