Enigmafy is a shell script that makes encrypting multiple archives an easy task.
Under the hood, Enigmafy first packs the desired archive or folder into a single gzip-compressed file, then encrypts it using AGE. Optionally, the SHA512 hash of the encrypted file is calculated and stored in a file, which is signed with an ssh key.
When decrypting, Enigmafy can check the signature and verify the hash, providing both integrity and authenticity checks.
The private AGE key should be symmetrically encrypted with a passphrase in accordance with the NIST 800-63B guidelines, which specify a minimum length of 15 characters. This protects the private key against immediate misuse if the key file is exposed, since an adversary would first have to brute-force the passphrase.
To create an encrypted private key, run:
age-keygen | age -p > backup.age
git clone https://github.com/cibero42/enigmafy.git
The installation script requires root privileges:
cd enigmafy/
sudo ./install.sh
To simply encrypt an archive:
enigmafy -e receivers_public_keys your_archive
It's also possible to calculate its hash and sign it using an ssh key, via the -s option:
enigmafy -e receivers_public_keys -s private_ssh_key your_archive
You can send the encrypted archive to an S3 bucket using -u. Before using it, you need to configure your remote in rclone by running rclone config.
enigmafy -e receivers_public_keys -s private_ssh_key -u remote:your/bucket/path your_archive
To decrypt an archive:
enigmafy -d private_age_key your_archive.age
To verify the sender before decrypting:
enigmafy -d private_age_key -s sender_public_ssh_key your_archive.age
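The seal-and-open flow described above, written out as an added POSIX sh example (this is not Enigmafy's own script; the function names, file names and the "alice" principal are made up for the demo). It assumes age, age-keygen, ssh-keygen (OpenSSH 8.0+ for -Y sign/verify), GNU sha512sum and tar are installed.

```shell
#!/bin/sh
# Added example, not Enigmafy's own code: the seal/open pipeline the README
# describes (tar+gzip -> age -> SHA512 manifest -> ssh signature).
# Assumes age, age-keygen, ssh-keygen (OpenSSH 8.0+), GNU sha512sum and tar.
set -eu

# Package, encrypt, hash and sign.
# $1 = file or folder, $2 = recipient age public key, $3 = signer's ssh private
# key, $4 = output base name (relative path; the manifest records "$4.age").
enigma_seal() {
  src=$1 recipient=$2 ssh_key=$3 out=$4
  tar -czf "$out.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
  age -r "$recipient" -o "$out.age" "$out.tar.gz"
  rm -f "$out.tar.gz"                        # drop the plaintext archive
  sha512sum "$out.age" > "$out.sha512"       # hash of the ciphertext
  ssh-keygen -Y sign -f "$ssh_key" -n file "$out.sha512"  # -> $out.sha512.sig
}

# Verify signature, then hash, then decrypt; never decrypt after a failed check.
# $1 = base name, $2 = allowed_signers file, $3 = principal, $4 = age identity.
# Returns 1 on a bad signature, 2 on a hash mismatch, age's status otherwise.
enigma_open() {
  base=$1 signers=$2 principal=$3 identity=$4
  ssh-keygen -Y verify -f "$signers" -I "$principal" -n file \
    -s "$base.sha512.sig" < "$base.sha512" || return 1
  sha512sum --check --status "$base.sha512" || return 2
  age -d -i "$identity" -o "$base.tar.gz" "$base.age"
}

# Round trip on constructed data, then corrupt the ciphertext and confirm the
# hash check rejects it. Returns 0 on success, 3 if a dependency is missing.
demo_roundtrip() {
  for t in age age-keygen ssh-keygen sha512sum tar; do
    command -v "$t" >/dev/null 2>&1 || return 3
  done
  (
    cd "$(mktemp -d)"
    mkdir data restore; echo "constructed sample payload" > data/note.txt
    age-keygen -o key.txt 2>/dev/null; pub=$(age-keygen -y key.txt)
    ssh-keygen -q -t ed25519 -N '' -f signer            # demo signing key
    printf 'alice %s\n' "$(cut -d' ' -f1,2 signer.pub)" > allowed_signers
    enigma_seal data "$pub" signer backup
    enigma_open backup allowed_signers alice key.txt
    tar -xzf backup.tar.gz -C restore
    cmp -s data/note.txt restore/data/note.txt
    echo tampered >> backup.age             # simulate corruption in transit
    rc=0; enigma_open backup allowed_signers alice key.txt || rc=$?
    [ "$rc" -eq 2 ]                         # must be rejected at the hash step
  )
}

if [ "${1:-}" = "--demo" ]; then demo_roundtrip; fi
```

Run it as `sh enigmafy_demo.sh --demo`; the signature is checked before the hash and the hash before decryption, so a corrupted .age file is rejected without ever touching the private key.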
For the full list of options, run:
enigmafy -h