Using Automator or AppleScript to encrypt/decrypt with OpenSSL
I would like to know how to use Automator or AppleScript to create a droplet that would compress/uncompress (tar.gz) and encrypt/decrypt with OpenSSL files and/or directories dropped in it. The workflow on what the droplet will do to encrypt would be something like this:
- Files/directory is dropped on droplet
- Files/directory is compressed
- A password prompt is presented
- OpenSSL is used to encrypt file, file is renamed to *.encrypted
To decrypt:
- File is dropped on droplet
- If file is named *.encrypted, a password prompt is presented. If not, do encrypt workflow
- File is decrypted, and renamed
- Files is uncompressed
Anyone?
Solution 1:
Actually, Automator is not a bad choice for this, as it allows you to combine AppleScript and shell scripting without actually having to mix them (which leads you straight to escaping hell, after a short stay in quoting purgatory) and pass values between them an orderly fashion. Also, besides a droplet application, Automator will allow you to create a Service with excellent integration into Finder:
- Create a new Automator workflow.
- either select “Application” when prompted what type of workflow to create – that will get you a droplet that processes files and folders you send to it, or
- select “Folder action” and set “Accepts selected” to “files and folders” – that will get you an item in the Finder Services and context menu of files an folders (all translations approximate, I’m on a German system).
-
Add a "Run AppleScript” action and edit its contents as follows:
on run {input, parameters} try tell application "System Events" to set thePassword to text returned of (display dialog "Please input your password for OpenSSL encryption" default answer "" with hidden answer) on error errorMessage number errorNumber if errorNumber is -128 then quit me -- user has canceled error errorMessage number errorNumber end try return (thePassword as list) & input end run– this will prompt the user for the encryption password and pass it as the first argument to the next action.
-
Add a “Run Shell Script” action, setting it to get its input through arguments (not
stdin, as is default). Make sure the shell is set to/bin/bash. Edit the script contents as follows:[[ -n $1 ]] && password="$1" && shift || exit 0 for f in "$@"; do if [[ ${f##*.} = "encrypted" ]]; then fname="${f%.encrypted}" openssl enc -d -aes-256-cbc -salt -in "$f" -out "$fname".tar.gz -pass pass:$password || continue tar -xPf "$fname".tar.gz && rm "$fname".tar.gz || continue else fname=$([[ -f $f ]] && printf "${f%.*}" || printf "$f") tar -czPf "$fname".tar.gz "$f" || continue openssl enc -aes-256-cbc -salt -in "$fname".tar.gz -out "$fname".encrypted -pass pass:$password && rm -f "$fname".tar.gz || continue fi done– this will decrypt and untar-gzip
.encryptedfiles, tar-gzip and encrypt all other files and directories with AES 256-CBC encryption and the password given.
Caveat Empteor: error handling is primitive (basically, the for loop skips an iteration when it encounters an error), there is no logging and there is no failsafe against wrong password inputs (you might want to ask twice and compare the results, as the shell utility does). Disasters should not happen, though, as files are only deleted when the previous steps complete successfully.
Finally, you might want to investigate alternatives to prompting for a password – a passphrase file on a USB key, say (use -pass file:/Volumes/volname/passfile instead of -pass pass:$password, skip the Applescript step and remove the first line of the shell script), or storing your password in the OS X keychain and retrieving it programmatically (see this answer of mine on Stack Exchange for ways to do that).
Solution 2:
I built an applescript droplet to compress & encrypt a folder. You may need to switch cases on compress & decompress and change command to achieve the same.
https://github.com/palaniraja/PassArchive
look at the code - https://github.com/palaniraja/PassArchive/blob/master/PassArchive.app/Contents/Resources/Scripts/main.scpt
My script is basically a little more beautified version of
http://hints.macworld.com/article.php?story=20040923120629702