ENC(1) General Commands Manual ENC(1)

encencrypt and decrypt files

enc [-acdef] [file ...]

enc encrypts and decrypts files using ChaCha20 via openssl(1). When encrypting files, the .enc extension is added. When decrypting files, the .enc extension is removed, if possible. Otherwise output is written to standard output. Input files are not removed. If no files are provided, standard input is encrypted or decrypted.

The arguments are as follows:

Encrypted data is Base64-encoded.
Always write to standard output.
Decrypt.
Encrypt. This is the default.
Do not ask to confirm overwriting files.

$ enc secret.txt
$ rm secret.txt
$ enc -d secret.txt.enc
January 30, 2022 OpenBSD 7.3

enc.sh in git

#!/bin/sh
set -eu

readonly Command='openssl enc -ChaCha20 -pbkdf2'

base64=
stdout=false
mode=encrypt
force=false

while getopts 'acdef' opt; do
	case $opt in
		(a) base64=-a;;
		(c) stdout=true;;
		(d) mode=decrypt;;
		(e) mode=encrypt;;
		(f) force=true;;
		(?) exit 1;;
	esac
done
shift $((OPTIND - 1))

confirm() {
	$force && return 0
	while :; do
		printf '%s: overwrite %s? [y/N] ' "$0" "$1" >&2
		read -r confirm
		case "$confirm" in
			(Y*|y*) return 0;;
			(N*|n*|'') return 1;;
		esac
	done
}

encrypt() {
	if test -z "${1:-}"; then
		$Command -e $base64
	elif $stdout; then
		$Command -e $base64 -in "$1"
	else
		input=$1
		output="${1}.enc"
		if test -e "$output" && ! confirm "$output"; then
			return
		fi
		$Command -e $base64 -in "$input" -out "$output"
	fi
}

decrypt() {
	if test -z "${1:-}"; then
		$Command -d $base64
	elif $stdout || [ "${1%.enc}" = "$1" ]; then
		$Command -d $base64 -in "$1"
	else
		input=$1
		output=${1%.enc}
		if test -e "$output" && ! confirm "$output"; then
			return
		fi
		$Command -d $base64 -in "$input" -out "$output"
	fi
}

for input; do
	$mode "$input"
done
if [ $# -eq 0 ]; then
	$mode
fi