{"id":20510835,"url":"https://github.com/sets88/ssh-crypt","last_synced_at":"2026-03-07T15:34:40.584Z","repository":{"id":48397609,"uuid":"350839073","full_name":"Sets88/ssh-crypt","owner":"Sets88","description":"This tool helps you to keep passwords inside your shell scripts safely","archived":false,"fork":false,"pushed_at":"2024-11-15T12:08:12.000Z","size":164,"stargazers_count":26,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-29T17:13:57.713Z","etag":null,"topics":["cryptography","encrypt-passwords","passwords","sensitive-data","ssh-agent","ssh-key"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sets88.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-23T19:51:42.000Z","updated_at":"2024-11-15T12:08:22.000Z","dependencies_parsed_at":"2024-12-19T15:20:00.420Z","dependency_job_id":null,"html_url":"https://github.com/Sets88/ssh-crypt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Sets88/ssh-crypt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sets88%2Fssh-crypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sets88%2Fssh-crypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sets88%2Fssh-crypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sets88%2Fssh-crypt/manifests","owner_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/owners/Sets88","download_url":"https://codeload.github.com/Sets88/ssh-crypt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sets88%2Fssh-crypt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30219541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T14:02:48.375Z","status":"ssl_error","status_checked_at":"2026-03-07T14:02:43.192Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","encrypt-passwords","passwords","sensitive-data","ssh-agent","ssh-key"],"created_at":"2024-11-15T20:31:34.003Z","updated_at":"2026-03-07T15:34:40.549Z","avatar_url":"https://github.com/Sets88.png","language":"Python","readme":"# Why you may need it\n\n[![PyPI version](https://img.shields.io/pypi/v/ssh-crypt.svg?color=blue)](https://pypi.org/project/ssh-crypt)\n[![License](https://img.shields.io/badge/License-BSD_3--Clause-blue.svg)](https://opensource.org/license/bsd-3-clause/)\n\n[![Black](https://img.shields.io/badge/code%20style-black-000000.svg)](Black)\n[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)\n\nSometimes, you may need to store passwords within your shell scripts, but doing so in plain text is a major security 
risk.\n\nFortunately, this module can help you keep your passwords encrypted and secure.\n\nHere's how it works: you protect your ssh key with a master password or a special device, and then use the ssh-agent\nto keep your ssh key (or use your key device). This allows you to use your key as an encryption key, and decrypt your\npasswords within your shell scripts while your key is in the ssh-agent. However, once your ssh key is removed\nfrom the ssh-agent, neither you nor anyone else can use it to encrypt or decrypt sensitive data.\nTo use this module, simply add your ssh key to the ssh-agent:\n\n    /usr/bin/ssh-add -t 1d -k ~/.ssh/id_rsa\n\nAfter entering your master password, your ssh key is now stored in the ssh-agent. You can use it\nto encrypt passwords or other sensitive data securely:\n\n    ssh-crypt -e -s 'testpassword'\n\nOnce you have encrypted your password, you will receive a string containing the encrypted data.\nYou can copy this string and use it as needed. To automate this process, you can write a shell script:\n\n    #!/bin/bash\n\n    PASS='{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'\n\n    mysql -h localhost -u testuser -p\"$(ssh-crypt -d -s \"$PASS\")\"\n\nBy using this module, you no longer need to store raw passwords within your shell scripts.\nInstead, you can use encrypted passwords that can only be decrypted if your ssh key is still stored in\nthe ssh-agent. This ensures that your sensitive data remains secure and protected from unauthorized access.\n\nIn addition to encrypting and decrypting passwords, this module can also be used to encrypt and\ndecrypt files. 
This provides an extra layer of security for your sensitive data, ensuring\nthat it remains protected from prying eyes.\n\n    ssh-crypt -e -i /tmp/rawfile -o /tmp/encrypted_file\n    ssh-crypt -d -i /tmp/encrypted_file -o /tmp/rawfile\n\n\n# How it works\n\nWhen you encrypt your password using this module, it generates random bytes that are signed by\nyour ssh key from your ssh-agent. It then creates a sha3_256 hash from this signature and uses\nit as a key to encrypt your data with AES. If binary mode is not enabled, it also creates\na base85 representation of the encrypted data. This process ensures that your sensitive data\nis encrypted using a strong key and is protected from unauthorized access.\n\n![How encryption works](/data/encryption.png)\n\nWhen you decrypt your password using this module, it takes the nonce bytes from the string\nyou pass and signs it with your ssh key. It then creates a sha3_256 hash from this signature\nand uses it as an AES key to decrypt the rest of the data.\n\n![How decryption works](/data/decryption.png)\n\n\n# How to install it\n\n    pip install ssh-crypt\n\n# How to use it in python scripts\n\nTo decrypt passwords\n\n```python\nfrom ssh_crypt import E\n\nsuper_secret_password = str(E('{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'))\n```\n\nTo encrypt passwords\n\n```python\nfrom ssh_crypt import encrypt\n\nencrypted_password = encrypt('super_secret_password')\n```\n\n\n# Using Yubico keys to keep your ssh key\n\n## Install yubico-piv-tool\n\nDownload it from https://developers.yubico.com/yubico-piv-tool/Releases/ or install it with a package manager (brew, apt, yum, or pacman)\n\n## SSH Key\n\nGenerate a new key\n\n    ssh-keygen -b 2048 -t rsa -m PEM\n\nor convert the current key to PEM format\n\n    ssh-keygen -p -m PEM\n\nUnfortunately, 4096 and longer RSA keys are not supported by the PIV specification\n\n## Import key to yubikey\n\nSlot 9a only can be used to store rsa key\n\n    yubico-piv-tool --touch-policy=cached -s 9a -a import-key --pin-policy=once 
-i id_rsa\n\n## Add card to ssh-agent\n\nRemove the old card if it exists (if it was previously added, the next command will not work even if \"ssh-add -D\" was executed)\n\n    ssh-add -e /usr/local/lib/libykcs11.dylib\n\nAdd new card\n\n    ssh-add -s /usr/local/lib/libykcs11.dylib\n\nEnter the Yubikey PIN when asked for the passphrase for PKCS#11.\nEverything is set up now, but you have to confirm decryption by touching the Yubico button.\nIf it is not convenient for you to touch the button all the time, you can disable this behaviour by removing the\n\"--touch-policy=cached\" param during key import\n\n\n# Use it with apps that require config files containing a token or password\n\nJust create a shell script through which you access your application. Here is an example:\n\n```bash\n#! /bin/bash\n\nTOKEN='{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'\n\nCONFIG=\"apiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: ***somesertdata**\n    server: https://kuber-api-host:6443\n  name: app\ncontexts:\n- context:\n    cluster: app\n    namespace: some-namespace\n    user: max\n  name: app\ncurrent-context: app\nkind: Config\npreferences: {}\nusers:\n- name: max\n  user:\n    token:\n     $(ssh-crypt -d -s \"$TOKEN\")\n\"\n\nkubectl --kubeconfig \u003c(echo \"$CONFIG\") \"$@\"\n```\n\n# Get JSON from JSONC file with encrypted passwords\n\n```bash\n    cat test.json\n    {\n        \"tst\": 1, // Some number\n        \"aa\": {\n            /*\n            \"bb\": [1,2,3],\n            \"ee\": \"bbb\",\n            */\n            \"password\": E\"{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5\"\n        },\n        // Some comment\n        \"cc\": [32,21,10],\n        \"ee\": \"bbb\"\n    }\n    ssh-crypt -i test.json -t jsonc\n    {\n        \"tst\": 1,     \"aa\": {\n\n            \"password\": \"testpassword\"\n        },\n            \"cc\": [32,21,10],\n        \"ee\": \"bbb\"\n    }\n```\n\n# FIFO mode\n\nIn some applications, it is required that the decrypted file be 
accessible, for example in k9s, which executes kubectl with a parameter\npointing to the configuration file. For this, the fifo mode is suitable, in which ssh_crypt will run in the background and decrypt the file\nas it is accessed, while the decrypted file will never touch the disk.\n\n```bash\nENC_FILENAME=\"/home/user/.kube/kctl.enc\"\nDEC_FILENAME=\"/home/user/.kube/kctl\"\n\n# Remove FIFO file if it exists\nrm -f \"$DEC_FILENAME\"\n\n# To terminate the background process when the script exits\ntrap 'kill $(jobs -p)' EXIT\n\n# Create a FIFO file to decrypt the file on the fly\nssh-crypt -f -t jsonc -d -i \"$ENC_FILENAME\" -o \"$DEC_FILENAME\" \u003e /dev/null 2\u003e\u00261 \u0026\n\nk9s --kubeconfig \"$DEC_FILENAME\"\n```\n\n# Using SSH-Agent Forwarding\n\nThis module also allows you to use scripts with encrypted passwords on remote hosts by connecting to them via ssh.\nThis can be done by using the ssh-agent to forward your ssh key to the remote host, allowing you to decrypt\nthe passwords within your scripts on the remote host.\n\n    ssh -A user@somehost\n\nThe \"-A\" parameter enables SSH-Agent forwarding.\n**Beware!** Never use this technique if you don't fully trust the remote host,\nas someone who has enough permissions on the remote host may use your ssh agent for malicious purposes.\n\n\n# Options\n\n-h, --help\n\nPrints brief usage information.\n\n-e, --encrypt\n\nEncrypt incoming data\n\nExamples:\n\n    ssh-crypt -e -s 'testpassword'\n    echo 'testpassword' | ssh-crypt -e\n\n\n-d, --decrypt\n\nDecrypt incoming data, encrypt mode will be enabled if not set\n\nExamples:\n\n    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'\n    echo '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5' | ssh-crypt -d\n\n\n-i, --input\n\nInput file, STDIN will be used if not set\n\nExamples:\n\n    ssh-crypt -e -i /tmp/testfile\n    ssh-crypt -d -i /tmp/testfile\n    ssh-crypt -e -b -i /tmp/testfile\n\n\n-o, --output\n\nOutput file, STDOUT will be used if not set\n\nExamples:\n\n   
 ssh-crypt -e -s 'testpassword' -o /tmp/testfile\n    echo 'testpassword' | ssh-crypt -e -o /tmp/testfile\n\n\n-s, --string\n\nUse passed string as an input data\n\nExamples:\n\n    ssh-crypt -e -s 'testpassword'\n    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5'\n\n\n-b, --binary\n\nDo not use base85 for the payload (base85 makes encrypted data look more like a text file, so it can be copied into shell scripts)\n\nExamples:\n\n    ssh-crypt -e -s 'testpassword' -b -o /tmp/testfile\n    ssh-crypt -e -i /tmp/testfile -b\n\n\n-k, --key\n\nPick key from ssh-agent keys list by its fingerprint\n\n    ssh-add -l -E md5\n    2048 MD5:12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34 Public key for PIV Authentication (RSA)\n\nExamples:\n\n    ssh-crypt -e -s 'testpassword' --key '12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34'\n    ssh-crypt -d -s '{V|B;*R$Ep:HtO~*;QAd?yR#b?V9~a34?!!sxqQT%{!x)bNby^5' -k '12:34:56:78:90:ab:cd:ef:01:23:34:56:78:90:12:34'\n\n\n-t, --type\n\nSet type of input data, for instance it may replace encrypted passwords inside JSONC file returning JSON\n\nExample:\n\n    ssh-crypt -i test.json -t jsonc\n\n-f, --fifomode\n\nEnable FIFO mode, in which the program will decrypt the input data and send it to a special file when accessed\n\n\n# Bugs\n\nSee github issues: https://github.com/Sets88/ssh-crypt/issues\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsets88%2Fssh-crypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsets88%2Fssh-crypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsets88%2Fssh-crypt/lists"}