
Generates and encrypts plaintext into ciphertext with AES-256 in Python, matching what openssl does


PyAes256

This project aims to encrypt text with AES-256 and put it into a PDF similar to a paper wallet. It is useful, for example, to encrypt seeds or passwords onto a piece of paper and print it. The output is base64 encoded and follows the same scheme that is generated by openssl. For example, the base64 string starts with "Salt__" followed by 8 bytes of salt. The rest is the ciphertext.

Disclaimer

Use at your own risk. The author takes no responsibility for any damage, lost funds or similar due to errors in encryption or any other mistakes. Always be cautious when using this tool for important or high-value data. Always verify that the decryption script yields the encrypted plaintext. Additionally, cross-check with openssl that you can decrypt your encrypted data before using it.

Usage

The simplest way is to install it from pip: pip install pyaes256

Encryption

Then execute it with: pyaes256 encrypt myplaintext

Then enter a password and confirm it. You can optionally specify a --password <mypassword> argument, in which case you will not be asked to confirm it.

To set a different output file use --output targetFile

To see the generated key and IV use --show-key

You can add a title to the output pdf with --title "My Super Secret Password"

You can add notes to the notes section with --notes "The first rule of fight club is. You do not talk about fight club"

The PDF will open automatically. To keep the generated PDF from opening automatically, use --no-open

You can download a single executable standalone exe of the latest release here

Unpack it and run: Windows: pyaes256.exe encrypt "myplaintext"

Linux: the file is located in the bin folder; unpack it and extract it from the bin folder:

chmod a+x pyaes256
./pyaes256 encrypt aaaa

As mentioned below, it is important to install gtk3 before running the tool! You can download it here: https://github.com/tschoonj/GTK-for-Windows-Runtime-Environment-Installer/releases

Decryption

pyaes256.exe decrypt <base64encryptedcyphertext>

Then just type in the password you set when encrypting.

Getting Started

  1. Install python >3.8

  2. Install pipenv by executing pip install pipenv.

  3. Create a new virtual environment with all dependencies by executing pipenv install.

  4. Important: PyAes256 uses weasyprint to generate the PDF with the encrypted QR code. To make it work on different operating systems, certain libraries needed for rendering must be installed.

    For Windows you have to install the GTK+ libraries. You can download them here: https://github.com/tschoonj/GTK-for-Windows-Runtime-Environment-Installer/releases

    Pick the gtk3 runtime and install it, selecting the PATH option. After that, restart your terminal.

    More information at: https://weasyprint.readthedocs.io/en/stable/install.html#step-4-install-the-gtk-libraries

Activating the virtual environment

Before executing any of the commands below, you need to activate the virtual environment. You can do so by executing pipenv shell. Your command prompt should now indicate that you've activated the virtual environment. It can be deactivated by executing exit.

Build single executable

Run pyinstaller pyaes256.spec

The executable will be generated in the dist folder. On Linux, run it with: ./dist/pyaes256 encrypt "hhhhh"

On Windows: dist/pyaes256.exe encrypt "hhhhh"

The paper wallet is generated into the output folder.

Generating encrypted passwords

to encode text with aes256-cbc. Pick any password.

Additional Notes

To verify that this script outputs the same ciphertexts as other tools and that it is reproducible, you can check the output with openssl.

Generate with openssl: echo -n 'mysupersecretseedphrase' | openssl enc -aes-256-cbc -base64 -salt -pbkdf2 -out secretphrase-enc.txt

Then type in your password.

To decode it, run: openssl enc -aes-256-cbc -d -base64 -salt -pbkdf2 -in secretphrase-enc.txt

Docker

You can also use the docker container if you need it to be more isolated.

docker run -v $PWD:/out -it nalisdev/pyaes256 encrypt helloworld --no-open --output out/docker1.pdf

Parameters used for AES-256 encryption

  1. pbkdf2 with 10000 iterations: to derive the pass
  2. PKCS#7 to pad the plaintext to the correct block size, which must be a multiple of 16
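
The parameters above and the openssl-compatible output layout, as an added example (not PyAes256's own code): it parses the base64 output, derives the key and IV with PBKDF2, and applies and validates PKCS#7 padding using only the Python standard library. It assumes OpenSSL's 8-byte `Salted__` header and SHA-256 as the PBKDF2 digest (the `openssl enc -pbkdf2` default); the function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib

MAGIC = b"Salted__"   # 8-byte header written by `openssl enc -salt` (assumed format)
ITERATIONS = 10000    # iteration count from the parameter list above
BLOCK = 16            # AES block size in bytes


def parse_blob(b64_text):
    """Split base64 output into (salt, ciphertext), rejecting malformed input."""
    # openssl wraps base64 at 64 columns, so drop whitespace before strict decoding.
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) < 32 or raw[:8] != MAGIC:
        raise ValueError("missing Salted__ header or truncated data")
    salt, ciphertext = raw[8:16], raw[16:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the block size")
    return salt, ciphertext


def derive_key_iv(password, salt):
    """PBKDF2 output of 48 bytes: 32-byte AES-256 key, then 16-byte CBC IV."""
    # Assumption: HMAC-SHA256, the default digest of `openssl enc -pbkdf2`.
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 48)
    return material[:32], material[32:]


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK   # always 1..16; a full extra block if aligned
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not data or len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


if __name__ == "__main__":
    # Constructed sample: salt 00..07 and one all-zero block standing in for ciphertext.
    sample = base64.b64encode(MAGIC + bytes(range(8)) + bytes(16)).decode()
    salt, ct = parse_blob(sample)
    key, iv = derive_key_iv("correct horse", salt)
    print("salt =", salt.hex(), "key =", key.hex(), "iv =", iv.hex())
```

The derived key and IV can be compared with what --show-key reports, or with openssl's -P option for the same password and salt.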