Tech, Art, and Things

Introduction

I needed a straightforward way to encrypt a database dump file for archival purposes—something simple, effective, and with minimal dependencies. After exploring various options, I settled on this method.

Prerequisites

• OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
• xxd 2024-09-15 by Juergen Weigert et al.

Generate RSA Key Pair

Note this step only needs to happen once. Unless you have any reason to keep different private keys around for different reasons.

For this method of encryption we'll want to create a RSA Key Pair just like you would for SSH access. You will want to store the private key somewhere secure and we will be using the public key encrypt the AES key and AES IV files in a later step.

# Generate the private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096 -aes-256

# Extract the public key from the private key
openssl rsa -pubout -in private_key.pem -out public_key.pem

Encryption with AES & RSA

0. Setup

If you are following along you can replace the UNENCRYPTED_FILE variable with a file you want to try encrypting. The rest of the commands in this tutorial will be using these variables.

Copy and paste the following variables into your terminal.

UNENCRYPTED_FILE=MY_FILE.PNG
ENCRYPTED_FILE=${UNENCRYPTED_FILE}.enc
PUB_KEY=public_key.pem
AES_KEY=aes.key
AES_IV=aes.iv
AES_BIN=aes.bin
AES_ENC=aes.bin.enc

1. Generate a AES Key and AES IV file

We will be using the following files to do symmetrical encryption.

openssl rand -out ${AES_KEY} 32   # 32 bytes = 256-bit AES key
openssl rand -out ${AES_IV} 16    # 16 bytes = IV for AES-256-CBC

cat $AES_KEY $AES_IV > ${AES_BIN}

Explainer

AES Key

• This is the secret key used to encrypt and decrypt the data.
• AES-256 requires a 256-bit (32-byte) key, which must be securely stored.

AES IV

• The Initialization Vector (IV) is a random value that ensures each encryption operation produces different ciphertexts, even if encrypting the same plaintext with the same key.
• The IV is required when using CBC mode (-aes-256-cbc), as it helps prevent pattern recognition attacks.

2. Encrypt the large file with the AES key

We use openssl's enc commandto encrypt the target file with aes-256-cbc

openssl enc -aes-256-cbc -salt -in {UNENCRYPTED_FILE} -out ${ENCRYPTED_FILE} -pass file:${AES_KEY} -pbkdf2 -iter 10000 -iv $(cat ${AES_IV}$ | xxd -p)

Explainer

• -salt: This ensures that a unique cryptographic salt is used for each encryption operation. The salt is a random value added to the encryption key derivation process to prevent precomputed attacks (e.g., rainbow table attacks). It makes sure that even if the same plaintext is encrypted multiple times with the same password, the resulting ciphertext will be different.

• -iter 10000: This specifies the number of iterations used in the key derivation function (PBKDF2 in this case). By increasing the iteration count, you make brute-force attacks more difficult because it forces the attacker to perform many computations for each password guess. A higher iteration count increases security but also increases encryption and decryption time.

• -pass file:${AES_KEY} option. OpenSSL derives the actual encryption key from this file, especially if -pbkdf2 and -iter are used.

• $(cat ${AES_IV} | xxd -p) reads the IV file and converts it to a hexadecimal format suitable for OpenSSL.

You can use a different iter value but the decryption step will have to match.

3. Encrypt the AES Key and IV

After we encrypt the file, we will want to encrypt our AES key and AES IV file with the RSA public key. This ensures that the file encryption keys are also encrypted but recoverable with the private RSA key.

openssl pkeyutl -encrypt -inkey ${PUB_KEY} -pubin -in ${AES_BIN} -out ${AES_ENC} -pkeyopt rsa_padding_mode:oaep

4. Cleanup

After the encryption process is done, we will want to remove the intermediate AES key and the AES file and the combined file that we created earlier. If these files are left around and discovered they can be used to decrypt your encrypted file without the use of the private RSA key.

rm $AES_KEY $AES_IV $AES_BIN

5. Moving the files around

At this point we should have the ENCRYPTED_FILE and the AES_ENC file. These files should be stored together or separately (for more security):

UNENCRYPTED_FILE=MY_FILE.PNG
ENCRYPTED_FILE=${UNENCRYPTED_FILE}.enc
AES_ENC=aes.bin.enc

Script

The following bash script does the above steps and will combine the ENCRYPTED_FILE and AES_ENC file into a single file for easier transport and storage. I found for my purposes that this is "Secure Enough".

#!/bin/bash

set -e

# Default behavior: remove the original file 
KEEP_ORIGINAL=false 

# Parse the optional -k flag 
if [ "$1" == "-k" ]; then 
    KEEP_ORIGINAL=true
    shift # Remove the flag from the arguments list
fi

# Check if arguments are passed
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <public_key.pem> <file_to_encrypt>";
    exit 1;
fi

PUB_KEY=$1
UNENCRYPTED_FILE=$2
TEMP_ENCRYPTED_FILE=${UNENCRYPTED_FILE}.tmp.enc
ENCRYPTED_FILE=${UNENCRYPTED_FILE}.enc

AES_FILE_NAME=aes
AES_KEY=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.key
AES_IV=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.iv
AES_BIN=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.bin
AES_ENC=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.enc

cleanup() {
    rm -f $AES_KEY $AES_IV $AES_BIN $AES_ENC $TEMP_ENCRYPTED_FILE
    echo -e "\n[✔] Temp files removed..."
}
trap cleanup EXIT

openssl rand -out ${AES_KEY} 32 && \
    openssl rand -out ${AES_IV} 16

echo "[✔] Generated AES Key and IV."

cat $AES_KEY $AES_IV > ${AES_BIN}
echo "[✔] AES Key and IV successfully packaged"

openssl enc \
    -aes-256-cbc \
    -salt \
    -in ${UNENCRYPTED_FILE} \
    -out ${TEMP_ENCRYPTED_FILE} \
    -pass file:${AES_KEY} \
    -pbkdf2 \
    -iter 10000 \
    -iv $(cat ${AES_IV} | xxd -p)
echo "[✔] File encrypted successfully using AES-256-CBC."
    
openssl pkeyutl \
    -encrypt \
    -inkey ${PUB_KEY} \
    -pubin \
    -in ${AES_BIN} \
    -out ${AES_ENC} \
    -pkeyopt rsa_padding_mode:oaep
echo "[✔] Encrypted ${AES_BIN}"

cat $AES_BIN $TEMP_ENCRYPTED_FILE > $ENCRYPTED_FILE

if [ "$KEEP_ORIGINAL" = false ]; then
    rm "$UNENCRYPTED_FILE"
    echo "[✔] Original file removed."
else
    echo "[✔] Original file kept."
fi

echo -e "\nResulting Files:"
echo -e "\tEncrypted File:\t${ENCRYPTED_FILE}"

Decrypt with AES & RSA

We do it all in reverse

0. Setup

UNENCRYPTED_FILE=MY_FILE.PNG
UNENCRYPTED_FILE=${ENCRYPTED_FILE%.enc}
PRIVATE_KEY=private_key.pem
AES_KEY=aes.key
AES_IV=aes.iv
AES_BIN=aes.bin
AES_ENC=aes.bin.enc

1. Decrypt the AES key with the private RSA key

This step will decrypt the AES_ENC file into the AES_BIN file.

openssl pkeyutl -decrypt -inkey ${PRIVATE_KEY} -in ${AES_ENC} -out ${AES_BIN} -pkeyopt rsa_padding_mode:oaep

2. Extract the AES Key and IV

We will then extract the AES Key and AES IV file from the AES_BIN file

head -c 32 ${AES_BIN} > ${AES_KEY}  # Extract AES Key
tail -c 16 ${AES_BIN} > ${AES_IV}   # Extract IV

3. Decrypt the file

We then use the AES_KEY and AES_IV files to decrypt the ENCRYPTED_FILE

openssl enc -aes-256-cbc -d -salt -in ${ENCRYPTED_FILE} -out ${UNENCRYPTED_FILE} -pass file:${AES_KEY} -pbkdf2 -iter 10000 -iv $(cat ${AES_IV} | xxd -p)

Script

Similar to above, this script also does the bonus step of extracted the AES_ENC file from the combined file before decrypting the AES key and AES IV file.

#!/bin/bash

set -e

# Default behavior: remove the original file 
KEEP_ORIGINAL=false 

# Parse the optional -k flag 
if [ "$1" == "-k" ]; then 
    KEEP_ORIGINAL=true
    shift # Remove the flag from the arguments list
fi

# Check if arguments are passed
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <private_key.pem> <file_to_decrypt>";
    exit 1;
fi

PRIVATE_KEY=$1
ENCRYPTED_FILE=$2
TEMP_ENCRYPTED_FILE=${ENCRYPTED_FILE}.tmp.enc
UNENCRYPTED_FILE=${ENCRYPTED_FILE%.enc}

AES_FILE_NAME=aes
AES_ENC=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.enc
AES_BIN=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.bin
AES_KEY=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.key
AES_IV=${UNENCRYPTED_FILE}.${AES_FILE_NAME}.iv

cleanup() {
    rm -f $AES_KEY $AES_IV $AES_BIN $TEMP_ENCRYPTED_FILE
    echo -e "\n[✔] Temp files removed..."
}
trap cleanup EXIT

echo "---Enter pass phrase for $PRIVATE_KEY:"
read -s RSA_PASS
echo $RSA_PASS

# Determine RSA key size from private key (in bytes) 
RSA_KEY_SIZE=$(openssl rsa -in "$PRIVATE_KEY" -text -noout -passin pass:"$RSA_PASS" | sed -n -E 's/.*\(([0-9]+) bit.*/\1/p')
echo "[✔] Discovered RSA Key Size: $RSA_KEY_SIZE"
if [ -z "$RSA_KEY_SIZE" ]; then
    echo "Error: Unable to determine RSA key size."
    exit 1
fi

# Extract the encrypted AES key and IV (first RSA_KEY_SIZE bytes) 
head -c $RSA_KEY_SIZE $ENCRYPTED_FILE > $AES_ENC
echo "[✔] ${AES_BIN} successfully extracted"
tail -c +$((RSA_KEY_SIZE + 1)) $ENCRYPTED_FILE > $TEMP_ENCRYPTED_FILE
echo "[✔] ${TEMP_ENCRYPTED_FILE} successfully extraced"

openssl pkeyutl \
    -decrypt \
    -inkey ${PRIVATE_KEY} \
    -in ${AES_ENC} \
    -out ${AES_BIN} \
    -pkeyopt rsa_padding_mode:oaep \
    -passin env:RSA_PASS
echo "[✔] ${AES_BIN} successfully decrypted"

# Extract AES Key & Extract IV
head -c 32 ${AES_BIN} > ${AES_KEY} && \
    tail -c 16 ${AES_BIN} > ${AES_IV}
echo "[✔] AES Key and IV successfully unpackaged"

openssl enc \
    -aes-256-cbc \
    -d \
    -salt \
    -in ${ENCRYPTED_FILE} \
    -out ${UNENCRYPTED_FILE} \
    -pass file:${AES_KEY} \
    -pbkdf2 \
    -iter 10000 \
    -iv $(cat ${AES_IV} | xxd -p)
echo "[✔] File successfully decrypted using AES-256-CBC."

if [ "$KEEP_ORIGINAL" = false ]; then
    rm $ENCRYPTED_FILE
    rm $AES_ENC
    echo "[✔] Encrypted file removed."
else
    echo "[✔] Encrypted file kept."
fi

echo -e "\nResulting Files:"
echo -e "\tDecrypted File:\t${UNENCRYPTED_FILE}"

Questions

Why can't we just encrypt with the RSA key?

RSA asymmetrical encryption has a limit to the file size that it can encrypt. This limit is directly in relation to the RSA key size. Generating an extremely large RSA key comes with performance hits and would still not encompass extremely large files. For example, we would easily exceed the limit with database dumps. Instead, we side step this by generating a key that can be encrypted with RSA and subsequently using AES to encrypt the large file with that key.

Project Requirement

I needed a script to parse through a directory + subdirectories to find all swift files and see if there are any string quotes in the files.

Download and Install Process

# Install
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Source cargo env
source $HOME/.cargo/env

Writing the code

Project Configuration with Cargo.toml

Cargo.toml is a configuration file used by Cargo, the Rust package manager and build system. It's an essential part of any Rust project. This file contains metadata about your project and dependencies on other Rust crates (libraries or packages).

You can find the crates here: https://crates.io/

Code

[package]  
name = "parse_swift_string"  
version = "0.1.0"  
edition = "2021"  
  
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html  
  
[dependencies]  
walkdir = "2.4"  
regex = "1.10"  
csv = "1.3"

Structure of Cargo.toml

A typical Cargo.toml file includes several sections:

• [package]: Contains metadata about your project like name, version, authors, edition, etc.
• [dependencies]: Lists the crates your project depends on. You can specify versions here.
• [dev-dependencies]: Crates used in development, like testing libraries, which aren't needed in the final build.
• Other sections like [features], [workspace], etc., for more advanced configurations.

Actual Code in main.rs

Code

use walkdir::WalkDir;  
use regex::Regex;  
use csv::Writer;  
use std::fs::File;  
use std::io::{self, BufRead};  
use std::env;  
  
fn main() -> Result<(), Box<dyn std::error::Error>> {  
    // Grab the arguments from the run command
    // In this case we want it to be the directory that we want to parse
    let args: Vec<String> = env::args().collect();  
    if args.len() < 2 {  
        eprintln!("Usage: {} <directory>", args[0]);  
        std::process::exit(1);  
    }
    let project_path = &args[1];
    let output_file = "extracted_strings.csv";  
  
    let re = Regex::new(r#""([^"\\]*(?:\\.[^"\\]*)*)""#).unwrap();  
    let mut wtr = Writer::from_path(output_file)?;  
  
    for entry in WalkDir::new(project_path) {  
        let entry = entry?;  
        let path = entry.path();  
        if path.extension().map_or(false, |e| e == "swift") {  
            let file = File::open(path)?;  
            let reader = io::BufReader::new(file);  
  
            for (line_number, line) in reader.lines().enumerate() {  
                let line = line?;  
                for cap in re.captures_iter(&line) {  
                    // Check if the match is not escaped  
                    if !line[..cap.get(0).unwrap().start()].ends_with('\\') {  
                        wtr.write_record(&[  
                            path.to_string_lossy().to_string(),  
                            line_number.to_string(),  
                            cap[1].to_string()  
                        ])?;  
                    }  
                }  
            }  
        }  
    }  
  
    wtr.flush()?;  
    println!("Data extracted to {}", output_file);  
    Ok(())  
}

Namespaces like C/C++

Similar to C/C++ and probably other languages you can let the compiler that you are using certain name spaces.

In this case wea re using walkdir/regex/csv on top of the builtin std

Variables immutable by default

In Rust all variables are immutable by default , so if you look at the wtr variable that one is mutable because it represents a CSV writer (Writer from the csv crate) that changes its internal state as it writes data.

When you create a Writer instance in Rust for writing CSV data, the act of writing to a CSV file is not just a single operation but potentially many. Each time you write a record (a row in the CSV file), the Writer updates its internal state. This includes keeping track of the current position in the output stream (like a file or in-memory buffer), buffering the data, and possibly handling encodings.

? after a variable

In Rust, the question mark (?) is an operator used for error handling. It's a convenient shorthand for propagating errors up the call stack. When you see ? used after an expression, it means that if the expression evaluates to an Err variant of a Result or Option, it will return from the enclosing function with that Err. If the expression is Ok, the program will continue, and the value inside the Ok will be extracted.

Here, WalkDir::new(project_path) returns an iterator that yields items of type Result<DirEntry, Error>. Each item is a Result because reading a directory can fail for various reasons (like permissions issues, the directory not existing, etc.).

The let entry = entry?; line is checking each item as it's iterated over. If an item is an Err, the ? operator will cause the function to return early with that error. If it's an Ok, it extracts the DirEntry from inside the Ok and assigns it to the entry variable, which is then used in the loop.

This use of ? makes the code much cleaner and more readable, especially compared to manual error handling where you would need to use match statements or unwrapping. It's a very idiomatic way in Rust to handle errors in situations where you want to propagate them upwards instead of handling them at the point where they occur.

Error Propagation: Since the main function itself returns Result, when an error is returned using ?, it propagates up to the caller of main. In the case of the main function, this caller is the Rust runtime. If main returns an Err, the Rust runtime will handle this by printing a diagnostic message to the standard error stream and exiting the program.

Reassigning entry in the for loop

for entry in WalkDir::new(project_path) {
    let entry = entry?;
    // ...
}

1. Error Handling: It uses the ? operator to handle the Result. If entry is an Err, the ? operator will return that error from the current function (main in your case), effectively stopping the iteration and the function execution. This is a concise way to propagate errors upwards.

2. Unwrapping the Result: If entry is an Ok, the ? operator unwraps it, extracting the DirEntry value. This unwrapped value is then bound to a new variable, also named entry (shadowing the previous entry variable from the loop). This new entry variable is now a DirEntry object that can be used directly in the subsequent code without further unwrapping.

More Rust specifics

What is map_or()

fn map_or<T, F>(self, default: T, f: F) -> T
where
    F: FnOnce(T) -> T,

if path.extension().map_or(false, |e| e == "swift") {
    // ...
}

• false: is the default
• |e| e == "swift": apply the closure / synonymous with supplying a lambda function in python

"applying the closure" refers to executing a closure (an anonymous function) on the value contained within an Option, if that Option is Some.

Compile

# Compile and run immediately against a directory
cargo run -- /path/to/your/ios/project

# Compile for release. Release binary is compiled to `./target/release/{program_name}`
cargo build --release

Results

example/Example1.swift,6,"Hello, World!"
example/Example1.swift,10,Greeting: \(message)
example/Example1.swift,14,Calculating sum of \(a) and \(b)
example/Example1.swift,19,To be or not to be
example/Example1.swift,27,Sum is \(sum)
example/Example2.swift,7,My name is \(name) and I am \(age) years old.
example/Example2.swift,11,John Doe
example/Example2.swift,15,My favorite color is \(color).
example/Example2.swift,18,blue
example/Example2.swift,20,This is a warning message!
example/Example2.swift,23,An error occurred while processing your request.

Repository

https://github.com/JJK-IO/playing_with_rust

Markdown Syntax

sequenceDiagram
    Alice-)Bob: Hello Bob, how are you ?
    Bob-)Alice: Fine, thank you. And you?
    create participant Carl
    Alice-)Carl: Hi Carl!
    create actor D as Donald
    Carl-)D: Hi!
    destroy Carl
    Alice-xCarl: We are too many
    destroy Bob
    Bob-)Alice: I agree

Rendered SVG