
Just found out a really neat, convenient way to transfer folders encrypted and peer-to-peer on Unix/Linux.

Destination:
$ nc -l -p 10002 | gpg -d | tar -xv

Source:
$ tar -c [folder] | gpg -c | nc [dest's hostname] 10002

I was aware of something like this before, but hadn't polished it off.

An improved, I think, version:

Destination:
$ nc -l -p 10002 | pv | gpg -d --no-symkey-cache | tar -x

Source:
$ tar -cv [folder] | gpg -c | nc [dest's hostname] 10002

The `tar` `-v` flag is moved to the source host, so that you can see `gpg -d`'s output better and check that it isn't decrypting bogus public-key-encrypted data.

This uses the `pv` command too, which is optional in the pipeline and is usually not installed. It behaves similarly to `cat` but with a handy progress indicator.

@lack


@golemwire
That's very cool!

I would be worried though that your tunnel is encrypted but not authenticated... If someone knows your public gpg key and port number, they could send you whatever they want and your destination would just unpack it?

As an alternative, ssh is also encrypted, and authenticated, and has less moving pieces :)

$ tar -c [folder] | ssh [destination] tar -xv

@lack That's pretty slick, and just one command on the source host, no need to manually enter the command on the destination host. This does of course require ssh to be set up on the hosts though.

I didn't think about it, but since my command uses `gpg -d`, a malicious actor *could* send something public-key-encrypted, yeah... one would need to check its output (which currently could get drowned in tar's verbose mode output). Also, adding --no-symkey-cache to gpg -d might be a good idea in this case.

@golemwire
I like that your solution would work on a system without sshd running, and can be initiated by a non-root user (assuming there's no firewall in place that would block incoming traffic on the destination host).

And the window for potential attack is low since it would be hard to guess the port number you choose, and probably have a fairly short window of time where it's open on the receiving side anyway. So I think this has its place too :)
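The "check that gpg isn't decrypting bogus public-key-encrypted data" step discussed above can be automated on the receiving side instead of eyeballing gpg's output. The following POSIX sh filter is an added example written for this page; it is not code from either poster. It peeks at the first byte of the stream, decodes the OpenPGP packet tag from it (both the old 10TTTTLL and the new 11TTTTTT header formats), and only streams the data on to `gpg -d` if the first packet is a Symmetric-Key Encrypted Session Key packet (tag 3), which is what `gpg -c` produces. A Public-Key Encrypted Session Key packet (tag 1), ASCII armour, or plain garbage is refused before gpg ever sees it. The function names `pgp_packet_tag`, `symkey_only` and `pipe_hex` are made up for this example, and the byte strings in the usage comments are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the original thread): a pre-filter for the receiver
#   nc -l -p 10002 | symkey_only | gpg -d --no-symkey-cache | tar -x
# that rejects any stream whose first OpenPGP packet is not a symmetric-key
# encrypted session key packet (tag 3). Function names are hypothetical.

# pgp_packet_tag BYTE: print the packet tag encoded in BYTE (decimal 0-255).
# Old format header: 1 0 T T T T L L  -> tag = bits 2..5
# New format header: 1 1 T T T T T T  -> tag = low six bits
# Returns 1 and prints nothing when the high bit is clear, i.e. the byte is
# not an OpenPGP packet header at all (plain text, "-----BEGIN PGP", ...).
pgp_packet_tag() {
    b=$1
    [ $((b & 128)) -ne 0 ] || return 1
    if [ $((b & 64)) -ne 0 ]; then
        echo $((b & 63))
    else
        echo $(((b >> 2) & 15))
    fi
}

# symkey_only: copy stdin to stdout only if the first packet is tag 3.
# Reads exactly one byte (dd on a pipe stops after count=1), classifies it,
# then re-emits that byte and streams the remainder unchanged with cat.
# On rejection nothing is written to stdout and the function returns 1, so
# the next stage in the pipeline just sees EOF.
symkey_only() {
    oct=$(dd bs=1 count=1 2>/dev/null | od -An -to1 | tr -d ' \n')
    if [ -z "$oct" ]; then
        echo "symkey_only: empty input" >&2
        return 1
    fi
    # od printed the byte as three octal digits; 0$oct makes it an octal
    # constant for the arithmetic expansion.
    tag=$(pgp_packet_tag $((0$oct))) || {
        echo "symkey_only: input does not start with an OpenPGP packet" >&2
        return 1
    }
    case $tag in
        3) ;;
        1) echo "symkey_only: refusing public-key encrypted data (tag 1)" >&2
           return 1 ;;
        *) echo "symkey_only: unexpected first packet tag $tag" >&2
           return 1 ;;
    esac
    printf "\\$oct"   # put the consumed byte back in front of the stream
    cat               # and pass everything else through untouched
}

# pipe_hex: dump stdin as a lowercase hex string (used to check results).
pipe_hex() { od -An -tx1 | tr -d ' \n'; }

# Constructed sample inputs (first bytes only; not real gpg output):
#   printf '\214\015\004\011\003' | symkey_only | pipe_hex   # 0x8c = old-format tag 3: passes
#   printf '\205\001\014\003'     | symkey_only              # 0x85 = old-format tag 1: refused
```

To use it in the thread's pipeline, define the functions in the receiving shell and run `nc -l -p 10002 | symkey_only | gpg -d --no-symkey-cache | tar -x`. The filter only looks at the first packet header, so it does not replace checking gpg's exit status; what it buys you is that gpg will never be asked to decrypt something to your private key. A symmetric stream produced under a different passphrase still fails in gpg with a bad session key, so with this filter the shared passphrase is effectively what authenticates the sender (replay of a previously captured stream excepted).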

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms.