I have an SSL wrapper around GNU-Cash which decrypts my data file when opening GNU-Cash, and then re-encrypts it when I exit the app, overwriting the original encrypted file and then deleting the unencrypted one. What happens is that if I make, say, one single change in GNU-Cash, the file re-encryption takes a second or two, but if I make a lot of changes to the data, then the encryption takes significantly longer. It appears the time to create the new encrypted file is directly related to the changes made in the data file within.
I cannot see why it takes longer to encrypt a heavily modified file than the same one with only minor changes. My script does not remove the original encrypted data, it just overwrites it upon exit from GNU-Cash. Does OpenSSL reference the old copy of the encrypted data file which it is overwriting?
I can post the whole thing if needed, but here are the Decrypt and Encrypt lines from the script:
openssl enc -d -aes-256-cbc -pbkdf2 -in ${DATA_FILE} -out ${DECRYPTED_FILE} -pass stdin <<EOPW &> /dev/null
${FILEPASS}
EOPW
openssl enc -e -aes-256-cbc -pbkdf2 -in ${DECRYPTED_FILE} -out ${DATA_FILE} -pass stdin <<EOPW &> /dev/null
${FILEPASS}
EOPW
Thanks.
I need to encrypt a file containing one CLIENT_ID per line.
When I use
openssl enc -k jesuislacle -aes256 -base64 -e -in &_fidat/num_tie_dmp.csv -out &_fidat/decrypted_numtie.csv
I encrypt the whole file.
But what I want is to encrypt line by line. i.e.
Original I have:
ABCDEC
FGHHIJ
KLMNOP
QRSTUV
What I want :
QHXrpv3ah0qEPBECCt1//PBKiugmWYMuE+WaA4r9Rgc#
nAca0Pb6bH1cQRfkO9wReY+X6dgl44BKE/nKSFBLM+o#
UjTJsoHoLAC0GeqqImxDXX9znUtd7dGm4VODZ+T7lvM#
dcU+H+jd9RZZqweDu1nnJDWMlKjxW2Hc+Q2uAW1tQfk#
For the moment, I launch this command X times for each ID.
But I can have more than 10000 IDs to encrypt. It takes a few hours to get the results. It's too much.
What's the best way?
I'm on SAS 9.3, UNIX and I have to encrypt in AES 256, not MD5 (thanks to my DPO :-) )
Thanks for your help.
Jérome
You can try this:
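# IFS= and -r keep leading whitespace and backslashes in each line intact
while IFS= read -r line; do
    printf '%s\n' "$line" | openssl enc -k jesuislacle -aes256 -base64 -e
done <infile >outfile
It reads all lines of the file one by one and encrypts each of them with the specified key.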
I'm trying to use the example here for Clearkey encryption for videos. As per the steps mentioned here I was able to download and build the encryption tool webm_crypt, but when I try to encrypt the file with
webm_crypt -i input.webm -o input-enc_bear1_0123456789012345.webm -video true -audio true -video_options content_id=0123456789012345,base_file=bear1.key -audio_options content_id=0123456789012345,base_file=bear1.key
I get this error
File: input.webm is not WebM file.Could not open WebM files.
Tried many different webm files with no luck.
Is there another way to encrypt clear key media with other tools? Any clue about the error above?
You can use ffmpeg and openssl to create an AES encrypted HLS stream - the ffmpeg documentation (http://ffmpeg.org/ffmpeg-all.html#Options-34) includes this example script:
#!/bin/sh
BASE_URL=${1:-'.'}
openssl rand 16 > file.key
echo $BASE_URL/file.key > file.keyinfo
echo file.key >> file.keyinfo
echo $(openssl rand -hex 16) >> file.keyinfo
ffmpeg -f lavfi -re -i testsrc -c:v h264 -hls_flags delete_segments \
-hls_key_info_file file.keyinfo out.m3u8
You can also use MP4Box (https://gpac.wp.imt.fr/mp4box/encryption/common-encryption/) to create basic clear DASH encryptions:
MP4Box -crypt drm_file.xml movie.mp4 -out movie_encrypted.mp4
The drm info is included in the drm_file.xml and is explained at the link above.
I'm trying to decrypt AES-128 encrypted m3u8 video files such as this one:
the m3u8 file :
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-ALLOW-CACHE:NO
#EXT-X-VERSION:2
#EXT-X-FAXS-CM:MII6lAYJKoZIhvcNAQcCoII6hTCCOoECAQExCzAJBgUrDgMCGgUAM... very long key...
#EXT-X-KEY:METHOD=AES-128,URI="faxs://faxs.adobe.com",IV=0X99b74007b6254e4bd1c6e03631cad15b
#EXT-X-TARGETDURATION:8
#EXTINF:8,
video.mp4Frag1Num0.ts
#EXTINF:8,
video.mp4Frag1Num1.ts
...
I've tried with openssl :
openssl aes-128-cbc -d -kfile key.txt -iv 99b74007b6254e4bd1c6e03631cad15b -nosalt -in video_enc.ts -out video_dec.ts
key.txt contains the very long key
-->
bad decrypt
1074529488:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
What am I doing wrong?
This might be a bit of a hack, but given a URL to an .m3u8 file, it will download and decrypt the files that make up the stream:
#!/usr/bin/env bash
curl "$1" -s | awk 'BEGIN {c=0} $0 ~ "EXT-X-KEY" {urlpos=index($0,"URI=")+5; ivpos=index($0,"IV="); keyurl=substr($0, urlpos, ivpos-urlpos-2); iv=substr($0, ivpos+5); print "key=`curl -s '\''"keyurl"'\'' | hexdump -C | head -1 | sed \"s/00000000//;s/|.*//;s/ //g\"`"; print "iv="iv} $0 !~ "-KEY" && $0 ~ "http" {printf("curl -s '\''"$0"'\'' | openssl aes-128-cbc -K $key -iv $iv -d >seg%05i.ts\n", c++)}' | bash
This script generates a second script that extracts keys and initialization vectors and uses them to decrypt while downloading. It needs curl, awk, hexdump, sed, and openssl to run. It'll probably choke on an unencrypted stream, or on a stream that uses something other than AES-128 (is any other encryption supported?).
You'll get a bunch of files: seg00000.ts, seg00001.ts, etc. Use tsMuxeR (https://www.videohelp.com/software/tsMuxeR) to merge these into a single file (simple concatenation didn't work for me...it's what I tried first):
(echo "MUXOPT --no-pcr-on-video-pid --new-audio-pes --vbr --vbv-len=500"; (echo -n "V_MPEG4/ISO/AVC, "; for i in seg*.ts; do echo -n "\"$i\"+"; done; echo ", fps=30, insertSEI, contSPS, track=258") | sed "s/+,/,/"; (echo -n "A_AAC, "; for i in seg*.ts; do echo -n "\"$i\"+"; done; echo ", track=257") | sed "s/+,/,/") >video.meta
tsMuxeR video.meta video.ts
(Track IDs and framerate may need adjustment...get the values to use by passing one of the downloaded files to tsMuxeR.)
Then use ffmpeg to remux to something a bit more widely understood:
ffmpeg -i video.ts -vcodec copy -acodec copy video.m4v
In order to decrypt encrypted video stream you need encryption key.
This key is not part of the stream. It should be obtained separately.
EXT-X-FAXS-CM header contains DRM meta-data and not the key.
This is an excerpt from the Adobe Media Server developer guide:
The Adobe Access Server protected variant playlist also needs to include the #EXT-X-FAXS-CM tag. The value of #EXT-X-FAXS-CM tag in variant playlist is the relative URI referring to the DRM metadata of one of the individual streams. At the client, the #EXT-X-FAXS-CM tag in variant playlist will be used to create the DRM session. The same DRM session will be used for all encrypted M3U8 files inside the variant playlist.
Full guide can be found here:
http://help.adobe.com/en_US/adobemediaserver/devguide/WS5262178513756206-4b6aabd1378392bb59-7fe8.html
There is also mention that faxs://faxs.adobe.com URI is for local key serving.
So the key is obtained locally from a device.
While some of the bash scripts in the existing answers get you part (or even all) of the way, depending which site you're trying to download from, you might hit other obstacles (different auth method, custom license server mount, etc.)
I've found streamlink to be the most robust solution for this, which also lets you stream directly (rather than download), if that's what you're after, and it has all the site-specific work already done for you for a long list of sites (see plugins section, but keep in mind it's under active development and the latest release was in June, so for some of the newer ones you'll have to git clone and install from source).
In many cases, VLC will happily convert an .m3u8 video to an unencrypted .ts or .mp4. In the VLC graphical interface, go to Media > Convert/Save.
Even though this file includes AES encrypted data, openssl doesn't know the m3u8 format. However, FFmpeg might be able to handle it.
Has anyone had any luck getting encrypted streaming to work with Apple's HTTP Live Streaming using openssl? It seems I'm almost there but my video doesn't play but I don't get any errors in Safari either (like "Video is unplayable" or "You don't have permission to play this video" when I got the key wrong).
#bash script:
keyFile="key.txt"
openssl rand 16 > $keyFile
hexKey=$(cat key.txt | hexdump -e '"%x"')
hexIV='0'
openssl aes-128-cbc -e -in $fileName -out $encryptedFileName -p -nosalt -iv ${hexIV} -K ${hexKey}
#my playlist file:
#EXTM3U
#EXT-X-TARGETDURATION:000020
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="key.txt"
#EXTINF:20, no desc
test.ts.enc
#EXT-X-ENDLIST
I was using these docs as a guide:
https://datatracker.ietf.org/doc/html/draft-pantos-http-live-streaming
Okay, I figured it out... My hexdump command was wrong. It should be:
hexKey=$(cat key.txt | hexdump -e '16/1 "%02x"')
Also keep in mind the following, if you have more than 1 TS "chunk", and you're looking for a bit-exact replacement for the Apple encryption pipeline. By default, the Apple encryption tool updates the IV (initialization vector) parameter for each of the chunks, which "increases the strength of the cipher," according to the Pantos spec.
Implementing this just means that the sequence number needs to be encoded in hex and passed as the -iv parameter to openssl:
#!/bin/bash
keyFile="key.txt"
openssl rand 16 > $keyFile
hexKey=$(cat key.txt | hexdump -e '"%x"')
# hexIV='0'
for i in {0..number_of_TS_chunks}
do
hexIV=`printf '%032x' $i`
openssl aes-128-cbc -e -in $fileName -out $encryptedFileName -p -nosalt -iv ${hexIV} -K ${hexKey}
done
Combining information from three of the above (the OP, the fix for hexdump and the IV information) yielded a working solution for us. Namely:
openssl rand 16 > static.key
key_as_hex=$(cat static.key | hexdump -e '16/1 "%02x"')
for i in {0..9}; do
init_vector=`printf '%032x' $i`
openssl aes-128-cbc -e -in video_low_$(($i+1)).ts -out video_low_enc_$(($i+1)).ts -p -nosalt -iv $init_vector -K $key_as_hex
done
Unfortunately I don't have the tools to experiment with this. It looks like you carefully followed the spec. One thing I would do is sniff the network to make sure the key.txt file is getting downloaded to Safari. I would also try explicitly picking the IV using the IV attribute of the EXT-X-KEY tag, e.g.
#EXT-X-KEY:METHOD=AES-128,URI="key.txt",IV=0x00000000000000000000000000000000
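Added example (not from any of the posts above): the byte-wise key hex conversion, the per-segment sequence-number IV and the explicit IV attribute from the answers, combined into one packaging script that also rejects a key that is not exactly 16 bytes. The function names, the file names on the command line and the 20-second segment duration are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread. Assumed usage (placeholder names):
#   ./hls_encrypt.sh static.key seg0.ts seg1.ts ... > playlist.m3u8

# Hex-encode a raw key file one byte at a time (two digits per byte, file
# order) and refuse anything that is not exactly 16 bytes.
key_hex() {
    hex=$(od -An -v -tx1 "$1" | tr -d ' \n')
    [ "${#hex}" -eq 32 ] || { echo "key must be 16 bytes: $1" >&2; return 1; }
    printf '%s' "$hex"
}

# IV for a segment: its media sequence number as a 128-bit big-endian value.
seq_iv() {
    printf '%032x' "$1"
}

# Encrypt each segment to SEGMENT.enc and print the matching playlist.
package() {
    keyfile=$1; shift
    key=$(key_hex "$keyfile") || return 1
    # The IV attribute needs protocol version 2 or later.
    printf '#EXTM3U\n#EXT-X-VERSION:2\n'
    printf '#EXT-X-TARGETDURATION:20\n#EXT-X-MEDIA-SEQUENCE:0\n'  # 20 s assumed
    seq=0
    for seg in "$@"; do
        iv=$(seq_iv "$seq")
        openssl aes-128-cbc -e -nosalt -K "$key" -iv "$iv" \
            -in "$seg" -out "$seg.enc" || return 1
        # Writing the IV out explicitly removes any doubt about what the
        # player will use for this segment.
        printf '#EXT-X-KEY:METHOD=AES-128,URI="%s",IV=0x%s\n' "$keyfile" "$iv"
        printf '#EXTINF:20,\n%s.enc\n' "$seg"
        seq=$((seq + 1))
    done
    printf '#EXT-X-ENDLIST\n'
}

# Only package when a key file and at least one segment are given.
if [ "$#" -gt 1 ]; then package "$@"; fi
```

The length check in key_hex catches the failure mode from the original question, where the hex string handed to -K did not represent the 16 key bytes in order.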