No-frills secret sharing with openssl

Motivation

Sometimes we need to share a secret with a colleague, and frequently it’s a hassle to do so securely. The worst options include people simply sending plain-text secrets over email or Slack. It is somewhat better if that email goes through an encrypted service like ProtonMail, but it is still a fairly brittle approach when we’re dealing with something sensitive.
More secure (and more hassle) options include leveraging cloud vault solutions, GPG over email, or Shamir’s Secret Sharing, e.g. the ssss Linux tool. While those options are nice, sometimes the amount of hassle is just too much. Also, speaking of vaults, you frequently don’t want to grant the person you’re sharing a single secret with any authorization on the vault itself.

The solution I’m opting to use frequently, and want to describe here, involves encrypting the secret via openssl with a one-time password. The idea is that the secret is now represented as 2 pieces (encrypted secret + one-time password), and we send those pieces over 2 different channels (e.g., email and SMS). The benefit of this solution is that a) the secret is not sent in plain text anywhere; b) compromising any one of those channels is not enough to retrieve the secret; c) the method is fairly simple and straightforward, as shown below.

Openssl way walkthrough

  1. Create or generate a secure one-time password, e.g. using openssl rand 30 | base64
  2. Encrypt your secret with openssl using:
    echo 'my secret' | openssl aes-256-cbc -a -pbkdf2 -salt
    then input your one-time password generated in step 1 when prompted (you need to do it twice – the first time and again during verification).
    You will obtain base64 output of your encrypted secret.
  3. Send the output from step 2 and the one-time password from step 1 to your recipient via different channels. E.g., send the encrypted secret via email and the password via Slack.
  4. To decrypt, your recipient would do:
    echo 'base64 encrypted secret' | openssl aes-256-cbc -a -d -pbkdf2 -salt
    and would need to supply the one-time password from step 1 when prompted.
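The same four steps as a non-interactive script, added here as an example and not part of the original post. It assumes an openssl CLI new enough to support -pbkdf2 (1.1.1 or later) and coreutils base64. The password is handed to openssl via -pass env:OTP rather than typed at the prompt, so the script can be run unattended and the password does not show up in the process list the way -pass pass:... would. The function names (gen_otp, encrypt_secret, decrypt_secret, roundtrip, wrong_otp_fails) are my own choices.

```shell
#!/bin/sh
# Added example: the walkthrough above, scripted. Requires openssl >= 1.1.1 (for -pbkdf2).

# Step 1: generate a one-time password (30 random bytes, base64-encoded, newline stripped).
gen_otp() {
    openssl rand 30 | base64 | tr -d '\n'
}

# Step 2: encrypt a secret read from stdin with the given one-time password.
# -a emits base64, -pbkdf2 derives the key from the password with PBKDF2, -salt
# adds a random salt so the same secret and password never yield the same ciphertext.
encrypt_secret() {
    OTP="$1" openssl aes-256-cbc -a -pbkdf2 -salt -pass env:OTP
}

# Step 4: decrypt base64 ciphertext read from stdin with the one-time password.
decrypt_secret() {
    OTP="$1" openssl aes-256-cbc -a -d -pbkdf2 -pass env:OTP
}

# Round trip: returns 0 when the decrypted text equals the original secret.
# printf '%s' is used instead of echo so no trailing newline becomes part of the secret.
roundtrip() {
    secret="$1"
    otp=$(gen_otp)
    ct=$(printf '%s' "$secret" | encrypt_secret "$otp")
    pt=$(printf '%s\n' "$ct" | decrypt_secret "$otp")
    [ "$pt" = "$secret" ]
}

# Failure mode: a recipient holding only the ciphertext (one channel) and guessing a
# different password must not recover the secret. openssl normally reports "bad decrypt";
# in the rare case the padding check passes by chance, the output is garbage, not the secret.
wrong_otp_fails() {
    secret="$1"
    otp=$(gen_otp)
    ct=$(printf '%s' "$secret" | encrypt_secret "$otp")
    pt=$(printf '%s\n' "$ct" | decrypt_secret "$(gen_otp)" 2>/dev/null || true)
    [ "$pt" != "$secret" ]
}

# Stand-alone demo: print the two pieces that would travel over the two channels.
demo() {
    otp=$(gen_otp)
    ct=$(printf '%s' 'my secret' | encrypt_secret "$otp")
    echo "send over channel A (e.g. email): $ct"
    echo "send over channel B (e.g. SMS):   $otp"
}
```

Note that the post's `echo 'my secret'` includes a trailing newline in the plaintext, so the recipient gets that newline back on decryption; use printf '%s' (as above) or echo -n if the secret must be byte-exact.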