Encrypted zip files on OSX

My passwords and other miscellany are in a plain text file within an encrypted zip. Since starting to use OSX I’ve been looking for a way to access my passwords such that:

  • I get prompted for the decryption password.
  • The file gets unzipped, but not in the same directory, because that’s synced to Dropbox, so would send my plaintext passwords to them every time I accessed them. Maybe to /tmp?
  • The plaintext file within the zip is opened in $EDITOR.
  • Wait for me to close $EDITOR, then remove my plaintext passwords from the filesystem.
  • Before deleting the passwords, check if I’ve updated them. If so, put the new updated version back into the original zip file.
  • Don’t forget to keep the updated zip file encrypted, using the same password as before, without prompting for it again.

I failed to find an existing app which would do all this (although I had no trouble on Linux or even on Windows.) Hence, resorting to good old Bash:

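#!/bin/bash

ZIPDIR="$HOME/docs/org"
# Fall back to defaults when the environment does not set these.
TMPDIR="${TMPDIR:-/tmp}"
EDITOR="${EDITOR:-vi}"

# IFS= and -r keep the password exactly as typed; -s hides the typing.
IFS= read -r -s -p "Password:" key
echo

cd "$ZIPDIR" || exit 1
# Extract outside the Dropbox-synced directory.
unzip -P "$key" passwords.zip passwords.txt -d "$TMPDIR" || exit 1

cd "$TMPDIR" || exit 1
# Timestamp marker used to detect whether the editor changed the file.
touch passwords.datestamp
# Left unquoted so that an $EDITOR value with arguments still works.
$EDITOR passwords.txt
if [[ passwords.txt -nt passwords.datestamp ]] ; then
    # Put the updated file back, encrypted with the same password.
    zip -P "$key" -r "$ZIPDIR/passwords.zip" passwords.txt
fi

# Remove the plaintext and the marker.
rm passwords.txt
rm passwords.datestamp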

I don’t expect this to be watertight, but it seems good enough for today. I’m happy to hear suggestions.
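
A hardened variant of the script above, added here as an example and not the author's code: it extracts into a private mode-0700 directory created by mktemp, removes the plaintext on every exit path with a trap, and detects edits by checksum rather than by mtime. The function name edit_zip_member and its argument order are assumptions; it expects Info-ZIP zip and unzip, as the original does.

```bash
#!/bin/bash
# Added example (not the post's script). edit_zip_member is a hypothetical name.
# Usage: edit_zip_member ZIP MEMBER PASSWORD EDITOR_CMD...
# Returns 0 if the archive was updated, 1 if unchanged, 2 on error.
edit_zip_member() (
    zip_path=$1 member=$2 key=$3
    shift 3
    # zip is run from inside the work directory, so make the path absolute.
    case $zip_path in /*) ;; *) zip_path=$PWD/$zip_path ;; esac

    # mktemp -d creates a mode-0700 directory, so other local users cannot
    # read the plaintext even when TMPDIR falls back to the shared /tmp.
    work=$(mktemp -d "${TMPDIR:-/tmp}/pwedit.XXXXXX") || exit 2

    # The function body is a subshell: this trap removes the plaintext on
    # every exit path, including Ctrl-C or a failed command.
    trap 'rm -rf "$work"' EXIT
    trap 'exit 2' HUP INT TERM

    unzip -q -P "$key" "$zip_path" "$member" -d "$work" || exit 2
    cd "$work" || exit 2

    # Compare content checksums instead of mtimes to detect an edit.
    before=$(cksum < "$member")
    "$@" "$member"
    after=$(cksum < "$member")
    if [ "$before" = "$after" ]; then
        exit 1
    fi

    # Same -P call as the post, so the password is not asked for again.
    zip -q -P "$key" "$zip_path" "$member" || exit 2
    exit 0
)
```

Call it after the password prompt as edit_zip_member "$HOME/docs/org/passwords.zip" passwords.txt "$key" $EDITOR. As in the original, -P puts the password on the zip and unzip command lines, where other local users can see it with ps while those commands run.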

9 thoughts on “Encrypted zip files on OSX”

  1. FWIW, JB, I use 1Password which encrypts notes too. But that admission is probably not cool in this worldspace (for some reason I’m probably not cool enough to understand :))

  2. I’m surprised Merlin Mann isn’t already here telling you about OnePassword and TextExpander and SquareSpace and…

  3. I use Codebook on iOS, for the same predominantly-unstructured-text reason. They’ve got a contact form – you should lobby them to do one for Android. Also it’s backed by SQLCipher, which is an encrypted extension of SQLite. It’s pretty straightforward to build from source.

    I don’t think it would be that hard to write a command-line client that would open the database, prompt for your password, let you select an entry, plop that into $EDITOR, and then write the results back. But it would definitely be more than your little script. One benefit would be that it doesn’t decrypt the whole password file and leave it sitting in your filesystem – only the note you’re editing is exposed.

  4. I do use KeePass, but haven’t transferred the majority of my secret data over to it because lots of my secret data seems to be unstructured text rather than username/password combos. Plus, darn-it-all, I really like being able to view it in my favourite text editor, complete with a decent search and the like.

  5. This is of course where 25 people pile in to let you know about the entire mini-industry devoted to solving exactly this problem on OSX!
