Using Bash to Simplify AES Encryption for API Security 

5 min read
zen8labs using bash to simplify AES Encryption for API Security 1

For zen8labs mobile developers, ensuring the security of data sent over APIs is important. The chosen encryption algorithm is AES since it is dependable and widely used. Encryption functions can be difficult to implement and time-consuming to check accurately. I’ve created a Bash script that makes AES encryption easier to speed up this step. I’ll guide you through writing and utilizing this script step-by-step in this blog. 

Understanding AES encryption 

zen8labs using bash to simplify AES Encryption for API Security 2

Because of its efficiency and security, the symmetric encryption technique known as AES (Advanced Encryption Standard) is frequently used in many different applications. The term “symmetric encryption” means encryption and decryption using the same key. Different key lengths are supported by AES, with AES-256 being one of the more secure alternatives because of its 256-bit key length. AES runs on set block sizes. 

Using an initialization vector (IV) that ensures that identical plaintext blocks return different ciphertext blocks, AES-CBC (Cipher Block Chaining) is an AES mode of operation that improves security. Every encryption process requires a different and unpredictable IV. 

We will focus on AES-CBC-256, which combines the extra protection offered by the CBC mode with the strong security of AES. 

Setting up the script 

Create a shell script file named start.sh with the following content:: 

```bash 

#!/bin/bash 

echo "Hello world" 

```

Give executable permissions to the script: 

```bash 

chmod +x start.sh 

```

You can then run the script: 

```bash 

./start.sh 

```

The output will show like this: 

``` 

Hello world 

```

Implementing the functions 

Installing OpenSSL Library 

To implement AES encryption and decryption functions, we’ll leverage OpenSSL. 

Installation Steps: 

For macOS (using HomeBrew): 

``` 

brew install openssl 

```

For Ubuntu (using apt): 

``` 

apt-get install libssl-dev 

```

Implementing AES encrypt, decrypt & generate key functions 

Now, let’s integrate OpenSSL to handle AES encryption and decryption within our shell script. 
Here’s how you can incorporate OpenSSL to encrypt and decrypt using AES-256-CBC: 

Encrypt function 

``` 

#!/bin/bash 


# Function to encrypt with AES using OpenSSL 

encrypt_aes() { 

    read -p "Enter the text to encrypt: " text_to_encrypt 

    read -p s "Enter the AES key (Base64): " base64_encoded_key 

    echo # for newline after entering password 



    local key_hex=$(echo "$base64_encoded_key" | base64 -d | xxd -p -u -c 32) 



    # Prompt for IV input 

    read -p "Enter the IV in hexadecimal (leave empty for random IV): " iv_hex_input 

    if [ -z "$iv_hex_input" ]; then 

        iv_hex=$(openssl rand -hex 16)  # Generate random IV for AES-256-CBC 

    else 

        iv_hex=$iv_hex_input 

    fi 



    # Encrypt using AES-256-CBC with specified IV 

    local encrypted_text=$(echo -n "$text_to_encrypt" | openssl enc -aes-256-cbc -iv "$iv_hex" -e -a -K "$key_hex") 



    echo "AES Encrypted Text: $encrypted_text" 

} 

```

Decrypt function 

``` 

decrypt_aes() { 

    read -p "Enter the text to decrypt (Base64): " encrypted_text 

    read -p -s "Enter the AES key (Base64): " base64_encoded_key 

    echo # for newline after entering password 


    local key_hex=$(echo "$base64_encoded_key" | base64 -d | xxd -p -u -c 32) 


    # Prompt for IV input 

    read -p "Enter the IV in hexadecimal: " iv_hex 



    echo "iv_hex: $iv_hex" 

    echo "key_hex: $key_hex" 



    # Decrypt using AES-256-CBC with specified IV 

    decrypted_text=$(echo "$encrypted_text" | openssl enc -aes-256-cbc -iv "$iv_hex" -d -a -K "$key_hex") 



    if [ $? -eq 0 ]; then 

        echo "AES Decrypted Text: $decrypted_text" 

    else 

        echo "Decryption failed. Check your input and try again." 

    fi 

} 

```

Using the script 

We have four options in our script: 

  1.  Encrypt with AES (Base64 key) 
  1.  Decrypt with AES (Base64 key) 
  1.  Generate AES key 
  1.  Generate IV 

Here’s how you can use each option step-by-step: 

Generate AES key

This will create a new AES key for encryption and decryption. 

  1. Run the script and select option 3. 
  1. The script will output a Base64 encoded AES key. 
  1. Save this key securely as it is required for both encryption and decryption. 

Generate IV

This will create a new initialization vector (IV) for encryption. 

  1. Run the script and select option 4
  1. The script will output a hexadecimal IV. 
  1. Save this IV securely as it is required for both encryption and decryption 

Encrypt text

This will encrypt the text you provide using the generated AES key and IV. 

  1. Run the script and select option 1
  1. Enter the text you want to encrypt when prompted. 
  1. Enter the previously generated AES key when prompted. 
  1. Enter the previously generated IV when prompted (or leave it blank to generate a new IV). 

Decrypt text

This will decrypt the encrypted text back to the original text using the same AES key and IV. 

  1. Run the script and select option 2
  1. Enter the Base64 encoded encrypted text when prompted. 
  1. Enter the previously generated AES key when prompted. 
  1. Enter the previously generated IV when prompted. 

By following these steps, you can successfully encrypt and decrypt text using AES-256-CBC with your generated keys and IVs. This script simplifies the process and ensures that your data is securely transmitted over your APIs. 

Full script for reference 

``` 

#!/bin/bash 

# Function to encrypt with AES using OpenSSL 

encrypt_aes() { 

    read -p "Enter the text to encrypt: " text_to_encrypt 
    read -p "Enter the AES key (Base64): " base64_encoded_key 
    echo # for newline after entering password 

    local key_hex=$(echo "$base64_encoded_key" | base64 -d | xxd -p -u -c 32) 

    # Prompt for IV input 
    read -p "Enter the IV in hexadecimal (leave empty for random IV): " iv_hex_input 
    if [ -z "$iv_hex_input" ]; then 
        iv_hex=$(openssl rand -hex 16)  # Generate random IV for AES-256-CBC 
    else 
        iv_hex=$iv_hex_input 
    fi 

    # Encrypt using AES-256-CBC with specified IV 
    local encrypted_text=$(echo -n "$text_to_encrypt" | openssl enc -aes-256-cbc -iv "$iv_hex" -e -a -K "$key_hex") 


    echo "AES Encrypted Text: $encrypted_text" 

} 

# Function to decrypt with AES using OpenSSL 
decrypt_aes() { 
    read -p "Enter the text to decrypt (Base64): " encrypted_text 


    read -p "Enter the AES key (Base64): " base64_encoded_key 
    echo # for newline after entering password 

    local key_hex=$(echo "$base64_encoded_key" | base64 -d | xxd -p -u -c 32) 

    # Prompt for IV input 
    read -p "Enter the IV in hexadecimal: " iv_hex 

    echo "iv_hex: $iv_hex" 
    echo "key_hex: $key_hex" 

    # Decrypt using AES-256-CBC with specified IV 
    decrypted_text=$(echo "$encrypted_text" | openssl enc -aes-256-cbc -iv "$iv_hex" -d -a -K "$key_hex") 


    if [ $? -eq 0 ]; then 
        echo "AES Decrypted Text: $decrypted_text"
    else 
        echo "Decryption failed. Check your input and try again." 
    fi 
} 

# Function to generate AES key 
generate_aes_key() { 
    aes_key=$(openssl rand -hex 32)  # Generate random 32-byte AES key in hexadecimal format 
    aes_key_base64=$(echo -n "$aes_key" | xxd -r -p | base64) 

    echo "Generated AES Key (Base64): $aes_key_base64" 
} 

# Function to generate IV 
generate_iv() { 
    iv_hex=$(openssl rand -hex 16)  # Generate random IV for AES-256-CBC 
    echo "Generated IV: $iv_hex" 
} 

# Function to display menu 

show_menu() { 
    echo "Choose a function:" 
    echo "1) Encrypt with AES (Base64 key)" 
    echo "2) Decrypt with AES (Base64 key)" 
    echo "3) Generate AES key" 
    echo "4) Generate IV" 
    echo -n "Enter your choice [1-4]: " 
} 



# Main script execution 
show_menu 
read choice 
case $choice in 
    1) encrypt_aes ;; 
    2) decrypt_aes ;; 
    3) generate_aes_key ;; 
    4) generate_iv ;; 
    *) echo "Invalid choice, please try again." ;; 
esac 

```

Conclusion 

Using this Bash script, you can efficiently manage AES encryption and decryption for your mobile applications. By automating key and IV generation, as well as providing straightforward encryption and decryption functions, this script simplifies the process of securing your data. 

Hope this helps you to create your own script that assists in your work. Feel free to customize it further to suit your specific needs! 

Quan Nguyen, Solutions Architect

Related posts

If you are an iOS developer, you might be familiar with in-app-purchases (IAP). You can provide additional content or services within the app, such as buying clothes for your character, unlocking new features in your app, removing ads, etc. Learn about these areas in our new blog!
5 min read
Normally when programming a mobile application, we often encounter apps crashing, which is when the current application cannot operate (force close). But there is another status that is less serious: Application Not Responding (ANR). Why is it less serious because your application can continue to be used normally after waiting? The question is how to minimize ANR errors? Let's find out below.
3 min read
The need to make mock A.P.I responses has become increasingly crucial for efficient testing and development workflows. While various tools offer powerful capabilities for intercepting and modifying HTTP traffic, they often come with an expensive price tag. This is where mitmproxy steps in as a cost-effective and feature-rich alternative.
5 min read