@nicerobot
Last active February 15, 2026 02:53
Self-extracting, encrypted tarballs using SSH public keys from GitHub. Because https://ssh-vault.com is awesome but it requires an installation.
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
(( ${#} >= 3 )) || { echo "usage: $(basename "${0}") github-username archive-file [files | directories]" >&2; exit 1; }
username="${1}"
outfile="${2}"
shift 2
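# Use the first public key GitHub lists for the user. The RSA encryption below
# needs this to be an RSA key.
key=$(curl -sfS -L "https://github.com/${username}.keys" | head -1)
[[ -n "${key}" ]] || { echo "error: no SSH keys found for github.com/${username}" >&2; exit 1; }
# Everything written to stdout from here on becomes the archive file.
exec >"${outfile}"
# Literal ${0}, so the unquoted heredoc below emits it unexpanded.
zero='${0}'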
cat <<SCRIPT
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
usage() {
echo "usage: bash ${zero} identity-file"
echo "encrypted using: github.com/${username}.keys"
echo " : ${key}"
[[ -f ~/.ssh/id_rsa-${username} ]] && bash \${0} ~/.ssh/id_rsa-${username} || true
exit
}
SCRIPT
cat <<'SCRIPT'
(( ${#} >= 1 )) || usage "${@}"
passfile=$(mktemp)
trap 'rm -f "${passfile}" 2>/dev/null' 0
openssl pkeyutl -decrypt -inkey "${1}" -out "${passfile}" -in <(head -18 "${0}" | tail -1 | perl -p -e 's/\\n/\n/g' | openssl base64 -d)
tail -n+19 "${0}" | openssl enc -aes-256-cbc -d -a -pbkdf2 -pass "file:${passfile}" | tar "${2:-xv}z"
exit
SCRIPT
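# Random 64-byte passphrase (128 hex characters) that keys the AES layer.
pass=$(openssl rand -hex 64)
export pass
# Line 18 of the archive: the passphrase RSA-encrypted to the recipient's key,
# base64-encoded, with newlines escaped so it stays on a single line.
openssl pkeyutl -encrypt -pubin \
-in <(printf '%s' "${pass}") \
-inkey <(ssh-keygen -e -f <(printf '%s\n' "${key}") -m PKCS8) \
| openssl base64 \
| perl -p -e 's/\n/\\n/g'
echo
# Lines 19 onward: the gzipped tarball, AES-256-CBC encrypted and base64-encoded.
tar zc "${@}" | openssl enc -aes-256-cbc -a -salt -pbkdf2 -pass env:pass
chmod +x "${outfile}"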

Generate a plain-text, encrypted archive that is secured using the public key of a particular GitHub user.

Archive and Secure

Usage is similar to tar.

ssh-tgzx github-username archive-file [files | directories]

Extract

Send the file to the user who owns the identity, and they simply run:

bash ./archive-file identity-file

List

bash ./archive-file identity-file t

Example

Create secure archive

To archive some files to send to me:

ssh-tgzx nicerobot private.tgzx private-folder secret-file

It is (relatively) safe to send the file to me via insecure channels.

Extract

I can extract it using:

bash ./private.tgzx ~/.ssh/id_rsa

List

Or just list the contents:

bash ./private.tgzx ~/.ssh/id_rsa t
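
Running `bash ./archive-file` executes whatever header the received file carries, so a recipient who got the file over an insecure channel may prefer to read it purely as data. The function below is an added example, not part of the gist: it assumes the layout the generator script produces (wrapped passphrase on line 18, payload from line 19), and `tgzx_extract` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not part of the gist). Layout assumed from the generator:
# line 18 = RSA-wrapped passphrase, lines 19+ = base64 AES-256-CBC payload.
# tgzx_extract ARCHIVE IDENTITY DESTDIR   (hypothetical helper name)
# Exit codes: 2 malformed key line, 3 key unwrap failed, 4 payload decrypt
# failed, 5 unsafe member path, 6 tar failed.
tgzx_extract() {
    archive=$1; identity=$2; dest=$3
    work=$(mktemp -d) || return 1
    status=0
    (
        umask 077
        # Read line 18 as text and drop the literal "\n" escapes.
        sed -n '18p' "$archive" | sed 's/\\n//g' > "$work/wrapped.b64"
        # Only base64 characters may remain; anything else is rejected.
        grep -Eq '^[A-Za-z0-9+/=]+$' "$work/wrapped.b64" || exit 2
        openssl base64 -d -A -in "$work/wrapped.b64" -out "$work/wrapped.bin" || exit 3
        openssl pkeyutl -decrypt -inkey "$identity" \
            -in "$work/wrapped.bin" -out "$work/pass" || exit 3
        # Same cipher options the generator used.
        tail -n +19 "$archive" |
            openssl enc -aes-256-cbc -d -a -pbkdf2 -pass "file:$work/pass" \
            > "$work/payload.tgz" || exit 4
        # List before extracting; refuse absolute paths and ".." components.
        tar tzf "$work/payload.tgz" > "$work/members" || exit 6
        if grep -Eq '^/|(^|/)\.\.(/|$)' "$work/members"; then exit 5; fi
        mkdir -p "$dest" && tar xzf "$work/payload.tgz" -C "$dest" || exit 6
    ) || status=$?
    rm -rf "$work"
    return "$status"
}
```

Call it as `tgzx_extract ./private.tgzx ~/.ssh/id_rsa ./out`. AES-CBC as used here carries no integrity tag, so a clean extraction does not prove the payload arrived unmodified.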

macOS Quarantine

macOS XProtect may flag this script as malware and delete it due to its use of encryption, curl, and executable file generation. This is a false positive.

To restore and allow it:

  1. Recover the file from Trash or re-download it
  2. Open System Settings > Privacy & Security
  3. Look for the blocked file notice and click Allow Anyway