What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again.

Delete that bloated snippets file you've been using and share your personal repository with the world. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Get involved!

You can sign-in using OpenID credentials, or register a traditional username and password.

First-time OpenID users will be automatically assigned a username which can be changed after signing in.

UpGuard checks and validates configurations for every major OS, network device, and cloud provider.

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:



May 19, 2015 - A Look At The New Commandlinefu
I've put together a short writeup on what kind of newness you can expect from the next iteration of clfu. Check it out here.
March 2, 2015 - New Management
I'm Jon, I'll be maintaining and improving clfu. Thanks to David for building such a great resource!

Top Tags



Commands tagged Encryption from sorted by
Terminal - Commands tagged Encryption - 27 results
scrypt(){ [ -n "$1" ]&&{ echo '. <(echo "$(tail -n+2 $0|base64 -d|mcrypt -dq)"); exit;'>$1.scrypt;cat $1|mcrypt|base64 >>$1.scrypt;chmod +x $1.scrypt;};}
2017-06-14 16:27:20
User: rodolfoap
Functions: cat chmod echo

This function will encrypt a bash script and will only execute it after providing the passphrase. Requires mcrypt to be installed on the system.

cat hello


case "$1" in

""|-h) echo "This is the fantastic Hello World. Try this:" $(basename $0) "[entity]" ;;

moon) echo Good night. ;;

sun) echo Good morning. ;;

world) echo "Hello, world!" ;;

*) echo Hi, $@. ;;


scrypt hello

Enter the passphrase (maximum of 512 characters)

Please use a combination of upper and lower case letters and numbers.

Enter passphrase:

Enter passphrase:

Stdin was encrypted.

cat hello.scrypt

. <(echo "$(/usr/bin/tail -n+2 $0|base64 -d|mcrypt -dq)");exit;









This is the fantastic Hello World. Try this: hello [entity]


Enter passphrase:

This is the fantastic Hello World. Try this: hello.scrypt [entity]

./hello world

Hello, world!

./hello.scrypt world

Enter passphrase:

Hello, world!

ncat -vlm 5 --ssl --chat 9876
2014-06-07 19:17:29
User: snipertyler

Client ~$ ncat --ssl localhost 9876

Change localhost to the correct ip address.

edrv() { N=${1:-edrv}; truncate -s ${2:-256m} $N.img && L=$(losetup -f) && losetup $L $N.img && cryptsetup luksFormat --batch-mode $L && cryptsetup luksOpen $L $N && mkfs.vfat /dev/mapper/$N -n $N; cryptsetup luksClose $N; echo losetup -d $L to unmount; }
2014-02-24 01:38:21
User: snipertyler
Functions: echo losetup

You need to be root to do this. So check the command before running it.

You enter the same password for

Enter LUKS passphrase:

Verify passphrase:

Enter passphrase for /dev/loopn:


You can then copy the .img file to somewhere else.

Loop it it with losetup -f IMAGENAME.img and then mount it with a file manager (eg nemo) or run mount /dev/loopn /media/mountfolder

Acts similar to a mounted flash drive

echo -n "string" | md5sum|cut -f 1 -d " "
2014-02-20 22:44:00
User: labadf
Functions: cut echo

echo defaults to include a newline character at the end of the string, which messes with the hash. If you suppress it with -n then it has the same effect as PHP's ?echo md5("string"), "\t-";? Even more, by using cut you get the exact same output, so it works as a drop-in replacement for the original command for this thread.

server$ while true; do read -n30 ui; echo $ui |openssl enc -aes-256-ctr -a -k PaSSw; done | nc -l -p 8877 | while read so; do decoded_so=`echo "$so"| openssl enc -d -a -aes-256-ctr -k PaSSw`; echo -e "Incoming: $decoded_so"; done
2014-01-16 14:36:09
User: arno
Functions: echo read

client$ while true; do read -n30 ui; echo $ui |openssl enc -aes-256-ctr -a -k PaSSw ; done | nc localhost 8877 | while read so; do decoded_so=`echo "$so"| openssl enc -d -a -aes-256-ctr -k PaSSw`; echo -e "Incoming: $decoded_so"; done

This will establish a simple encrypted chat with AES-256-CTR using netcat and openssl only.

More info here https://nixaid.com/encrypted-chat-with-netcat/

tar --exclude-from=$excludefile -zcvp "$source" | openssl aes-128-cbc -salt -out $targetfile -k $key
2013-12-13 19:35:20
User: klausman
Functions: tar

Create compressed, encrypted backup from $source to $targetfile with password $key and exclude-file $excludefile

openssl aes-256-cbc -salt -in secrets.txt -out secrets.txt.enc
2013-04-13 19:33:37
User: jrdbz

To decrypt: openssl aes-256-cbc -d -in secrets.txt.enc -out secrets.txt.new

Reference: http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl

Optional parameter -a makes output base64 encoded, can be viewed in text editor or pasted in email

tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
2013-03-13 09:44:39
User: skkzsh
Functions: gpg tar

Decrypt with:

gpg -o- foo.tgz.gpg | tar zxvf -
echo "ls" > script.bash; gpg -c script.bash; cat script.bash.gpg | gpg -d --no-mdc-warning | bash
2013-03-10 09:34:12
User: betsubetsu
Functions: cat echo gpg

echo "ls" > script.bash;

This is my script, a simple 'ls'.

gpg -c script.bash;

Here I encrypt and passord-protect my script. This creates file script.bash.gpg.

cat script.bash.gpg | gpg -d --no-mdc-warning | bash

Here I open file script.bash.gpg, decrypt it and execute it.

read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)
2013-03-10 08:59:45
User: rodolfoap
Functions: cat chmod echo gpg read sed wc

(Please see sample output for usage)

Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.:

myscript --> myscript.crypt

You can execute myscript.crypt only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

Sorry for the chmod on parentheses, I dont like "-" at the end.

Thanks flatcap for the subshell abbreviation to /dev/null

echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
2013-03-09 11:16:48
User: rodolfoap
Functions: chmod echo gpg sed stat

(Please see sample output for usage)

script.bash is your script, which will be crypted to script.secure

script.bash --> script.secure

You can execute script.secure only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

dd if=/dev/zero of=T bs=1024 count=10240;mkfs.ext3 -q T;E=$(echo 'read O;mount -o loop,offset=$O F /mnt;'|base64|tr -d '\n');echo "E=\$(echo $E|base64 -d);eval \$E;exit;">F;cat <(dd if=/dev/zero bs=$(echo 9191-$(stat -c%s F)|bc) count=1) <(cat T;rm T)>>F
2013-01-31 01:38:30
User: rodolfoap

This is just a proof of concept: A FILE WHICH CAN AUTOMOUNT ITSELF through a SIMPLY ENCODED script. It takes advantage of the OFFSET option of mount, and uses it as a password (see that 9191? just change it to something similar, around 9k). It works fine, mounts, gets modified, updated, and can be moved by just copying it.


The file is composed of three parts:

a) The legible script (about 242 bytes)

b) A random text fill to reach the OFFSET size (equals PASSWORD minus 242)

c) The actual filesystem

Logically, (a)+(b) = PASSWORD, that means OFFSET, and mount uses that option.

PLEASE NOTE: THIS IS NOT AN ENCRYPTED FILESYSTEM. To improve it, it can be mounted with a better encryption script and used with encfs or cryptfs. The idea was just to test the concept... with one line :)

It applies the original idea of http://www.commandlinefu.com/commands/view/7382/command-for-john-cons for encrypting the file.

The embedded bash script can be grown, of course, and the offset recalculation goes fine. I have my own version with bash --init-file to startup a bashrc with a well-defined environment, aliases, variables.

tar --create --file - --posix --gzip -- <dir> | openssl enc -e -aes256 -out <file>
2012-11-27 15:33:45
User: seb1245
Functions: tar

Create an AES256 encrypted and compressed tar archive.

User is prompted to enter the password.

Decrypt with:

openssl enc -d -aes256 -in <file> | tar --extract --file - --gzip
echo -n 'the_password' | md5sum -
md5sum<<<'text to be encrypted'
2012-02-14 19:57:52
User: waldvogel
Functions: md5sum

Here Strings / A variant of here documents, the format is:

(from bash manpage)

cryptmount -m <name>
2012-01-17 18:02:47
User: totti

In order to create a new encrypted filing system managed by cryptmount,

you can use the supplied 'cryptmount-setup' program, which can be used

by the superuser to interactively configure a basic setup.

Alternatively, suppose that we wish to setup a new encrypted filing

system, that will have a target-name of "opaque". If we have a free

disk partition available, say /dev/hdb63, then we can use this directly

to store the encrypted filing system. Alternatively, if we want to

store the encrypted filing system within an ordinary file, we need to

create space using a recipe such as:

dd if=/dev/zero of=/home/opaque.fs bs=1M count=512


cryptmount --generate-key 32 opaque


cryptmount --prepare opaque


mke2fs /dev/mapper/opaque


cryptmount --release opaque


mkdir /home/crypt


cryptmount -m opaque


cryptmount -u opaque

For detail see sample output

alias sshv='ssh -vvv -o LogLevel=DEBUG3'
2010-10-30 11:23:52
User: AskApache
Functions: alias

When debugging an ssh connection either to optimize your settings ie compression, ciphers, or more commonly for debugging an issue connecting, this alias comes in real handy as it's not easy to remember the '-o LogLevel=DEBUG3' argument, which adds a boost of debugging info not available with -vvv alone.

Especially useful are the FD info, and the setup negotiation to create a cleaner, faster connection.

tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
2010-04-30 10:07:27
User: hackerb9
Functions: tr

I noticed some spammer posted an advertisement here for "not bad" encryption. Unfortunately, their software only runs under Microsoft Windows and fails to work from the commandline. My shell script improves upon those two aspects, with no loss in security, using the exact same "military-grade" encryption technology, which has the ultra-cool codename "ROT-13". For extra security, I recommend running ROT-13 twice.

truecrypt volume.tc
2010-04-14 18:34:09
User: rkulla

This should automatically mount it to /media/truecrypt1. Further mounts will go to /media/truecrypt2, and so on. You shouldn't need sudo/su if your permissions are right.

I alias tru='truecrypt' since tr and true are commands.

To explicitly create a mount point do: tru volume.tc /media/foo

To make sure an GUI explorer window (nautilus, et al) opens on the mounted volume, add: --explorer

To see what you currently have mounted do: tru -l

To dismount a volume do: tru -d volume.tc. To dismount all mounted volumes at once do: tru -d

Tested with Truecrypt v6.3a / Ubuntu 9.10

cat private-file | gpg2 --encrypt --armor --recipient "Disposable Key" | mailx -s "Email Subject" [email protected]
2009-10-19 20:38:37
User: slashdot
Functions: cat mailx

This is a quick and easy way of encrypting files in a datastream, without ever really creating an output file from gpg. Useful with cron also, when file(s) have to be sent based on a set schedule.

openssl des3 -salt -in unencrypted-data.tar -out encrypted-data.tar.des3
2009-10-03 03:50:46
User: berot3

The lifehacker way: http://lifehacker.com/software/top/geek-to-live--encrypt-your-data-178005.php#Alternate%20Method:%20OpenSSL

"That command will encrypt the unencrypted-data.tar file with the password you choose and output the result to encrypted-data.tar.des3. To unlock the encrypted file, use the following command:"

openssl des3 -d -salt -in encrypted-data.tar.des3 -out unencrypted-data.tar
eval $(sed -n "s/^d[^D]*DB_\([NUPH]\)[ASO].*',[^']*'\([^']*\)'.*/_\1='\2'/p" wp-config.php) && mysqldump --opt --add-drop-table -u$_U -p$_P -h$_H $_N | gpg -er AskApache >`date +%m%d%y-%H%M.$_N.sqls`
2009-08-18 07:03:08
User: AskApache
Functions: eval gpg sed

The coolest way I've found to backup a wordpress mysql database using encryption, and using local variables created directly from the wp-config.php file so that you don't have to type them- which would allow someone sniffing your terminal or viewing your shell history to see your info.

I use a variation of this for my servers that have hundreds of wordpress installs and databases by using a find command for the wp-config.php file and passing that through xargs to my function.

tar c folder_to_encrypt | openssl enc -aes-256-cbc -e > secret.tar.enc
2009-07-23 06:03:39
User: recursiverse
Functions: c++ tar

command to decrypt:

openssl enc -aes-256-cbc -d < secret.tar.enc | tar x

Of course, don't forget to rm the original files ;) You may also want to look at the openssl docs for more options.

for a in path/* ; do ccenrypt -K <password> $a; done
2009-05-08 18:33:23
User: P17
Tags: Encryption

To decrypt the files replace "ccenrypt" with "ccdecrypt.

ccrypt(1) must be installed. It uses the AES (Rijndael) block cipher.

To make it handier create an alias.

pwsafe -qa "gpg keys"."$(finger `whoami` | grep Name | awk '{ print $4" "$5 }')"
2009-05-07 14:49:56
User: denzuko

From time to time one forgets either thier gpg key or other passphrases. This can be very problematic in most cases. But luckily there's this script. Its based off of pwsafe which is a unix commandline program that manages encrypted password databases. For more info on pwsafe visit, http://nsd.dyndns.org/pwsafe/.

What this script does is it will help you store all your passphrases for later on and allow you to copy it to your clipboard so you can just paste it in, all with one password. Pretty neat no?

You can find future releases of this and many more scripts at The Teachings of Master Denzuko - denzuko.wordpress.com.