Build your own encryption tools with 50 lines of Bash.
Real privacy is built on transparency, not on shiny apps or black boxes. This guide gives you two auditable Bash scripts to encrypt and decrypt sensitive folders using standard GPG and AES256. No cloud, no subscription — just pure mathematics and Linux.
"Don't trust, verify."
We say that about Bitcoin nodes. We should say it about our security tools too.
Many people rely on complex apps with glossy interfaces to hide their data. But complexity is the enemy of security. Every line of code you didn't write (and can't read) is a potential security risk.
The most robust encryption often comes from tools that have been battle-tested for decades: GPG and Tar.
Below you'll find two scripts I use to secure data. They turn any folder into an encrypted .tar.gz.gpg archive.
They work on your high-end Linux desktop and even on your smartphone (via Termux).
Why use scripts?
- Auditability: You can read every line. No hidden backdoors.
- Standardization: The output is standard OpenPGP. You can still decrypt it 20 years from now, even if these scripts are long gone.
- Speed: It combines archiving, compression, and encryption in a single stream.
1. The Concept
We're not reinventing the wheel. We're chaining standard tools together:
- Tar: Bundles files together.
- Gzip: Compresses them.
- GPG (AES256): Encrypts them symmetrically.
OpSec Note
These scripts use symmetric encryption. Security depends entirely on the strength of your passphrase. Use a long passphrase with high entropy (randomness) that you don't use anywhere else.
2. Part 1: The Shield (Encryption)
Save this code as a file named encrypt-folder.sh.
#!/bin/bash
# 🔒 Vereinheitlichtes Verschlüsselungs-Skript (TUXEDO + Termux)
# Ausgabe: ~/Verschlüsselt_<Ordner>.tar.gz.gpg (+ .sha256)
#
# S2K-Härtung: SHA512 + AES256 + maximale Iterationen (65011712)
# → Brute-Force-Angriffe auf das Passwort werden 100x teurer.
set -Eeuo pipefail
umask 077
read -p "📁 Bitte gib den Ordnernamen ein: " ORDNERNAME
if [ -z "${ORDNERNAME:-}" ]; then
echo "❌ Kein Name eingegeben. Abbruch."
exit 1
fi
SRC="$HOME/$ORDNERNAME"
if [ ! -d "$SRC" ]; then
echo "❌ Ordner nicht gefunden: $SRC"
exit 1
fi
# Zielpfad unterscheiden (PC vs. Termux)
if [ -d "$HOME/storage/downloads" ]; then
# Termux-Speicher (Android)
OUTDIR="$HOME/storage/downloads"
else
# TUXEDO OS / Linux Desktop
OUTDIR="$HOME"
fi
ZIEL="$OUTDIR/Verschlüsselt_${ORDNERNAME}.tar.gz.gpg"
if [ -f "$ZIEL" ]; then
ZIEL="$OUTDIR/Verschlüsselt_${ORDNERNAME}_$(date +%F_%H%M).tar.gz.gpg"
fi
echo "📦 Packe & verschlüssele → $ZIEL"
# Packen und verschlüsseln im Stream (kein Klartext-Zwischenschritt)
# S2K-Härtung:
# --s2k-cipher-algo AES256 → Schlüsselableitung mit AES256
# --s2k-digest-algo SHA512 → SHA512 als Hash (stärker als Standard SHA1)
# --s2k-count 65011712 → Maximale Iterationen → Brute-Force 100x teurer
# --no-symkey-cache → Passwort wird nicht im GPG-Agenten gecacht
tar -C "$HOME" -cf - -- "$ORDNERNAME" \
| gzip -9 \
| gpg --symmetric \
--cipher-algo AES256 \
--s2k-cipher-algo AES256 \
--s2k-digest-algo SHA512 \
--s2k-count 65011712 \
--compress-level 0 \
--no-symkey-cache \
-o "$ZIEL"
# Prüfsumme mit relativem Namen
( cd "$(dirname "$ZIEL")" && sha256sum "$(basename "$ZIEL")" > "$(basename "$ZIEL").sha256" )
# Optional Desktop-Benachrichtigung (nur unter Linux)
if command -v notify-send >/dev/null 2>&1; then
notify-send "✅ Verschlüsselt" "Archiv: $(basename "$ZIEL")"
fi
echo "✅ Fertig: $(basename "$ZIEL")"
echo "🧩 SHA256-Datei: $(basename "$ZIEL").sha256"
3. Part 2: The Key (Decryption)
The decryption script offers three modes — depending on what you need:
- [T] Write TAR (default): Writes the decrypted
.tar.gzto your home directory — without unpacking. - [E] Extract: Decrypts and extracts directly into
~/Restore/. - [L] List: Shows the contents of the archive without writing anything.
Save this code as a file named decrypt-folder.sh.
#!/usr/bin/env bash
# decrypt-folder.sh – Entschlüsselt <NAME>[.tar.gz].gpg aus ~ oder ~/Downloads.
# Modi: SHA256-Check, Loopback-Fallback, Entpacken (E), Liste (L), Standard: TAR schreiben (T)
set -Eeuo pipefail
umask 077
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null || true)}"
die(){ printf "❌ %s\n" "$*" >&2; exit 1; }
# --- Eingabe: Name oder Pfad, mit/ohne .gpg ---
NAME="${1-}"
if [ -z "$NAME" ]; then
printf "Wie heißt die verschlüsselte Datei (ohne .gpg)? "
IFS= read -r NAME
fi
[ -n "$NAME" ] || die "Kein Name."
# Falls Nutzer doch .gpg mitgegeben hat → abstreifen
NAME="${NAME%.gpg}"
# Kandidaten-Pfade für die .gpg finden
CAND=(
"$HOME/${NAME}.gpg"
"$HOME/Downloads/${NAME}.gpg"
"$PWD/${NAME}.gpg"
)
INPUT=""
for p in "${CAND[@]}"; do
[ -f "$p" ] && INPUT="$p" && break
done
[ -n "$INPUT" ] || die "Nicht gefunden: ${NAME}.gpg (in ~ oder ~/Downloads)."
# Ziele
OUT_TAR="$HOME/${NAME}" # z.B. ~/Verschlüsselt_SAP.tar.gz
STAMP="$(date +%F_%H%M%S)"
RESTORE="$HOME/Restore/${NAME}_${STAMP}"
mkdir -p "$HOME/Restore"
# Optionaler SHA-Check (pfadunabhängig vergleichen)
if [ -f "${INPUT}.sha256" ]; then
echo "🔎 Prüfe SHA256 ..."
exp="$(awk '{print $1}' "${INPUT}.sha256")"
act="$(sha256sum "$INPUT" | awk '{print $1}')"
if [ "$exp" = "$act" ]; then
echo "✅ SHA256 OK"
else
echo "⚠️ SHA256 Mismatch! Weiter mit Vorsicht."
fi
fi
# Modus abfragen
printf "Modus: [T]AR schreiben (Standard) / [E]ntpacken / [L]iste: "
read -r -n1 MODE || true; echo
MODE=${MODE:-T}
# Helfer-Funktionen (mit Loopback-Fallback)
decrypt_to_tar() {
gpg --decrypt "$INPUT" | tar -xz -C "$RESTORE" && return 0
echo "⚠️ Versuch mit loopback …"
gpg --pinentry-mode loopback --decrypt "$INPUT" | tar -xz -C "$RESTORE"
}
decrypt_to_file() {
gpg --output "$OUT_TAR" --decrypt "$INPUT" && return 0
echo "⚠️ Versuch mit loopback …"
gpg --pinentry-mode loopback --output "$OUT_TAR" --decrypt "$INPUT"
}
case "$MODE" in
L|l)
gpg --decrypt "$INPUT" | tar -tz || \
gpg --pinentry-mode loopback --decrypt "$INPUT" | tar -tz
;;
E|e)
mkdir -p "$RESTORE"
echo "📦 Entpacke nach: $RESTORE"
decrypt_to_tar
command -v notify-send >/dev/null && notify-send "✅ Entpackt" "$RESTORE"
echo "✅ Fertig: $RESTORE"
;;
T|t|*)
# Standard: entschlüsselte .tar.gz im HOME schreiben
[ -f "$OUT_TAR" ] && rm -f "$OUT_TAR"
echo "📝 Schreibe: $OUT_TAR"
decrypt_to_file
command -v notify-send >/dev/null && notify-send "✅ Entschlüsselt" "$OUT_TAR"
echo "✅ Fertig: $OUT_TAR"
;;
esac
🧰 Tools for True Owners (Advertising/Affiliate)
Tools I use myself — for Bitcoin self-custody and digital sovereignty:
-
Buy Bitcoin in Europe — 21bitcoin:
Bitcoin-only app from Europe, ideal for DCA and stacking sats regularly — no shitcoins.
Use code ALIENINVESTOR for a permanent 0.2 percentage point fee reduction on instant and savings plan purchases.
https://alien-investor.org/21bitcoin -
₿ Bitcoin in self-custody:
Hardware wallet instead of an exchange account. I use the BitBox — there's the classic BitBox02 and the new BitBox for iPhone (Nova).
https://alien-investor.org/bitbox -
Privacy & Mail:
For email, VPN, and cloud I use Proton — minimal data footprint and no Big Tech dependency.
https://alien-investor.org/proton
Disclosure: Some of these links are affiliate links. If you use them, you support my work at no extra cost to you. Thanks!