KISS

Keep It Simple Stupid

Encryption of a GnuCash file


Hello, today I’d like to write about a small thing I use to keep my GnuCash file secure (on a GNU/Linux platform). But first, for those who don’t know, GnuCash is a program for personal finance accounting. A little annoyance with it is that the application can’t protect its files with a password, so anyone can open your file and count the money.

The solution I selected is to encrypt the file with the help of external tools. I searched for how to do that and found a couple of posts (in Russian) that recommend using openssl. I made use of the information and created a bash script to simplify the encryption/decryption process:

Updated on Dec 16

A newer version is available here: link.

#!/bin/bash
# This is a script to work with an encrypted gnucash file. It asks for the
# password, decrypts the file, runs gnucash, and encrypts it back. Logs and
# backups are shredded at the end.
# Author: pluton 
# Version: 0.8 (Thu Dec 16 2010)
# License: GNU GPL 3

CP=/bin/cp
KDIALOG=/usr/bin/kdialog
OPENSSL=/usr/bin/openssl
GNUCASH=/usr/bin/gnucash
SHRED=/bin/shred
BASENAME=/usr/bin/basename

umask 077   # new files (the decrypted copy) are readable by the owner only

FILE=~/your_encrypted_file
FILETMP="${FILE}.tmp"
TIMEOUT=2   # seconds
TITLE=$($BASENAME "$0")

notify() {
    [ -n "$1" ] && text="$1" || text="?"
    $KDIALOG --passivepopup "$text" --title "$TITLE" $TIMEOUT
}

[ -e "$FILE" ] || { notify "File '$FILE' was not found"; exit 1; }

pass=$($KDIALOG --password "Enter the password /GC/")
[ "$pass" == "" ] && { notify "The password is empty"; exit 2; }

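# The password is piped to openssl (-pass stdin) instead of being given with
# -k, which would make it visible in the process list while openssl runs.
printf '%s\n' "$pass" | $OPENSSL enc -d -aes-256-cbc -pass stdin -in "$FILE" -out "$FILETMP" || \
    { $SHRED -zun 2 "$FILETMP"; notify "The password seems to be wrong"; exit 3; }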
$CP -f "$FILE" "${FILE}.bkp"
$GNUCASH "$FILETMP"
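# Same here: the password goes through a pipe, not through the command line.
printf '%s\n' "$pass" | $OPENSSL enc -e -aes-256-cbc -pass stdin -in "$FILETMP" -out "$FILE" || \
    { notify "An error occurred while encrypting (code #$?)"; exit 4; }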
unset pass
$SHRED -zun 2 "${FILETMP}"*
notify "Done"

Save the script, then “chmod +x” it. Also, you should prepare the encrypted file in the following way: run openssl enc -e -aes-256-cbc -in your_file -out your_encrypted_file in the terminal (substitute your own filenames for your_file and your_encrypted_file), enter the password that you’ll use to get access to the file, and delete the original file.

Basically, the script asks for the password, decrypts the $FILE file and backs it up, runs gnucash, and then encrypts the file again with the same password. The last command shreds all of GnuCash’s temporary files.

I use KDE4, that’s why the script launches kdialog to ask for the password.

IMHO, it’s a good approach to start with, although there is an issue: while gnucash is running, the decrypted file is available to any program. There should be a solution for this.
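The script's two openssl steps, reworked as an added example (it is not the author's script): the password reaches openssl on standard input rather than on its command line, the decrypted copy goes into a private directory, and the encrypted file is replaced only after encryption has succeeded. The names gc_decrypt, gc_encrypt and GC_CIPHER are made up for this example.

```shell
#!/bin/bash
# Added example, not the post's script. gc_decrypt, gc_encrypt and GC_CIPHER
# are hypothetical names.
umask 077                  # new files are readable by the owner only
GC_CIPHER=-aes-256-cbc     # same cipher as the post, so existing files still decrypt

# gc_decrypt PASSWORD ENCRYPTED_FILE
# Prints the path of the decrypted copy; returns 3 if decryption fails.
gc_decrypt() {
    local pass="$1" enc="$2" dir
    dir=$(mktemp -d) || return 1      # private directory (mode 0700), random name
    # printf is a shell builtin: the password travels through a pipe and never
    # shows up in a process argument list.
    if printf '%s\n' "$pass" | openssl enc -d "$GC_CIPHER" -pass stdin \
            -in "$enc" -out "$dir/plain"; then
        printf '%s\n' "$dir/plain"
    else
        rm -rf "$dir"                 # discard the partial output of a failed decrypt
        return 3
    fi
}

# gc_encrypt PASSWORD PLAIN_FILE ENCRYPTED_FILE
# Returns 4 if encryption fails; ENCRYPTED_FILE is then left untouched.
gc_encrypt() {
    local pass="$1" plain="$2" enc="$3" new="$3.new.$$"
    # Write to a sibling file and rename it over the old ciphertext only after
    # openssl succeeded, so a failure cannot truncate the existing file.
    if printf '%s\n' "$pass" | openssl enc -e "$GC_CIPHER" -pass stdin \
            -in "$plain" -out "$new"; then
        mv -f "$new" "$enc"
    else
        rm -f "$new"
        return 4
    fi
}
```

The private directory keeps other users away from the decrypted copy, but programs running under the same account can still read it while gnucash is open.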

Thanks for reading. If you have any questions, leave a comment.
