Hello, today I’d like to write about a small thing I use to keep my GnuCash file secure (on a GNU/Linux platform). But first, for those who don’t know, GnuCash is a program for personal finance accounting. A little annoyance with it is that the application can’t protect its files with a password, so anyone may open your file and count the money.
The solution I selected is to encrypt the file with the help of external tools. I searched for how to do that and found a couple of posts (in Russian) that recommend using openssl. I made use of the information and created a bash script to simplify the encryption/decryption process:
#!/bin/bash

# This is a script to work with an encrypted gnucash file. It asks for the
# password, decrypts the file, runs gnucash, and encrypts it back. Logs and
# backups are shredded at the end.

# Author: pluton
# Version: 0.8 (Thu Dec 16 2010)
# License: GNU GPL 3

CP=/bin/cp
KDIALOG=/usr/bin/kdialog
OPENSSL=/usr/bin/openssl
GNUCASH=/usr/bin/gnucash
SHRED=/bin/shred
BASENAME=/usr/bin/basename

FILE=~/your_encrypted_file
FILETMP="${FILE}.tmp"
TIMEOUT=2 # seconds
TITLE=$($BASENAME "$0")

# Show a passive KDE popup with the given text
notify() {
    [ -n "$1" ] && text="$1" || text="?"
    $KDIALOG --passivepopup "$text" --title "$TITLE" $TIMEOUT
}

[ -e "$FILE" ] || { notify "File '$FILE' was not found"; exit 1; }

pass=$($KDIALOG --password "Enter the password /GC/")
[ "$pass" == "" ] && { notify "The password is empty"; exit 2; }

# Decrypt into the temporary file
$OPENSSL enc -d -aes-256-cbc -k "$pass" -in "$FILE" -out "$FILETMP" || \
    { notify "The password seems to be wrong"; exit 3; }

# Keep a backup of the encrypted file
$CP -f "$FILE" "${FILE}.bkp"

$GNUCASH "$FILETMP"

# Encrypt the edited file back with the same password
$OPENSSL enc -e -aes-256-cbc -k "$pass" -in "$FILETMP" -out "$FILE" || \
    { notify "An error occurred while encoding (code #$?)"; exit 4; }

unset pass
# Shred the decrypted file and GnuCash's temporary files next to it
$SHRED -zun 2 "${FILETMP}"*
notify "Done"
Save the script, then “chmod +x” it. You should also prepare the encrypted file as follows. Run openssl enc -e -aes-256-cbc -in your_file -out your_encrypted_file in the terminal (substitute your_file and your_encrypted_file with your filenames), enter the password that you’ll use to access the file, and delete the original file.
Basically, the script asks for the password, decrypts the $FILE file and backs it up, runs gnucash, and then encrypts it again with the same password. The last command shreds all of GnuCash’s temporary files.
I use KDE4, that’s why the script launches kdialog to ask for the password.
IMHO, it’s a good approach to start with, although there is an issue: while gnucash is running, the decrypted file is available to any program. There should be a solution for this.
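One way to narrow the exposure described above, as an added example that is not the author's script: the passphrase goes to openssl on stdin instead of through -k, and the plaintext lives in a private work directory, so other local users can read neither (programs running as the same user still can while GnuCash is open). The function names are hypothetical, OpenSSL 1.1.1 or later is assumed for -pbkdf2, and a file encrypted with the command shown earlier has to be re-encrypted once with -pbkdf2 before it decrypts here.

```shell
#!/bin/bash
# Added example, not the author's script; function names are hypothetical.
# Assumes OpenSSL 1.1.1 or later (-pbkdf2) plus coreutils mktemp and shred.
OPENSSL=${OPENSSL:-openssl}

# gc_crypt -e|-d <passphrase> <in> <out>
# The passphrase is sent on stdin by the printf builtin, so it never appears
# in a process argument list (which `ps` shows to every local user, as with -k).
gc_crypt() {
    printf '%s\n' "$2" |
        "$OPENSSL" enc "$1" -aes-256-cbc -pbkdf2 -pass stdin -in "$3" -out "$4"
}

# Private 0700 work directory, in the per-user runtime dir when one is set.
gc_workdir() {
    (umask 077; mktemp -d "${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/gnucash.XXXXXX")
}

# gc_session <passphrase> <encrypted file> <editor command...>
# Returns 0 on success, 1 no work dir, 3 decryption failed, 4 re-encryption failed.
gc_session() {
    local pass="$1" enc="$2" dir plain rc=0
    shift 2
    dir=$(gc_workdir) || return 1
    plain="$dir/book.gnucash"
    if gc_crypt -d "$pass" "$enc" "$plain" 2>/dev/null; then
        "$@" "$plain" || echo "editor exited with status $?" >&2
        # Encrypt to a new file and rename it into place, so a failed
        # encryption cannot truncate the only good copy.
        if gc_crypt -e "$pass" "$plain" "$enc.new"; then
            cp -f "$enc" "$enc.bkp" && mv -f "$enc.new" "$enc" || rc=4
        else
            rm -f "$enc.new"
            rc=4
        fi
    else
        rc=3
    fi
    # Shred whatever plaintext and GnuCash side files remain, then drop the dir.
    find "$dir" -type f -exec shred -zun 2 {} + 2>/dev/null
    rm -rf "$dir"
    return "$rc"
}
```

In the original script's flow this would be called as gc_session "$pass" "$FILE" "$GNUCASH" after the kdialog prompt.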
Thanks for reading. If you have any questions, leave a comment.