I know that it's possible to chat in the Linux terminal using netcat. I want to know whether it is possible to encrypt the netcat communications.
I did chat by listening on PC-1
nc -l 1234
And connecting to my IP on the other machine.
nc $IP 1234
It's possible - however I don't think nc does this itself: echo "Words" | gpg -e will produce an encrypted version on stdout; you can specify a receiving user as per usual.
If you pipe this to another copy of gpg as gpg -d then it asks for a passphrase - this will be remembered for a period, so enabling a conversation.
Therefore, echo "words" | gpg -e | nc target 4321 will send, and nc -l 4321 | gpg -d will listen.
Also, see this question which is similar.
TL;DR:
Have destination listen on port 12345:
nc -l 12345 | gpg --decrypt --batch --passphrase "MySuperSecret123" > output.file
Have sender send data to destination port 12345:
cat MyFile | gpg --symmetric --cipher-algo AES256 --batch --passphrase "MySuperSecret123" | nc destination.server.tld 12345
LONG VERSION
Here's a solution I use to copy raw hard disks over netcat (can also be used for physical to virtual operations in Linux, or raw VM copy).
I usually boot the source from a live CD when I need to read its disks; the live CD sometimes lacks an openssl binary, but it always comes with a gpg binary.
Of course, when using netcat over the internet, I want my data to be at least encrypted with a goodenough(TM) encryption algorithm:
Setup destination side:
nc -l 8888 | gpg --decrypt --batch --passphrase "MySuperSecret123" | zstd -d | pv > output.file
Explanation:
Note: pv is a program that gives pipe statistics. If not present, just remove it.
on my sender side:
dd if=/dev/sda status=progress | zstd --fast -T0 | gpg --compression-algo none --symmetric --cipher-algo AES256 --batch --passphrase "MySuperSecret123" | nc destination.server.tld 8888
More performance, sir?
GPG is available almost everywhere. If you have openssl available, it will probably speed up the encryption / decryption process by a lot.
On destination side, run:
nc -l <port> | openssl enc -aes-256-cbc -pbkdf2 -d -k "MySuperSecretPassword" | zstd -d | pv > sda.raw
On sender side, run this:
dd if=/dev/sda status=progress | zstd --fast -T0 | openssl enc -aes-256-cbc -pbkdf2 -k "MySuperSecretPassword" | nc <destination> <port>
Again, more performance, sir?
On some occasions, like zfs send/recv, there might be IO bottlenecks, mainly on the receiver side.
Replacing netcat with mbuffer might be helpful here, as it will buffer IO instead of letting sender wait.
Here's an example of using mbuffer with a 1GB data buffer and 128k send/receive buffer:
On destination side, replace nc -l 1234 with mbuffer -s 128k -m 1G -4 -l 1234
On sender side, replace nc dest.server.tld 1234 with mbuffer -s 128k -m 1G -O dest.server.tld:1234
On a zfs transfer, I could go from 2Gbit/s to 3.5Gbit/s using mbuffer instead of netcat.
Security
On both sender and destination, you should disable bash history or at least remove it afterwards with history -c so nobody will find your (one time) password.
As of this writing (2023), the AES-256 encryption used by both GPG (since v2.1) and openssl seems fine according to security researchers. This information won't always be true.
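Building on the openssl variant and the history warning above, here is an added example (not part of the original answers) that keeps the passphrase off the command line entirely by handing it to openssl through file descriptor 3, and verifies the decrypted output byte for byte. It assumes an openssl CLI that supports `-pbkdf2` (1.1.1 or later); the two ends are joined by a local pipe so it runs on one host, with the `nc` hop left out.

```shell
#!/usr/bin/env bash
# Added example, not from the answers above: same AES-256-CBC + PBKDF2 pipeline,
# but the passphrase is read from fd 3 (-pass fd:3) instead of being typed into
# the command line, so it never appears in `ps`, /proc/*/cmdline or shell history.
# On a real transfer, put `nc` between encrypt_stream and decrypt_stream as in the answer.
set -eu

# Sender side: encrypt stdin to stdout. Explicit iteration count so both ends
# derive the same key; -salt makes every run produce different ciphertext.
encrypt_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass fd:3
}

# Receiver side: decrypt stdin to stdout with identical parameters.
decrypt_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -d -pass fd:3
}

# Round-trip $1 (input file) through both ends using the passphrase in file $2.
# Returns 0 only if the decrypted output is byte-identical to the input.
roundtrip_ok() {
    infile="$1"; passfile="$2"
    out="$(mktemp)"
    # Each openssl process gets its own fd 3 opened on the passphrase file.
    encrypt_stream 3<"$passfile" <"$infile" | decrypt_stream 3<"$passfile" >"$out"
    if cmp -s "$infile" "$out"; then rm -f "$out"; return 0; fi
    rm -f "$out"; return 1
}

# Constructed demo data (not a real disk image) and a constructed passphrase file.
demo_dir="$(mktemp -d)"
seq 1 2000 > "$demo_dir/sda.raw"
printf 'constructed-passphrase-change-me\n' > "$demo_dir/pass"
chmod 600 "$demo_dir/pass"   # the passphrase file is the secret now, so lock it down
if roundtrip_ok "$demo_dir/sda.raw" "$demo_dir/pass"; then
    echo "round trip OK: decrypted output matches input"
fi
rm -rf "$demo_dir"
```

Clearing history is still worthwhile, but with `-pass fd:3` (or `-pass file:`/`env:`) there is no passphrase on the command line to find in the first place.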
By itself netcat doesn't have encryption or authentication controls, so while the traffic could be encrypted via OpenSSL or GnuPG with some clever piping and a bit of looping on the listening side, if you're on an untrustworthy network you might lose the race condition to read using it, and netcat doesn't allow multiple clients without clever scripting... but I'm not here to bash a tool but instead to notify you of a Bash tool ;-)
Note it's very experimental and you should really check out the Travis-CI build log to find out exactly what it does; hint: open a second window/tab and follow along with the travis.yml-enabled scripts to see every working/tested feature developed so far.
Second hint: the following command examples work better, in my experience, for encrypting random strings.
Var_input="$@"
Var_gpg_opts="--armor --batch --no-tty --recipient user@host.domain --encrypt"
Var_log_file="${PWD}/output.enc"
## Output to terminal
cat <<<"${Var_input}" | gpg ${Var_gpg_opts}
## Save output to file
cat <<<"${Var_input}" | gpg ${Var_gpg_opts} >> "${Var_log_file}"
However, decryption of multi-armored output file is a bit trickier... so here's the link to the script written for that because it's a bit too long to post here.