#!/usr/bin/env bash
# Decrypt a base64-encoded AES-256-CBC ciphertext produced by encrypt.sh.
# Usage: decrypt.sh <ciphertext> <passphrase>

# -d         : decrypt mode (reverse of encryption)
# -a         : base64-decode the input first; must mirror the -a used at encrypt time
# -pbkdf2    : derive the symmetric key via PBKDF2 rather than the deprecated EVP_BytesToKey;
#              openssl will error if this flag doesn't match what was used to encrypt
# -pass pass : accept the passphrase directly from the CLI argument $2
echo $1 | openssl aes-256-cbc -d -a -pbkdf2 -pass pass:$2