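#!/usr/bin/env bash
# Encrypt a plaintext string with AES-256-CBC and output base64-encoded ciphertext.
# Usage: encrypt.sh <plaintext> <passphrase>
# The result can be decrypted with decrypt.sh using the same passphrase.
#
# Security notes:
#   * Both arguments arrive on this script's command line, so they can end up
#     in shell history and are visible in the process list while the script
#     runs. The passphrase is handed to openssl through the environment rather
#     than as "pass:<value>" so it does not also appear in openssl's argv.
#   * CBC gives confidentiality only: the output carries no MAC, so a modified
#     ciphertext is not detected on decryption. Where tampering matters, verify
#     integrity separately (e.g. an HMAC over the ciphertext) before decrypting.
#   * -pbkdf2 runs with openssl's default iteration count; -iter N raises the
#     cost, but decrypt.sh must then be given the same value.
#
# openssl options:
#   -a      : base64-encode the binary ciphertext so the result is
#             printable/copy-pasteable
#   -salt   : prepend a random 8-byte salt to prevent identical plaintexts from
#             producing identical outputs (thwarts rainbow-table attacks)
#   -pbkdf2 : derive the key via PBKDF2 (Password-Based Key Derivation
#             Function 2); more resistant to brute-force than the deprecated
#             EVP_BytesToKey default
#   -pass env:ENCRYPT_PASSPHRASE
#           : read the passphrase from that environment variable, which is set
#             from $2 for the openssl process only (avoids an interactive prompt)
set -euo pipefail

if (( $# != 2 )); then
  printf 'Usage: %s <plaintext> <passphrase>\n' "${0##*/}" >&2
  exit 2
fi

# A missing or empty passphrase used to fall through to "pass:" and silently
# encrypt under an empty passphrase; refuse instead.
if [[ -z "$2" ]]; then
  printf '%s: passphrase must not be empty\n' "${0##*/}" >&2
  exit 2
fi

# printf with a quoted argument keeps the plaintext byte-for-byte: no word
# splitting, no glob expansion, and no misreading of a leading "-n"/"-e" as an
# echo option. The trailing newline matches what echo emitted before.
printf '%s\n' "$1" |
  ENCRYPT_PASSPHRASE=$2 openssl aes-256-cbc -a -salt -pbkdf2 \
    -pass env:ENCRYPT_PASSPHRASE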