

Encrypted TMUX scripts for easy SSH keysends

Daniel Mayovsky


My friend has been working on an experiment in clustering four Raspberry Pis for a home file server. To connect to all of them at the same time in one tmux session window, he wrote a script that splits the window into four panes and then uses send-keys to type the ssh commands, each with the external IP address and port number (since there are four of them, four ports are needed), and the corresponding password for each machine.


Because a tmux script is just an .sh file, the passwords, IPs and ports are stored in it in plain text. I decided to create a little hack that makes the tmux script unreadable: only after a password is typed to "unlock" it can you run it, and even then you still can't read it. This is the solution I came to.


gpg encryption and piping the decrypted output to sh

    gpg -d --quiet "./scripts/" | sh


gpg is an encryption and signing tool. You can encrypt your files with a passphrase, sign files, check signatures, etc.
To encrypt a file with gpg you just run

    gpg -c

It will create a file called Which is an encrypted file of At this point, you can delete

Decrypting a file usually looks like this:

    gpg -d

It will create a file that is the decryption of our protected file. But you don't have to create a file: if you run gpg -d filename.gpg without an output filename, gpg writes the decrypted text to the terminal, the way echo would. That is what we need. Pipe that output into the shell and it will run the script.


Editing your script like this is a pain.

Hope this thing helps someone :)

Discussion (4)

Rob Hoelz

Neat hack! Out of curiosity, what made you decide to do this rather than use SSH keys and ssh-agent, and what inspired your friend to send the output via tmux send-keys rather than providing the command(s) to run on the ssh command line itself?
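
The SSH-key alternative raised in this comment, as an added example that is not part of the original post or the thread: a four-pane tmux plan whose ssh commands are given to tmux as pane commands with BatchMode=yes, so no password is stored or typed. The targets pi@pi.example.net:2201-2204, the session name picluster, and the helper names valid_target and build_plan are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: key-based variant of the four-pane tmux script.
# Nothing secret is stored here, so the file needs no encryption.
# All targets and the session name are constructed placeholders.
HOSTS="pi@pi.example.net:2201 pi@pi.example.net:2202 pi@pi.example.net:2203 pi@pi.example.net:2204"
SESSION="picluster"

# Accept only user@host:port built from a safe character set. The value is
# placed in a command string that tmux hands to a shell, so anything that
# could act as shell syntax or as an ssh option is refused.
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9@._:-]*) return 1 ;;
    esac
    dest=${1%:*}
    port=${1##*:}
    case "$dest" in *:*|*@*@*) return 1 ;; esac
    case "$dest" in ?*@?*) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the tmux commands for review instead of running them directly.
build_plan() {
    first=1
    for t in $HOSTS; do
        valid_target "$t" || { echo "rejected target: $t" >&2; return 1; }
        # BatchMode=yes: ssh never prompts for a password; it authenticates
        # with keys (for example from ssh-agent) or fails.
        cmd="ssh -o BatchMode=yes -p ${t##*:} ${t%:*}"
        if [ "$first" -eq 1 ]; then
            echo "tmux new-session -d -s $SESSION '$cmd'"
            first=0
        else
            echo "tmux split-window -t $SESSION '$cmd'"
            # Re-tile after each split so later panes still fit.
            echo "tmux select-layout -t $SESSION tiled"
        fi
    done
    echo "tmux attach-session -t $SESSION"
}

# Default is a dry run. RUN=1 executes the plan; eval is acceptable here only
# because every interpolated value passed valid_target above.
plan=$(build_plan) || exit 1
if [ "${RUN:-0}" = 1 ]; then eval "$plan"; else printf '%s\n' "$plan"; fi
```

Load the key into ssh-agent with ssh-add before running with RUN=1; a pane whose ssh command fails closes immediately.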

Daniel Mayovsky Author

Honestly, most of the setup is heavily underthought from his side. He first SSHes into his own local machine and from there into his Raspberry Pis, so the whole external IPs and ports is nonsense, since they are supposed to run on a cluster for an external world.

Second, I myself am unaware of ssh-agent. Will be from now :). In the long run it doesn't matter if he sends keys or provides an ssh command, he still has to type out a password in the script to avoid typing four different passwords for his cluster internally. This hack still makes sense since you are still running a Tmux script for ease of workflow, but have to avoid any display of information about the RPs inside of the script, hence this whole encryption hack.

Thanks for the info though :)

Rob Hoelz

I'm happy to have helped you learn about ssh-agent - it's such a useful tool!

pklapperich

I use cluster-ssh for stuff like this.
