====== Ubuntu - OpenSSL - Encrypt a file ======

===== Get a list of ciphers that OpenSSL supports =====

<code bash>
openssl enc -list
</code>

returns:

<code>
Supported ciphers:
-aes-128-cbc      -aes-128-cfb      -aes-128-cfb1     -aes-128-cfb8     -aes-128-ctr      -aes-128-ecb      -aes-128-ofb
-aes-192-cbc      -aes-192-cfb      -aes-192-cfb1     -aes-192-cfb8     -aes-192-ctr      -aes-192-ecb      -aes-192-ofb
-aes-256-cbc      -aes-256-cfb      -aes-256-cfb1     -aes-256-cfb8     -aes-256-ctr      -aes-256-ecb      -aes-256-ofb
-aes128           -aes128-wrap      -aes192           -aes192-wrap      -aes256           -aes256-wrap
-aria-128-cbc     -aria-128-cfb     -aria-128-cfb1    -aria-128-cfb8    -aria-128-ctr     -aria-128-ecb     -aria-128-ofb
-aria-192-cbc     -aria-192-cfb     -aria-192-cfb1    -aria-192-cfb8    -aria-192-ctr     -aria-192-ecb     -aria-192-ofb
-aria-256-cbc     -aria-256-cfb     -aria-256-cfb1    -aria-256-cfb8    -aria-256-ctr     -aria-256-ecb     -aria-256-ofb
-aria128          -aria192          -aria256
-bf               -bf-cbc           -bf-cfb           -bf-ecb           -bf-ofb           -blowfish
-camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ctr -camellia-128-ecb -camellia-128-ofb
-camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ctr -camellia-192-ecb -camellia-192-ofb
-camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ctr -camellia-256-ecb -camellia-256-ofb
-camellia128      -camellia192      -camellia256
-cast             -cast-cbc         -cast5-cbc        -cast5-cfb        -cast5-ecb        -cast5-ofb
-chacha20
-des              -des-cbc          -des-cfb          -des-cfb1         -des-cfb8         -des-ecb
-des-ede          -des-ede-cbc      -des-ede-cfb      -des-ede-ecb      -des-ede-ofb
-des-ede3         -des-ede3-cbc     -des-ede3-cfb     -des-ede3-cfb1    -des-ede3-cfb8    -des-ede3-ecb     -des-ede3-ofb
-des-ofb          -des3             -des3-wrap        -desx             -desx-cbc
-id-aes128-wrap   -id-aes128-wrap-pad -id-aes192-wrap -id-aes192-wrap-pad -id-aes256-wrap -id-aes256-wrap-pad
-id-smime-alg-CMS3DESwrap
-rc2              -rc2-128          -rc2-40           -rc2-40-cbc       -rc2-64           -rc2-64-cbc       -rc2-cbc          -rc2-cfb          -rc2-ecb          -rc2-ofb
-rc4              -rc4-40
-seed             -seed-cbc         -seed-cfb         -seed-ecb         -seed-ofb
-sm4              -sm4-cbc          -sm4-cfb          -sm4-ctr          -sm4-ecb          -sm4-ofb
</code>

----

===== Encode a file using aes256 =====

<code bash>
openssl enc -aes256 -salt -in test1.txt -out test1.enc
</code>

**NOTE:** The **-salt** option should ALWAYS be used if the key is being derived from a password. Without the **-salt** option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

----

===== Decode a file that was encrypted using aes256 =====

<code bash>
openssl enc -aes256 -d -in test1.enc -out test2.txt
</code>

----

===== Encrypt using base64 =====

<code bash>
openssl enc -aes256 -a -e -salt -in test1.txt -out test1.enc
</code>

**NOTE:** Same as for standard encoding, but with the **-a** option.

----

===== Decrypt a file that was encrypted using base64 =====

<code bash>
openssl enc -aes256 -d -a -in test1.enc -out test2.txt
</code>

**NOTE:** Same as for standard decoding, but with the **-a** option.

----

===== Encrypt (interactive) =====

<code bash>
openssl enc -aes-256-cbc -in file.txt -out file.txt.enc -iter 29
</code>

You will be prompted for the password.

**NOTE:** The iteration count is for the PBKDF2 key-derivation function, which is designed to make password cracking much harder. Using a low iteration count like 29 is not very useful. The count should be made as large as you can without it becoming too annoying (1 to 2 seconds of iteration). The current default of 10000 is far too low, and already was when it was released! 500000 or higher is better.

----

===== Decrypt (interactive) =====

<code bash>
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -iter 29
</code>

----

===== Encrypt (non-interactive) =====

<code bash>
openssl enc -aes-256-cbc -in file.txt -out file.txt.enc -iter 29 -pass pass:mysecret
</code>

----

===== Decrypt (non-interactive) =====

<code bash>
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -iter 29 -pass pass:mysecret
</code>
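The following script is an added example, not part of the original page, that puts the commands above together with the settings the notes recommend: **-salt**, PBKDF2 and a 500000 iteration count. It round-trips a constructed plaintext through ''openssl enc'', checks that the encrypted file starts with the ''Salted__'' marker that precedes the random salt, and shows that encrypting the same plaintext twice with the same password gives different ciphertext (which is exactly what the salt is for). It assumes OpenSSL 1.1.1 or later on the PATH (older releases do not accept **-pbkdf2** / **-iter**); the function names, the ''ITER'' variable and the sample password are the example's own.

```shell
#!/bin/sh
# Added example: wrappers around "openssl enc" using the page's recommended settings.
# Assumes OpenSSL >= 1.1.1 (needed for -pbkdf2 / -iter). All names here are illustrative.

ITER=500000   # PBKDF2 iteration count; the page recommends 500000 or higher

# encrypt_file <plaintext> <ciphertext> <password>
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
    -in "$1" -out "$2" -pass "pass:$3"
}

# decrypt_file <ciphertext> <plaintext> <password>
decrypt_file() {
  openssl enc -aes-256-cbc -d -pbkdf2 -iter "$ITER" \
    -in "$1" -out "$2" -pass "pass:$3"
}

# has_salt_header <ciphertext>: succeeds when the file starts with the 8-byte
# "Salted__" magic that -salt writes in front of the random salt.
has_salt_header() {
  [ "$(head -c 8 "$1")" = "Salted__" ]
}

# roundtrip_ok <password>: encrypt a constructed plaintext, check the salt
# header, decrypt with the same password and compare byte for byte.
roundtrip_ok() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed sample plaintext\n' > "$tmp/plain.txt"
  encrypt_file "$tmp/plain.txt" "$tmp/plain.enc" "$1" || { rm -rf "$tmp"; return 1; }
  has_salt_header "$tmp/plain.enc"                    || { rm -rf "$tmp"; return 1; }
  decrypt_file "$tmp/plain.enc" "$tmp/out.txt" "$1"   || { rm -rf "$tmp"; return 1; }
  cmp -s "$tmp/plain.txt" "$tmp/out.txt"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# same_password_differs <password>: two encryptions of the same plaintext with
# the same password must not produce the same ciphertext, because each run
# draws a fresh salt and therefore a fresh key and IV.
same_password_differs() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed sample plaintext\n' > "$tmp/plain.txt"
  encrypt_file "$tmp/plain.txt" "$tmp/a.enc" "$1" || { rm -rf "$tmp"; return 1; }
  encrypt_file "$tmp/plain.txt" "$tmp/b.enc" "$1" || { rm -rf "$tmp"; return 1; }
  if cmp -s "$tmp/a.enc" "$tmp/b.enc"; then rc=1; else rc=0; fi
  rm -rf "$tmp"
  return $rc
}

# Stand-alone run: report the two checks.
if [ "${0##*/}" != "sh" ] && [ -z "$OPENSSL_ENC_EXAMPLE_NO_MAIN" ]; then
  roundtrip_ok 'correct horse battery staple' && echo "round trip: ok"
  same_password_differs 'correct horse battery staple' && echo "salt randomises ciphertext: ok"
fi
```

Note that ''openssl enc'' gives confidentiality only: a wrong password is normally reported as "bad decrypt" because the CBC padding fails to validate, but there is no authentication tag, so a modified ciphertext is not reliably detected. When integrity matters, pair the encrypted file with a separate MAC or signature, or use a tool that provides authenticated encryption.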