Ubuntu - OpenSSL - Encrypt a file
Get a list of ciphers that OpenSSL supports
openssl enc -list
returns:
Supported ciphers: -aes-128-cbc -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-ofb -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-ofb -aes128 -aes128-wrap -aes192 -aes192-wrap -aes256 -aes256-wrap -aria-128-cbc -aria-128-cfb -aria-128-cfb1 -aria-128-cfb8 -aria-128-ctr -aria-128-ecb -aria-128-ofb -aria-192-cbc -aria-192-cfb -aria-192-cfb1 -aria-192-cfb8 -aria-192-ctr -aria-192-ecb -aria-192-ofb -aria-256-cbc -aria-256-cfb -aria-256-cfb1 -aria-256-cfb8 -aria-256-ctr -aria-256-ecb -aria-256-ofb -aria128 -aria192 -aria256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ctr -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ctr -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ctr -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -chacha20 -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ecb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ecb -des-ede3-ofb -des-ofb -des3 -des3-wrap -desx -desx-cbc -id-aes128-wrap -id-aes128-wrap-pad -id-aes192-wrap -id-aes192-wrap-pad -id-aes256-wrap -id-aes256-wrap-pad -id-smime-alg-CMS3DESwrap -rc2 -rc2-128 -rc2-40 -rc2-40-cbc -rc2-64 -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb -sm4 -sm4-cbc -sm4-cfb -sm4-ctr -sm4-ecb -sm4-ofb
Encrypt a file using aes256
openssl enc -aes256 -salt -in test1.txt -out test1.enc
NOTE: The -salt option should ALWAYS be used if the key is being derived from a password (current OpenSSL releases salt by default, but spell it out so the intent survives copy and paste).
Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data.
The reason for this is that without the salt the same password always generates the same encryption key, so identical files encrypt to identical ciphertext and one precomputed table of keys cracks every file encrypted with that password.
When the salt is being used the encrypted file starts with the 8-byte magic string "Salted__" followed by the 8-byte salt: the salt is generated at random when encrypting a file and read back from the encrypted file when it is decrypted.
NOTE: Without -pbkdf2 (or -iter) the key is derived with OpenSSL's legacy EVP_BytesToKey scheme, a single digest pass that an attacker can test at millions of guesses per second. OpenSSL 1.1.1 and later print "*** WARNING : deprecated key derivation used." for the command above; add -pbkdf2 -iter N as shown further down.
Decrypt a file that was encrypted using aes256
openssl enc -aes256 -d -in test1.enc -out test2.txt
Encrypt with base64-encoded output
openssl enc -aes256 -a -e -salt -in test1.txt -out test1.enc
NOTE: Same as for standard encryption, but with the -a option, which base64-encodes the ciphertext so it can be pasted into text (mail, a ticket, a config file) instead of being shipped as a binary file.
Decrypt a file that was encrypted with base64-encoded output
openssl enc -aes256 -d -a -in test1.enc -out test2.txt
NOTE: Same as for standard decryption, but with the -a option. Without -a openssl tries to read the base64 text as raw ciphertext and fails with "bad magic number".
Encrypt (interactive: openssl prompts for the password and asks you to verify it)
openssl enc -aes-256-cbc -salt -iter 29 -in file.txt -out file.txt.enc
NOTE: The plaintext goes in with -in and the ciphertext comes out with -out. Leaving out -k and -pass is what makes the command interactive; -k PASS (obsolete, same as -pass pass:PASS) puts the password on the command line.
NOTE: The iteration count is for PBKDF2 (-iter implies -pbkdf2), the key derivation designed to make password cracking much harder: every guess costs the attacker that many HMAC computations.
Using a low iteration count like 29 is not very useful.
The count should be made as large as you can without it becoming too annoying (1 to 2 seconds of derivation on the slowest machine that will have to decrypt).
The current default of 10000 was far too low even when it was released; 500000 or higher is better.
The count is not stored in the encrypted file, so the decrypt command must pass the same -iter value (and the same -md digest, sha256 by default); otherwise decryption fails with "bad decrypt".
Decrypt (interactive: openssl prompts for the password)
openssl enc -aes-256-cbc -d -iter 29 -in file.txt.enc -out file.txt
Encrypt (non-interactive)
openssl enc -aes-256-cbc -salt -iter 29 -in file.txt -out file.txt.enc -pass pass:mysecret
Decrypt (non-interactive)
openssl enc -aes-256-cbc -d -iter 29 -in file.txt.enc -out file.txt -pass pass:mysecret
NOTE: -pass pass:mysecret exposes the password to anyone who can run ps, and it lands in the shell history. In scripts prefer -pass env:VARNAME, -pass file:/path/to/passfile (mode 0600) or -pass fd:N, which openssl accepts in the same place.
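The sections above put together as one runnable bash script. This is an added example, not code from the original page: it encrypts and decrypts with PBKDF2, checks the "Salted__" header, shows that the random salt gives different ciphertext for the same password and file, round-trips the base64 (-a) form, and shows what happens with a wrong password. The function names (enc_file, dec_file, enc_file_b64, dec_file_b64, has_salt_header, run_checks), the ENC_PASS and ITER variables and the sample plaintext and password are assumptions of this example; it assumes OpenSSL 1.1.1 or newer (for -pbkdf2/-iter), bash, and coreutils/diffutils for mktemp, head and cmp.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: "openssl enc" with PBKDF2,
# plus the checks a practitioner wants before trusting the commands.
# Assumes OpenSSL 1.1.1 or newer (-pbkdf2/-iter), bash, and coreutils/diffutils.
set -euo pipefail

# PBKDF2-HMAC-SHA256 iteration count. Assumption: raise it until one key
# derivation takes about a second on the slowest machine that has to decrypt.
ITER="${ITER:-500000}"

# Encrypt $1 -> $2. The password is read from the ENC_PASS environment
# variable (-pass env:), so it never shows up in "ps" or shell history the way
# -k PASS / -pass pass:PASS do.
enc_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -md sha256 \
        -pass env:ENC_PASS -in "$1" -out "$2"
}

# Decrypt $1 -> $2. -pbkdf2, -iter and -md must match the encrypt side:
# only the salt is stored in the file, not the iteration count or digest.
dec_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter "$ITER" -md sha256 \
        -pass env:ENC_PASS -in "$1" -out "$2"
}

# Same pair with -a: the ciphertext is base64 text that survives mail/tickets.
enc_file_b64() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -md sha256 -a \
        -pass env:ENC_PASS -in "$1" -out "$2"
}
dec_file_b64() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter "$ITER" -md sha256 -a \
        -pass env:ENC_PASS -in "$1" -out "$2"
}

# A salted "openssl enc" file begins with the 8-byte magic "Salted__" followed
# by the 8 random salt bytes; in base64 form the magic reads "U2FsdGVk".
has_salt_header()     { [ "$(head -c 8 "$1")" = "Salted__" ]; }
has_salt_header_b64() { [ "$(head -c 8 "$1")" = "U2FsdGVk" ]; }

# All checks on constructed sample data, working in directory $1.
checks_in() {
    local d="$1"
    printf 'constructed sample plaintext, line 1\nline 2\n' > "$d/plain.txt"
    export ENC_PASS='correct horse battery staple'   # sample password

    enc_file "$d/plain.txt" "$d/a.enc" || return 1
    enc_file "$d/plain.txt" "$d/b.enc" || return 1
    # 1. salt header present
    has_salt_header "$d/a.enc" || return 1
    # 2. random salt: same password and plaintext, different ciphertext
    ! cmp -s "$d/a.enc" "$d/b.enc" || return 1
    # 3. binary round trip restores the plaintext byte for byte
    dec_file "$d/a.enc" "$d/out.txt" || return 1
    cmp -s "$d/plain.txt" "$d/out.txt" || return 1
    # 4. base64 round trip
    enc_file_b64 "$d/plain.txt" "$d/a.b64" || return 1
    has_salt_header_b64 "$d/a.b64" || return 1
    dec_file_b64 "$d/a.b64" "$d/out_b64.txt" || return 1
    cmp -s "$d/plain.txt" "$d/out_b64.txt" || return 1
    # 5. wrong password: normally "bad decrypt" because the PKCS#7 padding
    #    check fails, but CBC is unauthenticated, so roughly 1 wrong key in
    #    256 yields valid-looking padding and garbage output. Either way the
    #    original plaintext must not come back.
    if ENC_PASS='wrong password' dec_file "$d/a.enc" "$d/bad.txt" 2>/dev/null; then
        ! cmp -s "$d/plain.txt" "$d/bad.txt" || return 1
    fi
}

# Returns 0 if every check passes, 1 otherwise; always removes the temp dir.
run_checks() {
    local d rc=0
    d="$(mktemp -d)"
    checks_in "$d" || rc=1
    rm -rf "$d"
    return "$rc"
}

run_checks && echo "all checks passed (ITER=$ITER)"
```

Check 5 is the caveat worth remembering: openssl enc provides confidentiality only. It refuses AEAD modes ("AEAD ciphers not supported" for -aes-256-gcm), and with CBC the only thing that catches a wrong key or a corrupted or tampered file is the padding check, which a small fraction of bad inputs passes. If integrity matters, store a MAC or signature over the .enc file alongside it and verify that before decrypting.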