How to Securely Encrypt and Decrypt Files using OpenSSL

OpenSSL is an open-source software library that provides secure communications over computer networks and is widely used for implementing encryption and decryption for various purposes. In this tutorial, you will learn how to encrypt and decrypt files using OpenSSL on the command line.

Step 1: Install OpenSSL

OpenSSL is typically installed on most Unix-based systems, including Linux and macOS. To verify if OpenSSL is installed on your system, run the following command in the terminal:

$ openssl version
LibreSSL 3.3.6

If OpenSSL is not installed on your system, you can install it using your system’s package manager. For example, on a Debian-based Linux distribution, you can install OpenSSL using the following command:

sudo apt-get install openssl

Step 2: Encrypting a File

To encrypt a file using OpenSSL, you can use the following command:

openssl enc -aes-256-cbc -salt -in [plaintext_file] -out [encrypted_file]

In this command:

  • enc specifies that you want to use the encryption feature of OpenSSL.
  • -aes-256-cbc specifies the encryption algorithm to use: AES with a 256-bit key in CBC mode, a secure choice. As an alternative, -aes-256-ctr (AES-256 in counter mode) is also highly recommended.
  • -salt tells OpenSSL to generate a random salt and mix it into the key derivation, so the same password does not always produce the same key (this is the default, as the quick reference below notes).
  • -in [plaintext_file] specifies the input file to encrypt.
  • -out [encrypted_file] specifies the output file that will contain the encrypted data.

The encryption process will prompt you to enter a password, from which the encryption key is derived. This same password will be required to decrypt the file later.

Step 3: Decrypting a File

To decrypt a file using OpenSSL, you can use the following command:

openssl enc -d -aes-256-cbc -in [encrypted_file] -out [decrypted_file]

In this command:

  • enc specifies that you want to use the encryption feature of OpenSSL.
  • -d specifies that you want to decrypt the file.
  • -aes-256-cbc specifies the encryption algorithm to use.
  • -in [encrypted_file] specifies the input file to decrypt.
  • -out [decrypted_file] specifies the output file that will contain the decrypted data.

The decryption process will prompt you to enter the password that was used to encrypt the file. If the password is correct, the file will be decrypted and the decrypted data will be written to the output file.
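The two steps above combined into one script, as an added example that is not part of the original tutorial: it encrypts a constructed sample file, decrypts it, and checks the round trip, the salted header, and that a wrong password cannot recover the plaintext. It assumes an openssl binary on PATH that accepts the -pbkdf2, -iter and -pass options listed in the quick reference below.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes `openssl` is on PATH
# and accepts -pbkdf2/-iter/-pass (OpenSSL 1.1.1+ or LibreSSL 3.x).
set -eu

WORK=$(mktemp -d)          # scratch directory for the constructed sample files
trap 'rm -rf "$WORK"' EXIT

# enc_file PLAINTEXT CIPHERTEXT PASSWORD_FILE
# -salt       : random 8-byte salt mixed into key derivation (stored in the header)
# -pbkdf2/-iter: derive the key with PBKDF2 instead of the legacy one-pass digest
# -pass file: : read the password from a file instead of an interactive prompt
enc_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
    -pass "file:$3" -in "$1" -out "$2"
}

# dec_file CIPHERTEXT PLAINTEXT PASSWORD_FILE: same options plus -d
dec_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
    -pass "file:$3" -in "$1" -out "$2"
}

# Returns 0 when encrypt-then-decrypt reproduces the constructed plaintext exactly.
roundtrip_ok() {
  printf 'constructed sample plaintext, line 1\nline 2\n' > "$WORK/plain.txt"
  printf 'correct horse battery staple\n' > "$WORK/pw.txt"
  enc_file "$WORK/plain.txt" "$WORK/plain.enc" "$WORK/pw.txt"
  dec_file "$WORK/plain.enc" "$WORK/plain.dec" "$WORK/pw.txt"
  cmp -s "$WORK/plain.txt" "$WORK/plain.dec"
}

# Returns 0 when a wrong password does not yield the plaintext. openssl normally
# reports "bad decrypt" (the padding check fails); in the rare case the padding
# happens to pass, the output is still garbage, so compare instead of trusting
# the exit code alone.
wrong_password_rejected() {
  printf 'not the password\n' > "$WORK/wrong.txt"
  dec_file "$WORK/plain.enc" "$WORK/wrong.dec" "$WORK/wrong.txt" 2>/dev/null || true
  ! cmp -s "$WORK/plain.txt" "$WORK/wrong.dec"
}

# Returns 0 when the ciphertext starts with the "Salted__" magic that -salt writes.
has_salted_header() {
  [ "$(head -c 8 "$WORK/plain.enc")" = "Salted__" ]
}

# Note: enc gives confidentiality only; CBC output carries no integrity tag, so
# a modified ciphertext is not reliably detected by decryption alone.
```

Run the functions in order (roundtrip_ok first, since it creates the sample files); each returns 0 on success and non-zero on failure.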

Another cipher that is highly recommended and secure, in addition to -aes-256-cbc and -aes-256-ctr, is -chacha (listed in the quick reference below). ChaCha operates as a stream cipher and is known for its high speed.

Troubleshooting

-aes-256-gcm reports bad decrypt error

I tried using GCM mode, but it resulted in a “bad decrypt” error, as illustrated below:

$ openssl enc -aes-256-gcm -in x -out x.enc
enter aes-256-gcm encryption password:
Verifying - enter aes-256-gcm encryption password:
bad decrypt

The cause of the issue is that the openssl enc command does not support authenticated encryption (AEAD) modes such as GCM, so -aes-256-gcm cannot be used from this tool even though it appears in the cipher list.

Openssl enc quick reference

$ openssl enc --help
usage: enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
    [-in file] [-iter iterations] [-iv IV] [-K key] [-k password]
    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]
    [-out file] [-pass source] [-pbkdf2] [-S salt] [-salt]

 -A                 Process base64 data on one line (requires -a)
 -a                 Perform base64 encoding/decoding (alias -base64)
 -bufsize size      Specify the buffer size to use for I/O
 -d                 Decrypt the input data
 -debug             Print debugging information
 -e                 Encrypt the input data (default)
 -in file           Input file to read from (default stdin)
 -iter iterations   Specify iteration count and force use of PBKDF2
 -iv IV             IV to use, specified as a hexadecimal string
 -K key             Key to use, specified as a hexadecimal string
 -md digest         Digest to use to create a key from the passphrase
 -none              Use NULL cipher (no encryption or decryption)
 -nopad             Disable standard block padding
 -out file          Output file to write to (default stdout)
 -P                 Print out the salt, key and IV used, then exit
                      (no encryption or decryption is performed)
 -p                 Print out the salt, key and IV used
 -pass source       Password source
 -pbkdf2            Use the pbkdf2 key derivation function
 -S salt            Salt to use, specified as a hexadecimal string
 -salt              Use a salt in the key derivation routines (default)
 -v                 Verbose
Valid ciphername values:

 -aes-128-cbc              -aes-128-cbc-hmac-sha1    -aes-128-ccm
 -aes-128-cfb              -aes-128-cfb1             -aes-128-cfb8
 -aes-128-ctr              -aes-128-ecb              -aes-128-gcm
 -aes-128-ofb              -aes-128-xts              -aes-192-cbc
 -aes-192-ccm              -aes-192-cfb              -aes-192-cfb1
 -aes-192-cfb8             -aes-192-ctr              -aes-192-ecb
 -aes-192-gcm              -aes-192-ofb              -aes-256-cbc
 -aes-256-cbc-hmac-sha1    -aes-256-ccm              -aes-256-cfb
 -aes-256-cfb1             -aes-256-cfb8             -aes-256-ctr
 -aes-256-ecb              -aes-256-gcm              -aes-256-ofb
 -aes-256-xts              -aes128                   -aes192
 -aes256                   -bf                       -bf-cbc
 -bf-cfb                   -bf-ecb                   -bf-ofb
 -blowfish                 -camellia-128-cbc         -camellia-128-cfb
 -camellia-128-cfb1        -camellia-128-cfb8        -camellia-128-ecb
 -camellia-128-ofb         -camellia-192-cbc         -camellia-192-cfb
 -camellia-192-cfb1        -camellia-192-cfb8        -camellia-192-ecb
 -camellia-192-ofb         -camellia-256-cbc         -camellia-256-cfb
 -camellia-256-cfb1        -camellia-256-cfb8        -camellia-256-ecb
 -camellia-256-ofb         -camellia128              -camellia192
 -camellia256              -cast                     -cast-cbc
 -cast5-cbc                -cast5-cfb                -cast5-ecb
 -cast5-ofb                -chacha                   -des
 -des-cbc                  -des-cfb                  -des-cfb1
 -des-cfb8                 -des-ecb                  -des-ede
 -des-ede-cbc              -des-ede-cfb              -des-ede-ofb
 -des-ede3                 -des-ede3-cbc             -des-ede3-cfb
 -des-ede3-cfb1            -des-ede3-cfb8            -des-ede3-ofb
 -des-ofb                  -des3                     -desx
 -desx-cbc                 -gost89                   -gost89-cnt
 -gost89-ecb               -id-aes128-CCM            -id-aes128-GCM
 -id-aes128-wrap           -id-aes192-CCM            -id-aes192-GCM
 -id-aes192-wrap           -id-aes256-CCM            -id-aes256-GCM
 -id-aes256-wrap           -rc2                      -rc2-40-cbc
 -rc2-64-cbc               -rc2-cbc                  -rc2-cfb
 -rc2-ecb                  -rc2-ofb                  -rc4
 -rc4-40                   -rc4-hmac-md5             -sm4
 -sm4-cbc                  -sm4-cfb                  -sm4-ctr
 -sm4-ecb                  -sm4-ofb

Conclusion

OpenSSL is a powerful tool for implementing encryption and decryption for various purposes. In this tutorial, you learned how to encrypt and decrypt files using OpenSSL on the command line. With the commands shown in this tutorial, you can easily encrypt and decrypt files to secure their contents.