
How to encrypt or decrypt files using the OpenSSL utility

Use the OpenSSL utility to encrypt or decrypt files.

Check the OpenSSL version.

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

Encrypt archive.tgz and store the result as archive.tgz.enc.

$ openssl enc -aes-256-cbc -in archive.tgz -out archive.tgz.enc -pbkdf2
enter aes-256-cbc encryption password:             ************
Verifying - enter aes-256-cbc encryption password: ************

The encrypted file is easy to identify with the file utility.

$ file archive.tgz.enc 
archive.tgz.enc: openssl enc'd data with salted password

Decrypt archive.tgz.enc and store the result as archive.tgz.

$ openssl enc -d -aes-256-cbc -in archive.tgz.enc -out archive.tgz -pbkdf2
enter aes-256-cbc decryption password: ************

Display available ciphers.

$ openssl enc -list
Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb              
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr              
-aes-192-ecb               -aes-192-ofb               -aes-256-cbc              
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8             
-aes-256-ctr               -aes-256-ecb               -aes-256-ofb              
-aes128                    -aes128-wrap               -aes192                   
-aes192-wrap               -aes256                    -aes256-wrap              
-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1            
-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb             
-aria-128-ofb              -aria-192-cbc              -aria-192-cfb             
-aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr             
-aria-192-ecb              -aria-192-ofb              -aria-256-cbc             
-aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8            
-aria-256-ctr              -aria-256-ecb              -aria-256-ofb             
-aria128                   -aria192                   -aria256                  
-bf                        -bf-cbc                    -bf-cfb                   
-bf-ecb                    -bf-ofb                    -blowfish                 
-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1        
-camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb         
-camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb         
-camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr         
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc         
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8        
-camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb         
-camellia128               -camellia192               -camellia256              
-cast                      -cast-cbc                  -cast5-cbc                
-cast5-cfb                 -cast5-ecb                 -cast5-ofb                
-chacha20                  -des                       -des-cbc                  
-des-cfb                   -des-cfb1                  -des-cfb8                 
-des-ecb                   -des-ede                   -des-ede-cbc              
-des-ede-cfb               -des-ede-ecb               -des-ede-ofb              
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb             
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb             
-des-ede3-ofb              -des-ofb                   -des3                     
-des3-wrap                 -desx                      -desx-cbc                 
-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap           
-id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad       
-id-smime-alg-CMS3DESwrap  -rc2                       -rc2-128                  
-rc2-40                    -rc2-40-cbc                -rc2-64                   
-rc2-64-cbc                -rc2-cbc                   -rc2-cfb                  
-rc2-ecb                   -rc2-ofb                   -rc4                      
-rc4-40                    -seed                      -seed-cbc                 
-seed-cfb                  -seed-ecb                  -seed-ofb                 
-sm4                       -sm4-cbc                   -sm4-cfb                  
-sm4-ctr                   -sm4-ecb                   -sm4-ofb    

Decrypting files that were encrypted with an older OpenSSL version (for example OpenSSL 1.0.1e-fips 11 Feb 2013) requires specifying the digest that was used to derive the key from the passphrase.

$ openssl enc -aes-256-cbc -d -in archive.tgz.enc -out archive.tgz
enter aes-256-cbc decryption password: ************
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140577021015360:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
$ openssl enc -aes-256-cbc -d -in archive.tgz.enc -out archive.tgz -md md5
enter aes-256-cbc decryption password: ************
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
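
The round trip and the legacy-digest failure shown above, as an added example that is not part of the original page: a script that checks the `Salted__` header and confirms that a file written with the old MD5-based derivation opens only with `-md md5`. It assumes OpenSSL 1.1.1 or later; the passphrase, payload and temporary files are constructed, and the `-md md5` encryption stands in for a file produced by an older release.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Passphrase and payload are constructed.
# The passphrase is read from the environment (-pass env:) so it stays out of
# the process list and shell history.
export ENC_PASS='constructed-demo-passphrase'

# Succeeds if FILE starts with the 8-byte magic that file(1) keys on.
has_salted_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# try_decrypt ENC PLAIN [extra "openssl enc" options]
# Succeeds only if openssl exits 0 AND the output equals PLAIN byte for byte;
# the exit status alone is not enough, because a wrong key can occasionally
# produce valid-looking CBC padding.
try_decrypt() {
    local enc=$1 plain=$2 out rc
    shift 2
    out=$(mktemp)
    openssl enc -d -aes-256-cbc -in "$enc" -out "$out" -pass env:ENC_PASS "$@" \
        2>/dev/null && cmp -s "$out" "$plain"
    rc=$?
    rm -f "$out"
    return "$rc"
}

demo() {
    local dir rc=0
    dir=$(mktemp -d)
    printf 'constructed sample payload\n' > "$dir/plain"
    # Current format: PBKDF2 key derivation, as in the commands above.
    openssl enc -aes-256-cbc -pbkdf2 -in "$dir/plain" -out "$dir/new.enc" \
        -pass env:ENC_PASS || rc=1
    # Stand-in for a file from OpenSSL 1.0.x: legacy derivation with MD5.
    openssl enc -aes-256-cbc -md md5 -in "$dir/plain" -out "$dir/old.enc" \
        -pass env:ENC_PASS 2>/dev/null || rc=1
    has_salted_header "$dir/new.enc" || rc=1
    has_salted_header "$dir/old.enc" || rc=1
    try_decrypt "$dir/new.enc" "$dir/plain" -pbkdf2 || rc=1
    try_decrypt "$dir/old.enc" "$dir/plain" -md md5 || rc=1
    # The legacy file must NOT open with the current default digest or PBKDF2.
    try_decrypt "$dir/old.enc" "$dir/plain"         && rc=1
    try_decrypt "$dir/old.enc" "$dir/plain" -pbkdf2 && rc=1
    rm -rf "$dir"
    return "$rc"
}

demo && echo "round trip OK; the legacy file opens only with -md md5"
```

Both files carry the same `Salted__` header, so the header alone does not reveal which key derivation or digest was used; that has to be recorded alongside the file.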

Display available digests.

$ openssl dgst --list
Supported digests:
-blake2b512                -blake2s256                -md4                      
-md5                       -md5-sha1                  -ripemd                   
-ripemd160                 -rmd160                    -sha1                     
-sha224                    -sha256                    -sha3-224                 
-sha3-256                  -sha3-384                  -sha3-512                 
-sha384                    -sha512                    -sha512-224               
-sha512-256                -shake128                  -shake256                 
-sm3                       -ssl3-md5                  -ssl3-sha1                
-whirlpool