Difference between revisions of "Enc"

From OpenSSLWiki
Jump to navigationJump to search
(added some more options, still some are missing)
Line 29: Line 29:
  
 
;-e or -d
 
;-e or -d
: This specifies whether to encrypt ('''-e''') or to decrypt ('''-d'''). Encryption is the default. Of course you have to get all the other options right in order for it to function properly.
+
: This specifies whether to encrypt ('''-e''') or to decrypt ('''-d'''). Encryption is the default. Of course you have to get all the other options right in order for it to function properly. In particular it is necessary to give the correct cipher-name as well as '''-a''', '''-A''' or '''-z''' options.
  
 
;-base64, -a, -A
 
;-base64, -a, -A
: These flags tell OpenSSL to apply [[Base64]]-encoding before or after the cryptographic operation. The '''-a''' and '''-base64''' are equivalent. If you want to decode a base64 file it is necessary to use the '''-d''' option. By default the encoded file has a line break every 64 characters. To suppress this you can use in addition to '''-base64''' the '''-A''' flag. This will produce a file with no line breaks at all. You can use these flags just for [[#Base64 Encoding|encoding Base64]] without any ciphers involved.
+
: These flags tell OpenSSL to apply [[Base64]]-encoding before or after the cryptographic operation. The '''-a''' and '''-base64''' are equivalent. If you want to decode a base64 file it is necessary to use the '''-d''' option. By default the encoded file has a line break every 64 characters. To suppress this you can use ''in addition'' to '''-base64''' the '''-A''' flag. This will produce a file with no line breaks at all. You can use these flags just for [[#Base64 Encoding|encoding Base64]] without any ciphers involved.
  
 
;-pass ''arg''
 
;-pass ''arg''
: This specifies the password source.
+
: This specifies the password source. Possible values for ''arg'' are '''pass:'''''password''''' or '''pass:'''''filename''''', where ''password'' is your password and ''filename'' file containing the password.
  
 
;-k ''password'',  -kfile ''filename''
 
;-k ''password'',  -kfile ''filename''
Line 42: Line 42:
 
;-K ''key''
 
;-K ''key''
 
: This option allows you to set the ''key'' used for encryption or decryption. This is the key directly used by the cipher algorithm. If no key is given OpenSSL will derive it from a password. This process is described in PKCS5#5 (RFC-2898).
 
: This option allows you to set the ''key'' used for encryption or decryption. This is the key directly used by the cipher algorithm. If no key is given OpenSSL will derive it from a password. This process is described in PKCS5#5 (RFC-2898).
 +
 +
;-md ''messagedigest''
 +
: This specifies the message digest which is used for key derivation. It can take one of the values '''md2''', '''md5''', '''sha''' or '''sha1'''.
  
 
;-iv ''IV''
 
;-iv ''IV''
: This specifies the initializaion vector ''IV'' as hexadecimal number. If not explicitly given it will be derived from the password. See key derivation for details.
+
: This specifies the initialization vector ''IV'' as hexadecimal number. If not explicitly given it will be derived from the password. See key derivation for details.
  
 
;-salt, -nosalt, -S ''salt''
 
;-salt, -nosalt, -S ''salt''
 
: These options allow to switch [[Salt|salting]] on or off. With '''-S''' ''salt'' it is possible to explicitly give its value (in hexadecimal).   
 
: These options allow to switch [[Salt|salting]] on or off. With '''-S''' ''salt'' it is possible to explicitly give its value (in hexadecimal).   
 +
 +
;-p, -P
 +
: Additionally to any encryption tasks, this prints the key, initialization vector and salt value (if used). If '''-P''' is used just these values are printed, no encryption will take place.
 +
 +
;-nopad
 +
: This disables standard padding.
 +
 +
;-z
 +
: Use this flag to enable [http://www.zlib.net/ zlib-compression]. After a file is encrypted (and maybe base64 encoded) it will be compressed via zlib. Vice versa while decrypting, zlib will be applied first.
  
 
===Examples===
 
===Examples===

Revision as of 11:29, 5 July 2013

This page describes the command line tools for encryption and decryption. Enc is used for various block and stream ciphers using keys based on passwords or explicitly provided. It can also be used for Base64 encoding or decoding.

Synopsis

The basic usage is to specify a ciphername and various options describing the actual task.

$ openssl enc -ciphername [options]

You can obtain an incomplete help message by using an invalid option, eg. -help.

Cipher alogorithms

To get a list of available ciphers you can use the list-cipher-algorithms command

$ openssl list-cipher-algorithms

The output gives you a list of ciphers with its variations in block size an mode of operation. For example AES-256-CBC for AES with blocksize 256 in CBC-mode. Some ciphers also have short names, for example the one just mentioned is also known as aes256. These names are case insensitive. In addition none is a valid ciphername. This algorithms does nothing at all.

Options

The list of options is rather long.

-in filename
This specifies the input file.
-out filename
This specifies the output file. It will be created or overwritten if it already exists.
-e or -d
This specifies whether to encrypt (-e) or to decrypt (-d). Encryption is the default. Of course you have to get all the other options right in order for it to function properly. In particular it is necessary to give the correct cipher-name as well as -a, -A or -z options.
-base64, -a, -A
These flags tell OpenSSL to apply Base64-encoding before or after the cryptographic operation. The -a and -base64 are equivalent. If you want to decode a base64 file it is necessary to use the -d option. By default the encoded file has a line break every 64 characters. To suppress this you can use in addition to -base64 the -A flag. This will produce a file with no line breaks at all. You can use these flags just for encoding Base64 without any ciphers involved.
-pass arg
This specifies the password source. Possible values for arg are pass:password or pass:filename, where password is your password and filename file containing the password.
-k password, -kfile filename
Both option are used to specify a password or a file containing the password which is used for key derivation. However they are deprecated. You should use the -pass option instead. The equivalents are -pass pass:password and -pass: pass:filename respectively.
-K key
This option allows you to set the key used for encryption or decryption. This is the key directly used by the cipher algorithm. If no key is given OpenSSL will derive it from a password. This process is described in PKCS5#5 (RFC-2898).
-md messagedigest
This specifies the message digest which is used for key derivation. It can take one of the values md2, md5, sha or sha1.
-iv IV
This specifies the initialization vector IV as hexadecimal number. If not explicitly given it will be derived from the password. See key derivation for details.
-salt, -nosalt, -S salt
These options allow to switch salting on or off. With -S salt it is possible to explicitly give its value (in hexadecimal).
-p, -P
Additionally to any encryption tasks, this prints the key, initialization vector and salt value (if used). If -P is used just these values are printed, no encryption will take place.
-nopad
This disables standard padding.
-z
Use this flag to enable zlib-compression. After a file is encrypted (and maybe base64 encoded) it will be compressed via zlib. Vice versa while decrypting, zlib will be applied first.

Examples

Base64 Encoding

To encode a file text.plain you can use

$ openssl enc -base64 -in text.plain -out text.base64

To decode a file the the decrypt option (-d) has to be used

$ openssl enc -d -base64 -in text.base64 -out text.plain

Encryption

The most basic way to encrypt a file is this

$ openssl enc -des -base64 -in some.secret -out some.secret.enc
enter des-cbc encryption password :
Verifying - enter des-cbc encryption password :

It will encrypt the file some.secret using the DES-cipher in CBC-mode. The result will be base64 encoded and written to some.secret.enc. OpenSSL will ask for password which is used to derive a key as well the initialization vector. Since encryption is the default, it is not necessary to use the -e option.