Differences

This shows you the differences between two versions of the page.

--- ubuntu:openssl:encrypt_a_file [2021/01/29 16:12] – created peter
+++ ubuntu:openssl:encrypt_a_file [2021/01/30 18:34] (current) – [Encrypt (interactive)] peter
@@ Line 1: / Line 1: @@
 ====== Ubuntu - OpenSSL - Encrypt a file ======
+===== Get a list of ciphers that OpenSSL supports =====
+<code bash>
+openssl enc -list
+</code>
+returns:
+<code bash>
+Supported ciphers:
+-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
+-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
+-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
+-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
+-aes-192-ecb               -aes-192-ofb               -aes-256-cbc
+-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8
+-aes-256-ctr               -aes-256-ecb               -aes-256-ofb
+-aes128                    -aes128-wrap               -aes192
+-aes192-wrap               -aes256                    -aes256-wrap
+-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1
+-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb
+-aria-128-ofb              -aria-192-cbc              -aria-192-cfb
+-aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr
+-aria-192-ecb              -aria-192-ofb              -aria-256-cbc
+-aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8
+-aria-256-ctr              -aria-256-ecb              -aria-256-ofb
+-aria128                   -aria192                   -aria256
+-bf                        -bf-cbc                    -bf-cfb
+-bf-ecb                    -bf-ofb                    -blowfish
+-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1
+-camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb
+-camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb
+-camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr
+-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc
+-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8
+-camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb
+-camellia128               -camellia192               -camellia256
+-cast                      -cast-cbc                  -cast5-cbc
+-cast5-cfb                 -cast5-ecb                 -cast5-ofb
+-chacha20                  -des                       -des-cbc
+-des-cfb                   -des-cfb1                  -des-cfb8
+-des-ecb                   -des-ede                   -des-ede-cbc
+-des-ede-cfb               -des-ede-ecb               -des-ede-ofb
+-des-ede3                  -des-ede3-cbc              -des-ede3-cfb
+-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb
+-des-ede3-ofb              -des-ofb                   -des3
+-des3-wrap                 -desx                      -desx-cbc
+-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap
+-id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad
+-id-smime-alg-CMS3DESwrap  -rc2                       -rc2-128
+-rc2-40                    -rc2-40-cbc                -rc2-64
+-rc2-64-cbc                -rc2-cbc                   -rc2-cfb
+-rc2-ecb                   -rc2-ofb                   -rc4
+-rc4-40                    -seed                      -seed-cbc
+-seed-cfb                  -seed-ecb                  -seed-ofb
+-sm4                       -sm4-cbc                   -sm4-cfb
+-sm4-ctr                   -sm4-ecb                   -sm4-ofb
+</code>
+----
+===== Encode a file using aes256 =====
 <code bash>
 openssl enc -aes256 -salt -in test1.txt -out test1.enc
 </code>
+<WRAP info>
+**NOTE:**  The **-salt** option should ALWAYS be used if the key is being derived from a password.
+Without the **-salt** option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data.
+The reason for this is that without the salt the same password always generates the same encryption key.
+When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
+</WRAP>
+----
+===== Decode a file that was encrypted using aes256 =====
+<code bash>
+openssl enc -aes256 -d -in test1.enc -out test2.txt
+</code>
+----
+===== Encrypt using base64 =====
+<code bash>
+openssl enc -aes256 -a -e -salt -in test1.txt -out test1.enc
+</code>
+<WRAP info>
+**NOTE:**  Same as for standard encoding, but with the **-a** option.
+</WRAP>
+----
+===== Decrypt a file that was encrypted using base64 =====
+<code bash>
+openssl enc -aes256 -d -in test1.enc -out test2.txt
+</code>
+<WRAP info>
+**NOTE:**  Same as for standard base decoding, but with the **-a** option.
+</WRAP>
+----
+===== Encrypt (interactive) =====
+<code bash>
+openssl enc -aes-256-cbc -in file.txt.enc -out file.txt  -iter 29 -k PASS
+</code>
+<WRAP info>
+**NOTE:**  The iteration count is for the PBKDF2 hashing algorithm that is designed to make password cracking much much harder.
+Using a low iteration count like 29 is not very useful.
+The count should be made as large as you can without it becoming too annoying (1 to 2 seconds of iteration).
+The current default of 10000 is var too low, even when it was released!  500000 or higher is better.
+</WRAP>
+----
+===== Decrypt (interactive) =====
+<code bash>
+openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -iter 29 -k PASS
+</code>
+----
+===== Encrypt (non-interactive) =====
+<code bash>
+openssl enc -aes-256-cbc -in file.txt.enc -out file.txt  -iter 29 -pass pass:mysecret
+</code>
+----
+===== Decrypt (non-interactive) =====
+<code bash>
+openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -iter 29 -pass pass:mysecret
+</code>