Linux has plenty of powerful encryption software, but what can you use if you just want to secure a couple files quickly? The OpenSSL toolkit works well for this. It comes installed with Ubuntu and can provide stronger encryption than you would ever need.
This is the basic command to encrypt a file:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
How does this work?
- openssl is the command for the OpenSSL toolkit.
- aes-256-cbc is the encryption cipher to be used. (256-bit AES is what the United States government uses to encrypt information at the Top Secret level.)
- -a means that the encrypted output will be base64 encoded. This allows you to view it in a text editor or paste it in an email. This is optional.
- -salt adds strength to the encryption and should always be used.
- -in secrets.txt specifies the input file.
- -out secrets.txt.enc specifies the output file.
- You will be prompted for a password.
It’s not much use unless you can decrypt it:
openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
- -d decrypts data.
- -a tells OpenSSL that the encrypted data is in base64.
- -in secrets.txt.enc specifies the data to decrypt.
- -out secrets.txt.new specifies the file to put the decrypted data in.
Try out OpenSSL by decrypting this string (the password is pass):
U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A=
You can paste it into a text file and use the commands above, or use this command instead:
echo U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A= | openssl aes-256-cbc -d -a
See the OpenSSL man page for more detail on what it can do.
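The following is an added example, not code from the original post. It takes the challenge string above apart to show what -a and -salt actually write: base64 around the marker `Salted__`, an 8-byte random salt, then the AES-CBC ciphertext. It then derives the key and IV the way `openssl enc` does when `-pbkdf2` is not given (single-iteration EVP_BytesToKey; the default digest was MD5 before OpenSSL 1.1.0 and SHA-256 from 1.1.0 on). The function names are made up for this example, and the AES step itself is left to `openssl`.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # marker `openssl enc` writes in front of the salt

# The challenge string from the article (password: pass).
SAMPLE = "U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A="


def parse_salted(blob, base64_encoded=True):
    """Split `openssl enc` output into (salt, ciphertext)."""
    raw = base64.b64decode(blob) if base64_encoded else bytes(blob)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header")
    salt, ciphertext = raw[8:16], raw[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not whole 16-byte AES blocks")
    return salt, ciphertext


def evp_bytes_to_key(password, salt, digest="md5", key_len=32, iv_len=16):
    """Single-iteration EVP_BytesToKey: D_i = H(D_(i-1) + password + salt)."""
    out = block = b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    # aes-256-cbc needs a 32-byte key and a 16-byte IV
    return out[:key_len], out[key_len:key_len + iv_len]


if __name__ == "__main__":
    salt, ct = parse_salted(SAMPLE)
    print("salt:", salt.hex(), "| ciphertext bytes:", len(ct))
    for digest in ("md5", "sha256"):  # pre-1.1.0 default vs. later default
        key, iv = evp_bytes_to_key(b"pass", salt, digest)
        print(digest, "key:", key.hex(), "iv:", iv.hex())
```

Because the salt is random, encrypting the same file twice with the same password gives a different key, IV and ciphertext each time. Because the default digest changed between OpenSSL versions, a file written by one version may need `-md md5` or `-md sha256` to decrypt on another.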
Hi Tom,
I just wanted to let you know that I highly enjoy your tutorial posts. Like you, I started using Linux about 3 or 4 years ago, and I am by no means an expert! I recently switched to Kubuntu, and while there is a great deal of info on how to do various things, your format is easy to read and makes complete sense!
Keep up the good work!
Cheers,
mkwerner
thanks man, i enjoy your tutorials
this encryption lesson is another one of my faves from your blog
[...] over at tomubuntu.com, has a great refresher on using OpenSSL for encrypting and decrypting [...]
[...] On Tombuntu I came across a very interesting tip. It is about using OpenSSL to encrypt our files [...]
[...] simple file [...] with OpenSSL On Tombuntu I came across a very interesting tip. It is about using OpenSSL to encrypt our files [...]
Great post! Good tip. Works nicely with bash too.
[...] also written previously about simple file encryption with OpenSSL. Enjoyed this post? Subscribe to Tombuntu’s RSS [...]
As you say yourself “(…)[openSSL] can provide stronger encryption than you would ever need.”
True – so true
You also have other alternatives, especially ‘bcrypt’. It uses the blowfish algorithm – more than good enough for simple file-encryption. Simply run
$ bcrypt file
enter a passphrase, voila – file is encrypted to file.bfe. To decrypt, same command:
$ bcrypt file.bfe
Quick and clean encryption solution.
Thank you.
[...] ??: http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/ [...]
If you use a suffix such as ‘.enc’ for encrypted files, you can also use VIM to edit an encrypted file. It asks for the password to decrypt, then if you write it will ask for the password again to encrypt…
Add the following to your .vimrc file…
" Edit encrypted using openssl aes-256-cbc
augroup enc
autocmd!
autocmd BufReadPre,FileReadPre *.enc set bin
autocmd BufReadPre,FileReadPre *.enc set noswapfile
autocmd BufReadPost,FileReadPost *.enc set shell=sh
autocmd BufReadPost,FileReadPost *.enc set shellredir=>
autocmd BufReadPost,FileReadPost *.enc '[,']!openssl aes-256-cbc -d -a
autocmd BufReadPost,FileReadPost *.enc exe "doau BufReadPost ".expand("%:r")
autocmd BufReadPost,FileReadPost *.enc set nobin
autocmd BufReadPost,FileReadPost *.enc redraw!
autocmd BufWritePre,FileWritePre *.enc mark z
autocmd BufWritePre,FileWritePre *.enc set bin
autocmd BufWritePre,FileWritePre *.enc '[,']!openssl aes-256-cbc -a -salt
autocmd BufWritePost,FileWritePost *.enc undo
autocmd BufWritePost,FileWritePost *.enc set nobin
autocmd BufWritePost,FileWritePost *.enc 'z
augroup END
To create a new file just start vim without a file name and then ‘write’ it to one ending in ‘.enc’ for example
:w secret_stuff.enc
To look at or modify the file just run vim secret_stuff.enc
WARNING: when saving make sure the file gets written correctly by looking at the output before quitting.
ASIDE: The above was developed from old PGP and GPG encrypted file techniques from vim.
Hi.
I did all that you wrote, but now I can not decrypt, when I open file file.enc and insert the pass it gives me error:
bad decrypt
19687:error:06065064:digital envelope routines:EVP_DecryptFinal:Bad decrypt: evp_enc.c:509:
Could you please advise? Thank you in advance!!
Waiting for your reply.
Addendum: Remove the -a option from the above. When saving to a file there is no need to request ‘base64’ encoding! Save it directly as binary!
Very nice! I added this to my .profile
alias encrypt="openssl aes-256-cbc -a -salt"
alias decrypt="openssl aes-256-cbc -d -a -salt"
[...] standard we are using). The following example is cheerfully swiped from the example given over at Tombuntu. ?View Code BASH>openssl aes-256-cbc -a -salt -in config.plain -out [...]
[...] because many computers already have OpenSSL installed, since it is used for numerous services. AES-256 is supported, and note that the -salt option is default but is used in this [...]
thankzzz…..
[...] Simple File Encryption with OpenSSL. Dryer, Tom. Tombuntu. 12 Dec. 2007. This entry was posted in link and tagged centos, decryption, [...]
[...] there's a good cli example of openssl here http://tombuntu.com/index.php/2007/1…-with-openssl/ You need to ask the creator of the Pub key exactly how he created it. [...]
thank you very much , this helped
Hi,
Good tutorial. I have a question: how do you automate this for encrypting and decrypting a larger number of files in a directory, and non-interactively for the password?
Regards
on Fedora 24
$ zip -9 hello.zip *.sh
$ openssl aes-256-cbc -a -in hello.zip -out secret.zip.enc
enter aes-256-cbc encryption password:
$ openssl aes-256-cbc -a -d -in secret.zip.enc -out output.zip