Tombuntu

Simple File Encryption with OpenSSL

Linux has plenty of powerful encryption software, but what can you use if you just want to secure a couple of files quickly? The OpenSSL toolkit works well for this. It comes installed with Ubuntu and can provide stronger encryption than you would ever need.

This is the basic command to encrypt a file:

openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc

How does this work?

It’s not much use unless you can decrypt it:

openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new

Try out OpenSSL by decrypting this string (the password is pass):

U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A=

You can paste it into a text file and use the commands above, or use this command instead:

echo U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A= | openssl aes-256-cbc -d -a

See the OpenSSL man page for more detail on what it can do.
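
What the -a and -salt options actually produce can be seen by taking the sample string above apart. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the base64, od, head, tail and wc utilities of a typical Linux system.

```shell
#!/bin/sh
# Added example: take apart the output of "openssl aes-256-cbc -a -salt".
# After base64 decoding (-a) the layout is:
#   bytes 0-7   the ASCII magic "Salted__"
#   bytes 8-15  the random salt that -salt mixes into key derivation
#   bytes 16-   AES-CBC ciphertext, always a multiple of 16 bytes

SAMPLE='U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A='  # string from the post

# Hypothetical helper: decode a base64 string to raw bytes on stdout.
enc_raw() { printf '%s\n' "$1" | base64 -d; }

# First eight bytes, expected to be the magic string.
enc_magic() { enc_raw "$1" | head -c 8; }

# Salt as lowercase hex.
enc_salt() {
    enc_raw "$1" | tail -c +9 | head -c 8 | od -An -v -tx1 | tr -d ' \n'
}

# Ciphertext length in bytes.
enc_ctlen() { enc_raw "$1" | tail -c +17 | wc -c | tr -d ' '; }

enc_describe() {
    if [ "$(enc_magic "$1")" != "Salted__" ]; then
        echo "no Salted__ header: not salted openssl enc output" >&2
        return 1
    fi
    len=$(enc_ctlen "$1")
    echo "salt:       $(enc_salt "$1")"
    echo "ciphertext: $len bytes"
    # Padding always adds 1 to 16 bytes, so the length bounds the plaintext.
    echo "plaintext:  $((len - 16)) to $((len - 1)) bytes"
}

enc_describe "$SAMPLE"
```

The salt and the approximate plaintext length are readable by anyone who holds the file; only the ciphertext bytes depend on the password.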

Archived Comments

mkwerner

Hi Tom,
I just wanted to let you know that I highly enjoy your tutorial posts. Like you, I started using Linux about 3 or 4 years ago, and I am by no means an expert! I recently switched to Kubuntu, and while there is a great deal of info on how to do various things, your format is easy to read and makes complete sense!

Keep up the good work!

Cheers,
mkwerner

me

thanks man, i enjoy your tutorials

this encryption lesson is another one of my faves from your blog

Anonymous

Great post! Good tip. Works nicely with bash too.

firmit

As you say yourself “(…)[openSSL] can provide stronger encryption than you would ever need.”

True - so true :)

You also have other alternatives, especially ‘bcrypt’. It uses the blowfish algorithm - more than good enough for simple file-encryption. Simply run

$ bcrypt file

enter a passphrase, voila - file is encrypted to file.bfe. To decrypt, same command:

$ bcrypt file.bfe

Yves

Quick and clean encryption solution.
Thank you.

Anthony thyssen

If you use a suffix such as ‘.enc’ for encrypted files, you can also use VIM to edit an encrypted file. It asks for the password to decrypt then if you write it will ask for the password again to encrypt…

Add the following to your .vimrc file…

" Edit encrypted using openssl aes-256-cbc
augroup enc
autocmd!
autocmd BufReadPre,FileReadPre *.enc set bin
autocmd BufReadPre,FileReadPre *.enc set noswapfile
autocmd BufReadPost,FileReadPost *.enc set shell=sh
autocmd BufReadPost,FileReadPost *.enc set shellredir=>
autocmd BufReadPost,FileReadPost *.enc '[,']!openssl aes-256-cbc -d -a
autocmd BufReadPost,FileReadPost *.enc exe "doau BufReadPost ".expand("%:r")
autocmd BufReadPost,FileReadPost *.enc set nobin
autocmd BufReadPost,FileReadPost *.enc redraw!
autocmd BufWritePre,FileWritePre *.enc mark z
autocmd BufWritePre,FileWritePre *.enc set bin
autocmd BufWritePre,FileWritePre *.enc '[,']!openssl aes-256-cbc -a -salt
autocmd BufWritePost,FileWritePost *.enc undo
autocmd BufWritePost,FileWritePost *.enc set nobin
autocmd BufWritePost,FileWritePost *.enc 'z
augroup END

To create a new file just start vim without a file name and then ‘write’ it to one ending in ‘.enc’ for example
:w secret_stuff.enc

To look at or modify the file just run vim secret_stuff.enc

WARNING: when saving make sure the file gets written correctly by looking at the output before quitting.

ASIDE: The above was developed from old PGP and GPG encrypted file techniques from vim.

Victor

Hi.

I did all that you wrote, but now I can not decrypt, when I open file file.enc and insert the pass it gives me error:

bad decrypt
19687:error:06065064:digital envelope routines:EVP_DecryptFinal:Bad decrypt: evp_enc.c:509:

Could you please advise? Thank you in advance!!

Waiting for your reply.

Anthony thyssen

Addendum – Remove the -a option from the above. When saving to a file there is no need to request ‘base64’ encoding! Save it directly as binary!

Kevin

Very nice! I added this to my .profile

alias encrypt="openssl aes-256-cbc -a -salt"
alias decrypt="openssl aes-256-cbc -d -a -salt"

mahesh

thankzzz…..

Mikael

thank you very much, this helped

Azad

Hi,

Good tutorial, I have a question. How do you automate this for encrypting and decrypting a larger number of files in a directory, and non-interactively for the password?

Regards

Asif Ali Rizvan

on Fedora 24
$ zip -9 hello.zip *.sh
$ openssl aes-256-cbc -a -in hello.zip -out secret.zip.enc
enter aes-256-cbc encryption password:

$ openssl aes-256-cbc -a -d -in secret.zip.enc -out output.zip

Hunter

I encrypted a .dmg file using openssl encryption on my Macbook Pro, keeping the output name the same as the input name. I didn’t know this would be problematic, as I am now unable to decrypt the .dmg file even with the correct password.

Some folks say it could not be done, but it seemed to have worked for me. Now, I can’t open the file and am afraid it will be impossible to decrypt.

Note: If I use the same code, but change the output name, it can decrypt just fine. My issue was that I encrypted the file using the same output name as the input, which has made it impossible for me to decrypt it.

Here’s what the code looks like:
openssl enc -aes-256-cbc -d -in /Users/huntert/Desktop/IMPT.dmg -out /Users/huntert/Desktop/IMPT.dmg
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

When I tried to decrypt it, I received the following messages:
enter aes-256-cbc decryption password:
error reading input file

I should’ve been more cautious and tried it on a rubbish file. Lesson learned.
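
The overwrite problem in the comment above and the earlier question about non-interactive batch encryption can both be handled by a small wrapper. This is an added example, not part of the original post or its comments; the function names and the passphrase file are hypothetical, and it assumes OpenSSL 1.1.1 or later for the -pbkdf2 option.

```shell
#!/bin/sh
# Added example, not from the original post or its comments.
# Assumes OpenSSL 1.1.1 or later (for -pbkdf2). Function names are hypothetical.
# PASSFILE holds the passphrase on its first line; keep it mode 600.

# encrypt_file SRC PASSFILE: write SRC.enc, never writing to SRC itself.
encrypt_file() {
    src=$1 passfile=$2 dst=$1.enc
    if [ ! -f "$src" ]; then echo "no such file: $src" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 1; fi
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    # -pass file: reads the passphrase without a prompt and keeps it off the
    # command line. -pbkdf2 replaces the legacy key derivation, so files made
    # with the post's original command must be decrypted without that flag.
    # The second command decrypts what was just written and compares it with
    # the source, so a bad output is caught before it is given its final name.
    if openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$passfile" \
            -in "$src" -out "$tmp" &&
       openssl enc -aes-256-cbc -d -pbkdf2 -pass "file:$passfile" \
            -in "$tmp" | cmp -s - "$src"
    then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        echo "round-trip check failed for $src" >&2
        return 1
    fi
}

# encrypt_dir DIR PASSFILE: encrypt every regular file in DIR, skipping *.enc.
encrypt_dir() {
    for f in "$1"/*; do
        case $f in *.enc) continue ;; esac
        if [ -f "$f" ]; then
            encrypt_file "$f" "$2" || return 1
        fi
    done
}

# Stand-alone use: sh this_script DIR PASSFILE
if [ "$#" -eq 2 ]; then encrypt_dir "$1" "$2"; fi
```

The plaintext files are left in place; removing them is a separate step to take only after the .enc files have been checked.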
