Simple File Encryption with OpenSSL
Linux has plenty of powerful encryption software, but what can you use if you just want to secure a couple files quickly? The OpenSSL toolkit works well for this. It comes installed with Ubuntu and can provide stronger encryption than you would ever need.
This is the basic command to encrypt a file:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
How does this work?
- openssl is the command for the OpenSSL toolkit.
- aes-256-cbc is the encryption cipher to be used. (256-bit AES is what the United States government uses to encrypt information at the Top Secret level.)
- -a means that the encrypted output will be base64 encoded; this allows you to view it in a text editor or paste it in an email. This is optional.
- -salt adds strength to the encryption and should always be used.
- -in secrets.txt specifies the input file.
- -out secrets.txt.enc specifies the output file.
- You will be prompted for a password.
It’s not much use unless you can decrypt it:
openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
- -d decrypts data.
- -a tells OpenSSL that the encrypted data is in base64.
- -in secrets.txt.enc specifies the data to decrypt.
- -out secrets.txt.new specifies the file to put the decrypted data in.
Try out OpenSSL by decrypting this string (the password is pass):
U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A=
You can paste it into a text file and use the commands above, or use this command instead:
echo U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A= | openssl aes-256-cbc -d -a
See the OpenSSL man page for more detail on what it can do.
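To see what -a and -salt actually put in the output file, the following added example (not part of the original post) inspects a file's header without decrypting it: it tells base64 output from raw binary so the matching decrypt flags can be chosen, and prints the salt and ciphertext length. The names enc_info and hex_of are assumptions of this example, and it relies on the coreutils base64, od, head and tail commands.

```shell
#!/bin/sh
# Added example: report how an `openssl enc` file is stored, without decrypting.
# With -salt the raw output is "Salted__" + 8-byte salt + ciphertext;
# -a wraps those same bytes in base64.

SALTED_MAGIC=53616c7465645f5f                # the ASCII bytes of "Salted__"

hex_of() { od -An -v -tx1 | tr -d ' \n'; }   # stdin -> one hex string

# enc_info FILE prints:
#   encoding=<binary|base64> salt=<hex> ct_bytes=<n> aligned=<yes|no>
enc_info() {
    src=$1
    raw=$(mktemp) || return 2
    if [ "$(head -c 8 "$src" | hex_of)" = "$SALTED_MAGIC" ]; then
        encoding=binary                      # decrypt without -a
        cat "$src" > "$raw"
    elif base64 -d < "$src" > "$raw" 2>/dev/null &&
         [ "$(head -c 8 "$raw" | hex_of)" = "$SALTED_MAGIC" ]; then
        encoding=base64                      # decrypt with -a
    else
        rm -f "$raw"
        echo "encoding=unknown"              # not salted openssl enc output
        return 1
    fi
    salt=$(tail -c +9 "$raw" | head -c 8 | hex_of)
    ct_bytes=$(( $(wc -c < "$raw") - 16 ))
    rm -f "$raw"
    # CBC ciphertext is always a whole number of 16-byte AES blocks; anything
    # else means the file was truncated or altered in transit.
    if [ "$ct_bytes" -gt 0 ] && [ $((ct_bytes % 16)) -eq 0 ]; then
        aligned=yes
    else
        aligned=no
    fi
    echo "encoding=$encoding salt=$salt ct_bytes=$ct_bytes aligned=$aligned"
}

# The sample string from this page, written to a scratch file.
sample=$(mktemp)
echo 'U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A=' > "$sample"
enc_info "$sample"
rm -f "$sample"
```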
Archived Comments
me
thanks man, i enjoy your tutorials
this encryption lesson is another one of my faves from your blog
Anonymous
Great post! Good tip. Works nicely with bash too.
firmit
As you say yourself “(…)[openSSL] can provide stronger encryption than you would ever need.”
True - so true :)
You also have other alternatives, especially ‘bcrypt’. It uses the blowfish algorithm - more than good enough for simple file-encryption. Simply run
$ bcrypt file
enter a passphrase, voila - file is encrypted to file.bfe. To decrypt, same command:
$ bcrypt file.bfe
Yves
Quick and clean encryption solution.
Thank you.
Anthony thyssen
if you use a suffix such as ‘.enc’ for encrypted files, you can also use VIM to edit an encrypted file. It asks for the password to decrypt then if you write it will ask for the password again to encrypt…
Add the following to your .vimrc file…
" Edit encrypted using openssl aes-256-cbc
augroup enc
autocmd!
autocmd BufReadPre,FileReadPre *.enc set bin
autocmd BufReadPre,FileReadPre *.enc set noswapfile
autocmd BufReadPost,FileReadPost *.enc set shell=sh
autocmd BufReadPost,FileReadPost *.enc set shellredir=>
autocmd BufReadPost,FileReadPost *.enc '[,']!openssl aes-256-cbc -d -a
autocmd BufReadPost,FileReadPost *.enc exe "doau BufReadPost ".expand("%:r")
autocmd BufReadPost,FileReadPost *.enc set nobin
autocmd BufReadPost,FileReadPost *.enc redraw!
autocmd BufWritePre,FileWritePre *.enc mark z
autocmd BufWritePre,FileWritePre *.enc set bin
autocmd BufWritePre,FileWritePre *.enc '[,']!openssl aes-256-cbc -a -salt
autocmd BufWritePost,FileWritePost *.enc undo
autocmd BufWritePost,FileWritePost *.enc set nobin
autocmd BufWritePost,FileWritePost *.enc 'z
augroup END
To create a new file just start vim without a file name and then ‘write’ it to
one ending in ‘.enc’ for example
:w secret_stuff.enc
To look at or modify the file just run vim secret_stuff.enc
WARNING: when saving make sure the file gets written correctly by looking at the output before quitting.
ASIDE: The above was developed from old PGP and GPG encrypted file techniques from vim.
Victor
Hi.
I did all that you wrote, but now I can not decrypt, when I open file file.enc and insert the pass it gives me error:
bad decrypt
19687:error:06065064:digital envelope routines:EVP_DecryptFinal:Bad decrypt:
evp_enc.c:509:
Could you please advise? Thank you in advance!!
Waiting for your reply.
Anthony thyssen
Addendum – Remove the -a option from the above. When saving to a file there is no need to request ‘base64’ encoding! Save it directly as binary!
Kevin
Very nice! I added this to my .profile
alias encrypt="openssl aes-256-cbc -a -salt"
alias decrypt="openssl aes-256-cbc -d -a -salt"
mahesh
thankzzz…..
Mikael
thank you very much , this helped
Azad
Hi,
Good tutorial, I have a question. How do you automate this for encrypting and decrypt more number of files in Directory, and non-interactive for Password ?
Regards
Asif Ali Rizvan
on Fedora 24
$ zip -9 hello.zip *.sh
$ openssl aes-256-cbc -a -in hello.zip -out secret.zip.enc
enter aes-256-cbc encryption password:
$ openssl aes-256-cbc -a -d -in secret.zip.enc -out output.zip
Hunter
I encrypted a .dmg file using openssl encryption on my Macbook Pro, keeping the output name the same as the input name. I didn’t know this would be problematic, as I am now unable to decrypt the .dmg file even with the correct password.
Some folks say it could not be done, but it seemed to have worked for me. Now, I can’t open the file and am afraid it will be impossible to decrypt.
Note: If I use the same code, but change the output name, it can decrypt just fine. My issue was that I encrypted the file using the same output name as the input, which has made it impossible for me to decrypt it.
Here’s what the code looks like:
openssl enc -aes-256-cbc -d -in /Users/huntert/Desktop/IMPT.dmg -out /Users/huntert/Desktop/IMPT.dmg
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
When I tried to decrypt it, I received the following messages:
enter aes-256-cbc decryption password:
error reading input file
I should’ve been more cautious and tried it on a rubbish file. Lesson learned.
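Two of the comments above raise cases the basic command does not cover: Azad's non-interactive use on a whole directory, and Hunter's run where the output path was the same as the input. This added example (not from the original post or its commenters) handles both by reading the passphrase with -pass file: and by writing to a temporary file that is renamed only after a round-trip check. It assumes OpenSSL 1.1.1 or later for -pbkdf2; encrypt_dir, decrypt_file and the passphrase file are names made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-pbkdf2)
# and a passphrase file readable only by you (chmod 600); openssl takes the
# passphrase from its first line, so nothing is typed or visible in `ps`.

CIPHER="-aes-256-cbc -salt -pbkdf2"     # expanded unquoted on purpose

# encrypt_dir DIR PASSFILE: write FILE.enc next to every regular file in DIR.
encrypt_dir() {
    dir=$1 passfile=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.enc) continue ;; esac          # already encrypted
        tmp=$(mktemp "$f.XXXXXX") || return 1
        # Never write over the input: encrypt to a temp file, prove that it
        # decrypts back to the original, and only then give it its final name.
        if openssl enc $CIPHER -pass "file:$passfile" -in "$f" -out "$tmp" &&
           openssl enc -d $CIPHER -pass "file:$passfile" -in "$tmp" | cmp -s - "$f"
        then
            mv "$tmp" "$f.enc"
        else
            rm -f "$tmp"
            echo "encrypt failed, original untouched: $f" >&2
            return 1
        fi
    done
}

# decrypt_file FILE.enc PASSFILE: write FILE, refusing to replace anything.
decrypt_file() {
    src=$1 passfile=$2 out=${1%.enc}
    [ "$out" != "$src" ] || { echo "not a .enc file: $src" >&2; return 2; }
    [ ! -e "$out" ]      || { echo "refusing to overwrite: $out" >&2; return 3; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if openssl enc -d $CIPHER -pass "file:$passfile" -in "$src" -out "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Files written this way need the same -pbkdf2 flag when they are decrypted by hand.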
mkwerner
Hi Tom,
I just wanted to let you know that I highly enjoy your tutorial posts. Like you, I started using Linux about 3 or 4 years ago, and I am by no means an expert! I recently switched to Kubuntu, and while there is a great deal of info on how to do various things, your format is easy to read and makes complete sense!
Keep up the good work!
Cheers,
mkwerner