How to use openssl to encrypt a file with an asymmetric public key:
-rsautl option in openssl to encrypt a file using the RSA algorithm asymmetrically. When sharing a secret is not possible or less than ideal, asymmetric encryption is your best solution.
First, if you do not already have a private key, generate one:
openssl genrsa -out private-key.pem 2048
Next, extract your public key and send it to the person that will be encrypting data to send to you:
openssl rsa -pubout -in private-key.pem -out public-key.pem
The data will be encrypted with this command:
openssl rsautl -encrypt -in dt.txt -out dt.txt.enc -inkey public-key.pem -pubin
-encrypt means encrypt,
-in dt.txt is the plain text,
-out dt.txt.enc is the encrypted data file,
-inkey public-key.pem is the public key being used to encrypt, and
-pubin means the input file in an RSA public key.
And you can decrypt the data with this command:
openssl rsautl -decrypt -in dt.txt.enc -out dt.txt -inkey private-key.pem
-decrypt means decrypt,
-in dt.txt.enc is the encrypted cipher data,
-out dt.txt is the decrypted plain text data, and
-inkey private-key.pem is the private key.
How to use openssl to encrypt a file with a symmetric secret key:
When using the following commands, you will be prompted for the password (shared secret key). The shared key can live in a protected file
-kfile, or share by word of mouth. Remember, the encrypted file is only as safe as the secret is truly secret.
While not used in the provided examples,
-salt is recommended and will protect against dictionary attacks.
openssl enc -aes256 -base64 -in dt.txt -out dt.txt.enc
enc means encrypt,
-aes256 is the cipher (defaults to
-in dt.txt is the file to encrypt, and
-out dt.txt.enc is the newly encrypted data file.
To decrypt the data:
openssl enc -d -aes256 -base64 -in dt.txt.enc -out dt.txt
enc -d means decrypt,
-aes256 is the cipher (make sure to use the same cipher as used when encrypting),
-base64 if encoded,
-in dt.txt.enc is the encrypted file, and
-out dt.txt is the result plain text file.
Encrypt with Password-Based Key Derivation Function 2 (pbkdf2):
As you noticed in the previous example without pbkdf2, the key derivation was deprecated and it recommends to use
-pbkdf2 for key derivation. Simply put, Password-Based Key Derivation Function 2 supersedes the same Function 1, is part of PKCS5 (PKCS #5, PKCS 5), and is the recommended practice for password hashing.
Note that the only difference when using pbkdf2 is the corresponding flag. Other flags stay the same.
The default number of PBKDF2 iterations is 10,000, but this can be changed to a higher number using the
-iter flag. For example, the 1Password service derives keys with 100,000 iterations.
openssl enc -pbkdf2 -aes256 -base64 -in dt.txt -out dt.txt.enc
To decrypt the pbkdf2 encrypted data (if using iterations other than the default make sure to include that with
openssl enc -d -pbkdf2 -aes256 -base64 -in dt.txt.enc -out dt.txt
Hopefully, that provides useful examples for how to encrypt and decrypt data using openssl. Please leave comments with any questions or suggestions and improvements. See the official openssl docs for asymmetric encryption and symmetric encryption.
Leave a Reply