Mister PKI
openssl encrypt a file

March 16, 2020 by Mister PKI Leave a Comment

How to use openssl to encrypt a file with an asymmetric public key:

Use the rsautl subcommand (or pkeyutl, which does the same job and replaces rsautl, deprecated since OpenSSL 3.0) to encrypt a file with the RSA algorithm asymmetrically. When sharing a secret in advance is not possible or less than ideal, asymmetric encryption is the answer. Two caveats before the commands: a single RSA operation can only encrypt a payload smaller than the key modulus (at most 245 bytes with a 2048-bit key and the default PKCS#1 v1.5 padding, 214 bytes with OAEP), so the commands below are for a small file such as a password or a symmetric key, and a larger file is encrypted with a symmetric cipher whose key is then RSA-encrypted; and OAEP padding (-oaep with rsautl) is the safer choice over the PKCS#1 v1.5 default, which is exposed to padding-oracle attacks wherever an attacker can submit ciphertexts to the decrypting side.

First, if you do not already have a private key, generate one:

openssl genrsa -out private-key.pem 2048

Next, extract your public key and send it to the person who will be encrypting data for you. The private key never leaves your side; restrict its file permissions:

openssl rsa -pubout -in private-key.pem -out public-key.pem

The data will be encrypted with this command:

openssl rsautl -encrypt -in dt.txt -out dt.txt.enc -inkey public-key.pem -pubin

Where -encrypt selects encryption, -in dt.txt is the plaintext, -out dt.txt.enc is the encrypted output, -inkey public-key.pem is the public key used to encrypt, and -pubin tells openssl that the key file is an RSA public key rather than a private key. Add -oaep to use OAEP padding; the decrypting side must then pass -oaep too.

And you can decrypt the data with this command:

openssl rsautl -decrypt -in dt.txt.enc -out dt.txt -inkey private-key.pem

Where -decrypt selects decryption, -in dt.txt.enc is the ciphertext, -out dt.txt is the recovered plaintext, and -inkey private-key.pem is the private key (if the data was encrypted with -oaep, pass -oaep here as well).
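Because one RSA operation cannot encrypt more than a couple of hundred bytes, the way to asymmetrically protect an arbitrary file is to encrypt the file with AES under a random data key and RSA-encrypt only that key. The script below is an added example, not code from the original post: it uses pkeyutl with OAEP padding in place of rsautl, generates the key pair with the same genrsa and rsa commands as above, builds a 4000-byte constructed plaintext with openssl rand, and also shows pkeyutl refusing to encrypt that file directly. All file names and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: hybrid encryption of a file of any
# size. One RSA operation can only encrypt a payload smaller than the modulus
# (at most 245 bytes for a 2048-bit key with PKCS#1 v1.5 padding, 214 bytes
# with OAEP), so the file is encrypted with AES-256-CBC under a random data key
# and only that key is wrapped with the recipient's RSA public key. pkeyutl is
# used instead of rsautl (deprecated in OpenSSL 3.0) and OAEP instead of the
# PKCS#1 v1.5 default. Every file name below is an assumption for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Recipient: the same key pair as in the post.
openssl genrsa -out "$WORK/private-key.pem" 2048 2>/dev/null
openssl rsa -pubout -in "$WORK/private-key.pem" -out "$WORK/public-key.pem" 2>/dev/null

# Sender: a constructed 4000-byte plaintext, far beyond what RSA can encrypt directly.
openssl rand -out "$WORK/dt.txt" 4000

# Sender side: $1 plaintext, $2 recipient public key, $3 output prefix.
# Produces $3.enc (AES ciphertext) and $3.key.enc (RSA-OAEP wrapped data key).
encrypt_hybrid() {
    openssl rand -hex 32 > "$3.key"           # 256-bit data key, used as the enc password
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$3.key" -in "$1" -out "$3.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$3.key" -out "$3.key.enc"
    rm -f "$3.key"                            # only the wrapped copy leaves the sender
}

# Recipient side: $1 input prefix, $2 recipient private key, $3 plaintext output.
decrypt_hybrid() {
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$1.key.enc" -out "$1.key"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1.key" -in "$1.enc" -out "$3"
    rm -f "$1.key"
}

# Returns 0 when the file survives the encrypt/decrypt round trip byte for byte.
hybrid_roundtrip() {
    encrypt_hybrid "$WORK/dt.txt" "$WORK/public-key.pem" "$WORK/out"
    decrypt_hybrid "$WORK/out" "$WORK/private-key.pem" "$WORK/dt.dec"
    cmp -s "$WORK/dt.txt" "$WORK/dt.dec"
}

# Returns 0 when pkeyutl refuses to RSA-encrypt the 4000-byte file directly,
# which is why the data key is wrapped rather than the file itself.
rsa_direct_fails() {
    ! openssl pkeyutl -encrypt -pubin -inkey "$WORK/public-key.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/dt.txt" -out "$WORK/direct.enc" 2>/dev/null
}

hybrid_roundtrip && echo "hybrid round trip OK"
rsa_direct_fails && echo "direct RSA encryption of the 4000-byte file refused, as expected"
```

The sender ships dt.txt.enc together with out.key.enc; the data key is read from a file with -pass file: rather than passed with -K, so it never appears in the process list. The same pkeyutl -decrypt line, with -oaep, is what the rsautl -decrypt command above does for the wrapped key.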

How to use openssl to encrypt a file with a symmetric secret key:

With the following commands you are prompted for the password (the shared secret key). Rather than typing it, the password can be read from the first line of a protected file with -kfile (or -pass file:name); avoid -k or -pass pass: on the command line, which leave the password in the process list and the shell history. The password itself has to be exchanged out of band. Remember, the encrypted file is only as safe as the secret is truly secret.

Salting is on by default in current OpenSSL releases (the output starts with the 8-byte magic Salted__ followed by the 8-byte salt); do not pass -nosalt, since the salt is what protects against precomputed dictionary attacks. Also note that openssl enc offers no integrity protection: it does not support authenticated modes such as GCM, and a modified AES-CBC ciphertext can decrypt without any error into corrupted plaintext, so add a MAC over the ciphertext, or use a tool with authenticated encryption, when tampering matters.

openssl enc -aes256 -base64 -in dt.txt -out dt.txt.enc

Where enc is the symmetric cipher subcommand, -aes256 is the cipher (an alias for -aes-256-cbc), -base64 base64-encodes the output (without it the ciphertext is raw binary), -in dt.txt is the file to encrypt, and -out dt.txt.enc is the newly encrypted data file.

To decrypt the data:

openssl enc -d -aes256 -base64 -in dt.txt.enc -out dt.txt

Where enc -d selects decryption, -aes256 is the cipher (make sure to use the same cipher as when encrypting), -base64 decodes the base64 input (omit it if the ciphertext was not encoded), -in dt.txt.enc is the encrypted file, and -out dt.txt is the resulting plaintext file.

Encrypt with Password-Based Key Derivation Function 2 (pbkdf2):

OpenSSL 1.1.1 and later print a warning for the previous examples: *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. Without -pbkdf2, enc derives the key and IV from the password with the legacy EVP_BytesToKey scheme, a single digest pass (MD5 before OpenSSL 1.1.0, SHA-256 since) over password and salt, which is cheap for an attacker to brute-force. Simply put, Password-Based Key Derivation Function 2 supersedes PBKDF1, is specified in PKCS #5 (PKCS5, RFC 8018), and is the recommended way to derive a key from a password here.

Note that the only difference when using pbkdf2 is the corresponding flag; the other flags stay the same.

The default number of PBKDF2 iterations is 10,000, but this can be raised with the -iter flag (which implies -pbkdf2); the digest is SHA-256 unless changed with -md. For example, the 1Password service derives keys with 100,000 iterations. Neither the iteration count nor the digest is stored in the output file (only the salt is), so the decrypting side must supply the same values.

openssl enc -pbkdf2 -aes256 -base64 -in dt.txt -out dt.txt.enc

To decrypt the pbkdf2-encrypted data (if you used an iteration count other than the default, pass the same -iter value here, and likewise the same -md):

openssl enc -d -pbkdf2 -aes256 -base64 -in dt.txt.enc -out dt.txt
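The symmetric and pbkdf2 sections above describe flags; the script below, an added example and not code from the original post, runs them on a constructed file to show what the flags actually do to the bytes: the Salted__ header, that a mismatched -iter count derives a different key and does not give the plaintext back, and that a single flipped ciphertext byte still decrypts with exit status 0 because AES-CBC carries no integrity check. It then adds the encrypt-then-MAC step the caveat above calls for, using openssl dgst with HMAC-SHA256 and refusing to decrypt on a tag mismatch. The password, iteration count, MAC key handling and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. It shows, on a constructed file,
# three things about "openssl enc" that the flag descriptions alone do not:
# the "Salted__" header that carries the 8-byte salt, that a wrong -iter count
# derives a wrong key (iteration count and digest are not stored in the file),
# and that AES-CBC has no integrity check, so a modified ciphertext can still
# "decrypt" with exit status 0. An encrypt-then-MAC step with HMAC-SHA256
# closes that gap. File names, password and iteration count are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ITER=100000

printf 'constructed sample plaintext, long enough to span several AES blocks.\n' > "$WORK/dt.txt"
printf 'correct horse battery staple\n' > "$WORK/pass.txt"   # password file, never on argv

# -iter implies -pbkdf2; the salt is on by default (only -nosalt turns it off).
openssl enc -aes-256-cbc -iter "$ITER" -pass "file:$WORK/pass.txt" \
    -in "$WORK/dt.txt" -out "$WORK/dt.txt.enc"

# Prints the 8-byte magic; bytes 8..15 of the file are the random salt.
salted_header() { head -c 8 "$1"; }

# $1 ciphertext, $2 iteration count, $3 output; returns openssl's exit status.
decrypt_with_iter() {
    openssl enc -d -aes-256-cbc -iter "$2" -pass "file:$WORK/pass.txt" \
        -in "$1" -out "$3" 2>/dev/null
}

# Returns 0 when decrypting with the default 10000 iterations instead of $ITER
# does not give the plaintext back (padding check fails or the output is garbage).
wrong_iter_gives_garbage() {
    decrypt_with_iter "$WORK/dt.txt.enc" 10000 "$WORK/wrong.dec" || true
    ! cmp -s "$WORK/dt.txt" "$WORK/wrong.dec"
}

# Writes $1 to $2 with the byte at 0-based offset $3 XORed with 1.
flip_byte() {
    orig=$(head -c $(($3 + 1)) "$1" | tail -c 1 | od -An -tu1 | tr -d ' \n')
    { head -c "$3" "$1"; printf "\\$(printf '%03o' $((orig ^ 1)))"; tail -c +$(($3 + 2)) "$1"; } > "$2"
}

# Byte 16 is the first byte of the first cipher block, right after "Salted__" + salt.
flip_byte "$WORK/dt.txt.enc" "$WORK/tampered.enc" 16

# Returns 0 when the tampered ciphertext still decrypts with status 0 but yields
# a different plaintext: CBC alone cannot detect the change (the padding block
# is untouched, so openssl has nothing to complain about).
tamper_goes_undetected() {
    decrypt_with_iter "$WORK/tampered.enc" "$ITER" "$WORK/tampered.dec" \
        && ! cmp -s "$WORK/dt.txt" "$WORK/tampered.dec"
}

# Encrypt-then-MAC: tag the ciphertext with HMAC-SHA256 under a separate key and
# verify the tag before decrypting. The MAC key is generated here for the demo
# (assumption); in practice it is derived alongside the cipher key.
MACKEY=$(openssl rand -hex 32)

# Prints the hex HMAC-SHA256 of file $1 (last field of "HMAC-SHA256(file)= hex").
mac_of() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$MACKEY" "$1" | awk '{print $NF}'; }

# $1 ciphertext, $2 tag file, $3 output: refuses to decrypt when the tag differs.
# A shell string compare is not constant-time; fine for a stored file, but a
# service answering queries should use a constant-time comparison.
verify_then_decrypt() {
    [ "$(mac_of "$1")" = "$(cat "$2")" ] || { echo "MAC mismatch, refusing to decrypt $1" >&2; return 2; }
    decrypt_with_iter "$1" "$ITER" "$3"
}

mac_of "$WORK/dt.txt.enc" > "$WORK/dt.txt.enc.mac"

# Returns 0 when the intact file decrypts correctly and the tampered file is rejected.
mac_catches_tamper() {
    verify_then_decrypt "$WORK/dt.txt.enc" "$WORK/dt.txt.enc.mac" "$WORK/ok.dec" \
        && cmp -s "$WORK/dt.txt" "$WORK/ok.dec" \
        && ! verify_then_decrypt "$WORK/tampered.enc" "$WORK/dt.txt.enc.mac" "$WORK/rejected.dec"
}

echo "header: $(salted_header "$WORK/dt.txt.enc")"
wrong_iter_gives_garbage && echo "wrong -iter: plaintext not recovered"
tamper_goes_undetected && echo "flipped ciphertext byte: openssl exited 0, plaintext corrupted"
mac_catches_tamper && echo "HMAC check: intact file decrypted, tampered file refused"
```

The flipped byte sits in the first cipher block, so CBC decryption scrambles the first plaintext block and one byte of the second while the final padding block is intact; that is the case where openssl reports success on corrupted data. A flip in the last block would usually trip the padding check instead, which is an accident of layout and not an integrity guarantee.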

Conclusion

Hopefully, that provides useful examples for how to encrypt and decrypt data using openssl. Please leave comments with any questions, suggestions or improvements. See the official openssl docs for asymmetric encryption (rsautl, pkeyutl) and symmetric encryption (enc).
