How to use openssl to encrypt a file with an asymmetric public key:
Use the -rsautl
option in openssl to encrypt a file using the RSA algorithm asymmetrically. When sharing a secret is not possible or less than ideal, asymmetric encryption is your best solution.
First, if you do not already have a private key, generate one:
openssl genrsa -out private-key.pem 2048
Next, extract your public key and send it to the person that will be encrypting data to send to you:
openssl rsa -pubout -in private-key.pem -out public-key.pem
The data will be encrypted with this command:
openssl rsautl -encrypt -in dt.txt -out dt.txt.enc -inkey public-key.pem -pubin
Where -encrypt
means encrypt, -in dt.txt
is the plain text, -out dt.txt.enc
is the encrypted data file, -inkey public-key.pem
is the public key being used to encrypt, and -pubin
means the input file in an RSA public key.
And you can decrypt the data with this command:
openssl rsautl -decrypt -in dt.txt.enc -out dt.txt -inkey private-key.pem
Where -decrypt
means decrypt, -in dt.txt.enc
is the encrypted cipher data, -out dt.txt
is the decrypted plain text data, and -inkey private-key.pem
is the private key.
How to use openssl to encrypt a file with a symmetric secret key:
When using the following commands, you will be prompted for the password (shared secret key). The shared key can live in a protected file -kfile
, or share by word of mouth. Remember, the encrypted file is only as safe as the secret is truly secret.
While not used in the provided examples, -salt
is recommended and will protect against dictionary attacks.
openssl enc -aes256 -base64 -in dt.txt -out dt.txt.enc
Where enc
means encrypt,-aes256
is the cipher (defaults to -aes-256-cbc
), -base64
encoded, -in dt.txt
is the file to encrypt, and -out dt.txt.enc
is the newly encrypted data file.
To decrypt the data:
openssl enc -d -aes256 -base64 -in dt.txt.enc -out dt.txt
Where enc -d
means decrypt, -aes256
is the cipher (make sure to use the same cipher as used when encrypting), -base64
if encoded, -in dt.txt.enc
is the encrypted file, and -out dt.txt
is the result plain text file.
Encrypt with Password-Based Key Derivation Function 2 (pbkdf2):
As you noticed in the previous example without pbkdf2, the key derivation was deprecated and it recommends to use -pbkdf2
for key derivation. Simply put, Password-Based Key Derivation Function 2 supersedes the same Function 1, is part of PKCS5 (PKCS #5, PKCS 5), and is the recommended practice for password hashing.
Note that the only difference when using pbkdf2 is the corresponding flag. Other flags stay the same.
The default number of PBKDF2 iterations is 10,000, but this can be changed to a higher number using the -iter
flag. For example, the 1Password service derives keys with 100,000 iterations.
openssl enc -pbkdf2 -aes256 -base64 -in dt.txt -out dt.txt.enc
To decrypt the pbkdf2 encrypted data (if using iterations other than the default make sure to include that with -iter
):
openssl enc -d -pbkdf2 -aes256 -base64 -in dt.txt.enc -out dt.txt
Conclusion
Hopefully, that provides useful examples for how to encrypt and decrypt data using openssl. Please leave comments with any questions or suggestions and improvements. See the official openssl docs for asymmetric encryption and symmetric encryption.
Leave a Reply