OpenSSL Encrypt Decrypt

DIY Linux Encrypt / Decrypt:

OpenSSL Encrypt Decrypt0

DISCLAIMER: Uploading to a cloud storage system implies that you trust the maintainers of that system and everyone in-between to not mess with/read your data. If this is a concern for you, but you want to upload to Google Drive, anyway, please consider using some of the encryption methods mentioned here (or another Encrypt Decrypt method of your choosing): “OpenSSL Encrypt Decrypt”

1. Introduction

OpenSSL Encrypt Decrypt is powerful cryptography. Many us OpenSSL for creating RSA Private Keys or CSR (Certificate Signing Request). However,  OpenSSL Encrypt Decrypt is useful to benchmark your computer speed or can also encrypt files or messages? Follow tips on how to encrypt messages and files using OpenSSL Encrypt Decrypt.

2. Encrypt and Decrypt Messages:

OpenSSL Encrypt Decrypt1

First we can start by encrypting simple messages. The following command will encrypt a message “Base64 Encoding” using Base64 Encoding:

$ echo "Base64 Encoding" | openssl enc -base64

The output of the above command is an encrypted string containing encoded message “Base64 Encoding”. To decrypt encoded string back to its original message we need to reverse the order and attach -d option for decryption:

$ echo "V2VsY29tZSB0byBMaW51eENhcmVlci5jb20K" | openssl enc -base64 -d
Base64 Encoding

The above encryption is simple to use, however, it lacks an important feature of a password, which is used for encryption. For example, try to decrypt the following string with a password “pass“:


To do that use OpenSSL again with -d option and encoding method aes-256-cbc:

echo "U2FsdGVkX181xscMhkpIA6J0qd76N/nSjjTc9NrDUC0CBSLpZQxQ2Db7ipd7kexj" | openssl 
enc -aes-256-cbc -d -a

As you have probably already guessed, to create an encrypted message with a password as the one above you can use the following command:

 $ echo "OpenSSL" | openssl enc -aes-256-cbc -a enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

If you wish to store OpenSSL’s output to a file instead of STDOUT simply use STDOUT redirection “>”. When storing encrypted output to a file you can also omit -a option as you no longer need the output is ASCII text based:

$ echo "OpenSSL" | openssl enc -aes-256-cbc > openssl.dat
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ file openssl.dat 
openssl.dat: data

To decrypt the openssl.dat file back to its original message use:

$ openssl enc -aes-256-cbc -d -in openssl.dat 
enter aes-256-cbc decryption password:


3. Encrypt and Decrypt File

OpenSSL Encrypt Decrypt2 To encrypt files with OpenSSL is as simple as encrypting messages. The only difference is that instead of the echo command we use the -in option with the real file we would like to encrypt and -out option, which will instruct OpenSSL to store the encrypted file under a given name:

$ openssl enc -aes-256-cbc -in /etc/services -out services.dat

To decrypt back our services file use:

$ openssl enc -aes-256-cbc -d -in services.dat > services.txt
enter aes-256-cbc decryption password:


4. Encrypt and Decrypt Directory

In case that you needed to use OpenSSL to encrypt an entire directory you would, firs,t need to create gzip tarball and then encrypt the tarball with the above method or you can do both at the same time by using pipe:

# tar cz /etc | openssl enc -aes-256-cbc -out etc.tar.gz.dat
tar: Removing leading `/' from member names
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

To decrypt and extract the entire etc/ directory to you current working directory use:

# openssl enc -aes-256-cbc -d -in etc.tar.gz.dat | tar xz
enter aes-256-cbc decryption password:

The above method can be quite useful for automated encrypted backups.

5. Using Public and Private keys

OpenSSL Encrypt Decrypt4

In this section we will show how to encrypt and decrypt files using public and private keys. First we need to generate private and public keys. This can simply be done by:

$ openssl genrsa -out private_key.pem 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)

From the private key we can then generate public key:

$ openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
writing RSA key

At this point yo should have both private and public key available in your current working directory.

$ ls
private_key.pem  public_key.pem

Next, we create some sample file called encrypt.txt with any arbitrary text:

$ echo "Base64 Encoding" > encrypt.txt
$ cat encrypt.txt 
Base64 Encoding

Now we are ready to encrypt this file with public key:

$ openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat 
$ ls
encrypt.dat  encrypt.txt  private_key.pem  public_key.pem
$ file encrypt.dat 
encrypt.dat: data

As you can see our new encrypt.dat file is no longer text files. To decrypt this file we need to use private key:

$ openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out new_encrypt.txt 
$ cat new_encrypt.txt
Base64 Encoding

The above syntax is quite intuitive. As you can see we have decrypted a file encrypt.dat to its original form and save it as new_encrypt.txt. You can combine this syntax with encrypting directories example above to create automated encrypted backup script.

6. Conclusion

OpenSSL Encrypt Decrypt5What you have just read was a basic introduction to OpenSSL Encrypt Decrypt. When it comes to OpenSSL Encrypt Decrypt as an encryption toolkit it literally has no limit on what you can do. To see how to use different encoding methods see OpenSSL Encrypt Decrypt manual page: man

Tuesday-Oct-27th_2015 / Hit = 0

Leave a Reply

Your email address will not be published.