Linux: using openssl to encrypt and decrypt files and strings

If you need a way to simply encrypt and decrypt files or strings with a symmetric key (the same password for encryption and decryption), openssl provides this functionality.  Be sure to avoid weak ciphers such as 3DES, and use a salt together with PBKDF2 key derivation and a high iteration count, so that each password guess is expensive and brute force attacks are slowed down.

Here is a simple example of encrypting a string, and then restoring it.

# write encrypted to file
echo "this is my secret" | openssl enc -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass > mysecret.enc

# read encrypted file and decrypt
cat mysecret.enc | openssl enc -d -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass

You should avoid the 'pass:' form of the -pass option, which exposes the password on the command line (it is visible to other users via ps and may end up in shell history); I used it only to keep the example simple.  Without -pass, openssl prompts for the password interactively; the other forms let you supply it from an environment variable (env:NAME), a file descriptor (fd:NUMBER), a file (file:PATH), or standard input (stdin).

The same logic would apply to a binary file as shown below.

# write encrypted to file
cat mysecret.jpg | openssl enc -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass > mysecret.jpg.enc

# read encrypted file and decrypt
cat mysecret.jpg.enc | openssl enc -d -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass > myunencrypted.jpg

And if you need to work with ASCII text (friendly to copy-paste) instead of the encrypted binary, you can always wrap it with Base64 encoding.  Here is the first example again, but this time with a Base64 wrapper.

# write encrypted to file as base64
echo "this is my secret" | openssl enc -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass | base64 | tee mysecret.encb64

# decode base64 then decrypt
cat mysecret.encb64 | base64 --decode | openssl enc -d -aes-256-cbc -pbkdf2 -iter 1234567 -salt -pass pass:mypass
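As an added example (not code from the original post), the commands above are wrapped in small shell functions that take the password from the environment via -pass env: instead of placing it on the command line, cover both the string/Base64 case and the binary file case, and include a check that the wrong password does not reproduce the plaintext.  It assumes an OpenSSL 1.1.1 or newer binary in PATH (needed for -pbkdf2); all function and variable names (ENC_PASSPHRASE, ENC_ITER, enc_encrypt, and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the post's openssl enc commands
# wrapped in functions so the passphrase never appears on the command line.
# Assumes OpenSSL 1.1.1 or newer in PATH (for -pbkdf2). All names are this
# example's own.
set -eu

# The passphrase is read from the environment (-pass env:NAME), so it does not
# show up in `ps` output or shell history the way -pass pass:... does.
# The iteration count defaults to the value used in the post.
: "${ENC_ITER:=1234567}"

# Encrypt stdin to stdout: AES-256-CBC, salted, PBKDF2 key derivation.
enc_encrypt() {
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ENC_ITER" -salt -pass env:ENC_PASSPHRASE
}

# Decrypt stdin to stdout with the same parameters (the salt is read from the
# ciphertext header, so -salt is not needed here).
enc_decrypt() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ENC_ITER" -pass env:ENC_PASSPHRASE
}

# Same, but using openssl's own -a (Base64) armoring instead of a separate
# `base64` pipe, for copy-paste friendly output.
enc_encrypt_b64() {
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ENC_ITER" -salt -a -pass env:ENC_PASSPHRASE
}

enc_decrypt_b64() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ENC_ITER" -a -pass env:ENC_PASSPHRASE
}

# Round-trip a string through encrypt -> file -> decrypt.
# Returns 0 if the plaintext came back intact, 1 otherwise.
enc_roundtrip_check() {
  plaintext=$1
  tmp=$(mktemp)
  printf '%s' "$plaintext" | enc_encrypt_b64 > "$tmp"
  result=$(enc_decrypt_b64 < "$tmp")
  rm -f "$tmp"
  [ "$result" = "$plaintext" ]
}

# Binary round trip: encrypt a file, decrypt it, compare SHA-256 digests
# (openssl dgst is used so no extra tools beyond openssl are required).
enc_file_roundtrip_check() {
  src=$1
  encf=$(mktemp)
  outf=$(mktemp)
  enc_encrypt < "$src" > "$encf"
  enc_decrypt < "$encf" > "$outf"
  status=0
  [ "$(openssl dgst -sha256 < "$src")" = "$(openssl dgst -sha256 < "$outf")" ] || status=1
  rm -f "$encf" "$outf"
  return "$status"
}

# Decrypting with the wrong passphrase must not yield the original text.
# CBC mode is unauthenticated: openssl usually reports "bad decrypt" because
# the PKCS#7 padding check fails, but about 1 time in 256 the padding happens
# to validate and garbage is emitted with exit status 0 instead of an error.
# The check is therefore "output differs from plaintext", not "openssl failed".
enc_wrong_passphrase_check() {
  plaintext='this is my secret'
  tmp=$(mktemp)
  printf '%s' "$plaintext" | enc_encrypt_b64 > "$tmp"
  result=$( (ENC_PASSPHRASE=not-the-passphrase; export ENC_PASSPHRASE; \
             enc_decrypt_b64 < "$tmp" 2>/dev/null) || true)
  rm -f "$tmp"
  [ "$result" != "$plaintext" ]
}

# Stand-alone demo:  ENC_DEMO=1 ENC_PASSPHRASE='...' sh this_script.sh
if [ "${ENC_DEMO:-0}" = 1 ]; then
  enc_roundtrip_check 'this is my secret' && echo 'string round trip OK'
  enc_wrong_passphrase_check && echo 'wrong passphrase did not reproduce plaintext'
fi
```

The env: form is convenient for scripts; for interactive use, leaving -pass off (so openssl prompts) or passing a descriptor opened on a mode 0600 file (-pass fd:3 with 3< /path/to/passfile) keeps the password out of the process list as well.  Note that openssl enc provides confidentiality only: there is no integrity tag, so a modified ciphertext is not reliably detected, which is why the wrong-passphrase check above compares output rather than trusting the exit status.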


REFERENCES

stackoverflow, use of openssl for encryption/decryption also shows gpg usage

wikipedia, PBKDF2 purpose

1password.com, use of PBKDF2 and costs associated with higher values