Rietta.com Security logo
You are reading The Rietta Blog, a publication about the web since 2005.

OpenSSL: Encrypt a File With a Password From the Command Line

This post is part of our ongoing Encryption Series that provides in-depth coverage of OpenSSL. To learn more about encryption key generation, management, and use please see the posts in the Encryption category. Our tips and tricks are immediately applicable with examples that you can use right away. If you like this article, you may be interested in the Raspberry Pi crypto key management project as well as Rietta’s Application Security Learning Center, our catalog of video resources on how to succeed with web application security.

Do you know how to use OpenSSL to protect sensitive information in storage instead of just in transit across the network? In fact, your can use the OpenSSL command line too to encrypt a file on your Mac OS X, Linux, or FreeBSD based computer. Support for the library are included by default in PHP and Ruby. So there is no reason not to use it to add additional security to your web applications.

Encrypting a File from the Command Line

In terminal, suppose you wanted to encrypt a file with a password (symmetric key encryption).

To do this using the OpenSSL command line tool, you could run this:

openssl aes-128-cbc -in Archive.zip -out Archive.zip.aes128

To decrypt it (notice the addition of the -d flag that triggers a decrypt instead of an encrypt action):

openssl aes-128-cbc -d -in Archive.zip.aes128 -out Archive.zip

This example uses the Advanced Encryption Standard (AES) cipher in cipher-block chaining mode. The file is very strongly encrypted for normal purposes assuming that you picked a good passphrase.

According to Bruce Schneier, “…for new applications I suggest that people don’t use AES-256. AES-128 provides more than enough security margin for the foreseeable future. But if you’re already using AES-256, there’s no reason to change” (Another New AES Attack, July 30, 2009).

Built into Ruby and PHP

The OpenSSL library is a very standardized open source security library. It’s built into the majority of platforms, including Mac OS X, Linux, FreeBSD, iOS, and Android. Compatible SSL libraries are also built into Java and even the Microsoft platforms.

In future articles, we will explore the usage of OpenSSL for encryption and verification in website projects. In the mean time, check out these API references for both PHP and Ruby.

Impressive Array of Options

On my Mac OS X system, the default openssl install supports and impressive set of 49 algorithms to choose from.

  • aes-128-cbc
  • aes-128-ecb
  • aes-192-cbc
  • aes-192-ecb
  • aes-256-cbc
  • aes-256-ecb
  • base64
  • bf
  • bf-cbc
  • bf-cfb
  • bf-ecb
  • bf-ofb
  • camellia-128-cbc
  • camellia-128-ecb
  • camellia-192-cbc
  • camellia-192-ecb
  • camellia-256-cbc
  • camellia-256-ecb
  • cast
  • cast-cbc
  • cast5-cbc
  • cast5-cfb
  • cast5-ecb
  • cast5-ofb
  • des
  • des-cbc
  • des-cfb
  • des-ecb
  • des-ede
  • des-ede-cbc
  • des-ede-cfb
  • des-ede-ofb
  • des-ede3
  • des-ede3-cbc
  • des-ede3-cfb
  • des-ede3-ofb
  • des-ofb
  • des3
  • desx
  • idea
  • idea-cbc
  • idea-cfb
  • idea-ecb
  • idea-ofb
  • rc2
  • rc2-40-cbc
  • rc2-64-cbc
  • rc2-cbc
  • rc2-cfb
  • rc2-ecb
  • rc2-ofb
  • rc4
  • rc4-40
  • seed
  • seed-cbc
  • seed-cfb
  • seed-ecb
  • seed-ofb
  • zlib

This truly is the swiss army knife of encryption tools. You should use it too.

About Frank Rietta

Frank Rietta's photo

Frank Rietta is a web application security architect, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He speaks about security topics and was a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.

If there is a topic you would like us to cover,