The basic idea of encryption is simple: convert readable data into meaningless gibberish using an unpredictable mathematical algorithm. However, encryption by itself is useless without decryption, because the person for whom the data is intended must be able to read it. In other words, he or she must be able to convert the data back into a readable format. Encryption should not be confused with encoding. Encoding transforms data into a non-readable format using well-known, publicly available methods, such as the Quoted-Printable or Base64 encoding schemes, and anyone can easily decode it. A simple example of file encryption and decryption using openssl on CentOS 8 is presented below:
Let us create a short text file:
    $ echo 'Corona virus or Covid19 began in 2019' > a.a
    $ cat a.a
    Corona virus or Covid19 began in 2019
Let us select a cipher algorithm for encryption:
    # openssl list -cipher-algorithms
    RC5 => RC5-CBC
    AES-128-CBC
    AES-128-CBC-HMAC-SHA1
    AES-128-CBC-HMAC-SHA256
    ….
    AES-256-CFB
    AES-256-CFB1
    AES-256-CFB8
    AES-256-CTR
    AES-256-ECB
    id-aes256-GCM
    AES-256-OCB
    AES-256-OFB
    AES-256-XTS
    aes128 => AES-128-CBC
    aes128-wrap => id-aes128-wrap
    aes192 => AES-192-CBC
    aes192-wrap => id-aes192-wrap
    aes256 => AES-256-CBC
    aes256-wrap => id-aes256-wrap
    ARIA-128-CBC
    ARIA-128-CCM
    ARIA-128-CFB
    ARIA-128-CFB1
    ……
    ARIA-256-CBC
    ARIA-256-CCM
    ARIA-256-CFB
    ARIA-256-CFB1
    ARIA-256-CFB8
    ARIA-256-CTR
    ARIA-256-ECB
    ARIA-256-GCM
    ARIA-256-OFB
    aria128 => ARIA-128-CBC
    aria192 => ARIA-192-CBC
    aria256 => ARIA-256-CBC
    ….
    CAMELLIA-128-CBC
    CAMELLIA-128-CFB
    ……
Encrypt the a.a file into a.enc using the ARIA-256-ECB algorithm:
    # openssl enc -ARIA-256-ECB -salt -in a.a -out a.enc
    enter aria-256-ecb encryption password:
    Verifying - enter aria-256-ecb encryption password:
    *** WARNING : deprecated key derivation used.
    Using -iter or -pbkdf2 would be better.
We got a warning about deprecated key derivation; the last example below shows how to avoid this warning using the -pbkdf2 option.
Check what the encrypted file a.enc looks like:
    # cat a.enc
    Salted__H▒>`0k▒o▒▒▒▒ ▒▒B▒▒▒▒s▒▒i▒ +KY@▒▒Q▒h~
It is totally unreadable.
Delete the a.a text file:
    # rm a.a
    rm: remove regular file ‘a.a’? y
and decrypt the a.enc file back into a.a using the same cipher algorithm and password:
    # openssl enc -ARIA-256-ECB -d -in a.enc -out a.a
    enter aria-256-ecb decryption password:
    *** WARNING : deprecated key derivation used.
    Using -iter or -pbkdf2 would be better.
Verify the decryption result:
    $ cat a.a
    Corona virus or Covid19 began in 2019
During encryption and decryption the openssl command presented several warnings, with advice to use different options. I did not investigate those options deeply; I simply tried them and they did not work for me. One observation: the openssl command is very sensitive to the options you select, and some of them may create errors during the encryption and decryption processes.
Symmetric AES Encryption/Decryption with secret key
Create a random 256-bit number in hex format. This number will be used as the secret key for both encryption and decryption, instead of a password as in the previous example:
    # openssl rand -hex 32
    113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a
Create a file for encryption:
    # echo "Text for AES encryption" > aes.txt
    # cat aes.txt
    Text for AES encryption
Encrypt the aes.txt file using the previously generated random key and the aes-256-ecb cipher, saving the result in the aes.enc file:
    # openssl enc -aes-256-ecb -in aes.txt -K 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a > aes.enc
What the encrypted aes.enc file looks like:
    # cat aes.enc
    Ȼ????7&?dŽ?ݲ?????\?
Or in hex output:
    # xxd aes.enc
    00000000: c8bb bcfe f59b 3726 1c12 ec64 c5bd f5dd  ......7&...d....
    00000010: b2a5 1ef2 f51a 1e12 f8a2 5cc1 0ca9 525f  ..........\...R_
Decrypt using the same symmetric key, 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a, but with aes.enc as the input file and the -d (decrypt) option:
    # openssl enc -aes-256-ecb -d -in aes.enc -K 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a
    Text for AES encryption
The same as the first example but with pbkdf2
The -pbkdf2 option derives the encryption key from the password using Password-Based Key Derivation Function 2 (PBKDF2). It is recommended for password hashing and avoids the warning we had in the first example. A hashed password is a more secure way to store a password, because it is transformed into data that cannot be converted back to the original password:
    # openssl enc -aes-256-ecb -salt -in aes.txt -pbkdf2 -out aes1.enc
    enter aes-256-ecb encryption password:
    Verifying - enter aes-256-ecb encryption password:
    # xxd aes1.enc
    00000000: 5361 6c74 6564 5f5f 8fae 0364 8572 5596  Salted__...d.rU.
    00000010: a140 9b1b 893d 60d6 b309 89ce b018 a645  .@...=`........E
    00000020: bbd2 cd2b 0bae 8c9c 828b fda6 f7de 47c4  ...+..........G.
    # openssl enc -aes-256-ecb -salt -in aes1.enc -pbkdf2 -d
    enter aes-256-ecb decryption password:
    Text for AES encryption
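What the Salted__ header in the aes1.enc dump contains, and how the key derivation behind the deprecation warning differs from the one -pbkdf2 selects, as an added Python example that is not part of the original article. It assumes the OpenSSL 1.1.1 defaults (SHA-256 digest, 10000 PBKDF2 iterations); the function names and the sample password are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"

# Bytes of aes1.enc, copied from the xxd dump in the article.
AES1_ENC = bytes.fromhex(
    "53616c7465645f5f8fae036485725596"
    "a1409b1b893d60d6b30989ceb018a645"
    "bbd2cd2b0bae8c9c828bfda6f7de47c4"
)

def parse_salted(blob):
    """Split an `openssl enc -salt` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header")
    return blob[8:16], blob[16:]

def legacy_key(password, salt, key_len=32):
    """Deprecated derivation (no -pbkdf2): EVP_BytesToKey with one hash round.

    Assumption: SHA-256 digest. ECB takes no IV, so only the key is derived.
    """
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.sha256(block + password + salt).digest()
        out += block
    return out[:key_len]

def pbkdf2_key(password, salt, iterations=10000, key_len=32):
    """Derivation with -pbkdf2: PBKDF2-HMAC-SHA256 (assumed defaults)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)

def describe(blob, password):
    """Report the salt, the number of 16-byte blocks and both candidate keys."""
    salt, ciphertext = parse_salted(blob)
    return {
        "salt": salt.hex(),
        "ciphertext_blocks": len(ciphertext) // 16,
        "legacy_key": legacy_key(password, salt).hex(),
        "pbkdf2_key": pbkdf2_key(password, salt).hex(),
    }

if __name__ == "__main__":
    # Constructed sample password; the article does not give the real one.
    for name, value in describe(AES1_ENC, b"example-password").items():
        print(f"{name}: {value}")
```

The salt is stored in the clear in the file, so the only secret is the password; with the legacy derivation each password guess costs a single SHA-256 call, while -pbkdf2 makes each guess cost 10000 HMAC iterations.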