Encrypt and Decrypt Data on Linux Devices using OpenSSL

By | September 24, 2020

The total idea of encryption is simple to convert readable data into meaningless gibberish using unpredictable math algorithm. However encryption by itself is useless without decryption because the person for whom these data are intended must be able to read them. In other words he/she must be able to convert data back in readable format. Not to be confused with encryption and encoding. Encoding transforms data into not-readable format using well-known methods which are publicly available and it can easily be decoded back by everyone such as Quoted-Printable or Base64 encoding schemes. The simple example of file encryption and decryption using openssl on CentOS 8 is presented below:
Let us create short text file:

$ echo ‘Corona virus or Covid19 began in 2019’ > a.a
$ cat a.a
Corona virus or Covid19 began in 2019

Let us select some cipher algorithm for encrypting:

# openssl list -cipher-algorithms
RC5 => RC5-CBC
aes128 => AES-128-CBC
aes128-wrap => id-aes128-wrap
aes192 => AES-192-CBC
aes192-wrap => id-aes192-wrap
aes256 => AES-256-CBC
aes256-wrap => id-aes256-wrap
aria128 => ARIA-128-CBC
aria192 => ARIA-192-CBC
aria256 => ARIA-256-CBC

Encrypt a.a file ito a.enc using ARIA-256-ECB algorithm:

# openssl enc -ARIA-256-ECB -salt -in a.a -out a.enc
enter aria-256-ecb encryption password:
Verifying – enter aria-256-ecb encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

We got warning about deprecated key derivation, the last example below shows how to avoid this warning using pbkdf2 option.

Verifying how encrypted file a.enc look like:

# cat a.enc
▒▒B▒▒▒▒s▒▒i▒ +KY@▒▒Q▒h~

It is totally unreadible.
Delete a.a text file:

# rm a.a
rm: remove regular file ‘a.a’? y

and decrypt back a.enc file into a.a using the same cipher algorithm and password:

# openssl enc -ARIA-256-ECB -d -in a.enc -out a.a
enter aria-256-ecb decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

Verifying decryption result:

$ cat a.a
Corona virus or Covid19 began in 2019

During encryption and decryption openssl command presented several warning, with advice to use different option,. I did not investigate deeply those option I simply tried and they did not work for me. One observation, openssl command is very sensitive to the option you select and some of them may create errors during encryption and decryption processes.

Symmetric AES Encryption/Decryption with secret key

Create random 256 bit number in hex format. This number will be used as secret key for both encryption and decryption instead of password as in previous example:

# openssl rand -hex 32

Create file for encryption:

# echo “Text for AES encryption” > aes.txt
# cat aes.txt
Text for AES encryption

Encrypt aes.txt file using previously generated random key and aes-256-ecb cipher, save result in aes.enc file:

# openssl enc -aes-256-ecb -in aes.txt -K 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a > aes.enc

How encrypted aes.enc file looks like:

# cat aes.enc

Or in hex output:

# xxd aes.enc
00000000: c8bb bcfe f59b 3726 1c12 ec64 c5bd f5dd ……7&…d….
00000010: b2a5 1ef2 f51a 1e12 f8a2 5cc1 0ca9 525f ……….\…R_

Decrypting using the same symmetric 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a key, but aes.enc must be used as input file with -d (decrypt) option:

# openssl enc -aes-256-ecb -d -in aes.enc -K 113e04ee495cf718cdf3039376cd6f92d6cb64819e68c19dbe7e3abdfb19dd3a
Text for AES encryption

The same as the first example but with pbkdf2
pbkdf2 option is used to encrypt with Password-Based Key Derivation Function 2. It is the recommended for password hashing and avoid warning we had in the first example. Hashed password is a more secure way to store a password, because it is transformed it into data that cannot be converted back to the original password:

# openssl enc -aes-256-ecb -salt -in aes.txt -pbkdf2 -out aes1.enc
enter aes-256-ecb encryption password:
Verifying – enter aes-256-ecb encryption password:
# xxd aes1.enc
00000000: 5361 6c74 6564 5f5f 8fae 0364 8572 5596 Salted__…d.rU.
00000010: a140 9b1b 893d 60d6 b309 89ce b018 a645 .@…=`……..E
00000020: bbd2 cd2b 0bae 8c9c 828b fda6 f7de 47c4 …+……….G.
# openssl enc -aes-256-ecb -salt -in aes1.enc -pbkdf2 -d
enter aes-256-ecb decryption password:
Text for AES encryption

Leave a Reply

Your email address will not be published. Required fields are marked *