openssl CLI basic

https://wiki.openssl.org/index.php/Command_Line_Utilities

Base64 Encoding Strings

For simple string encoding, you can use "here string" syntax with the base64 command as below. Intuitively, the -e flag specifies the action to be encoding.

$ openssl base64 -e <<< 'Welcome to openssl wiki'
V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK

Similarly, the base64 command's -d flag may be used to indicate decoding mode.

$ openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK'
Welcome to openssl wiki

Note: base64 line length is limited to 76 characters by default in openssl (and generated with 64 characters per line).

openssl base64 -e <<< 'Welcome to openssl wiki with a very long line that splits...'
V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRo
YXQgc3BsaXRzLi4uCg==
openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg=='

=> NOTHING!

To be able to decode a base64 line without line feeds that exceeds the default 76 character length restriction use the -A option.

openssl base64 -d -A <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg=='
Welcome to openssl wiki with a very long line that splits...

It is recommended to actually split base64 strings into multiple lines of 64 characters, however, since the -A option is buggy, particularly with its handling of long files.

Generating a File Hash

One of the most basic uses of the dgst command (short for digest) is viewing the hash of a given file. To do this, simply invoke the command with the specified digest algorithm to use. For this example, I will be hashing an arbitrary file on my system using the MD5, SHA1, and SHA384 algorithms.

$ openssl dgst -md5 primes.dat
MD5(primes.dat)= 7710839bb87d2c4c15a86c2b2c805664

$ openssl dgst -sha1 primes.dat
SHA1(primes.dat)= 5dfab70ce825591689f4a3f65910870a9022cd32

$ openssl dgst -sha384 primes.dat
SHA384(primes.dat)= 41399bdffe6850f5a44852d967f3db415654f20dc2eb6cd231772f6ea411876d85d44091ebbc6b1f4ce8673e64617271

For a list of the available digest algorithms, you can use the following command.

$ openssl list -digest-algorithms
RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-MDC2 => MDC2
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
...

You can also use a similar command to see the available digest commands:

$ openssl list -digest-commands
blake2b512        blake2s256        gost              md4               
md5               mdc2              rmd160            sha1              
sha224            sha256            sha3-224          sha3-256          
sha3-384          sha3-512          sha384            sha512            
sha512-224        sha512-256        shake128          shake256          
sm3      

Below are three sample invocations of the md5, sha1, and sha384 digest commands using the same file as the dgst command invocation above.

$ openssl md5 primes.dat
MD5(primes.dat)= 7710839bb87d2c4c15a86c2b2c805664

$ openssl sha1 primes.dat
SHA1(primes.dat)= 5dfab70ce825591689f4a3f65910870a9022cd32

$ openssl sha384 primes.dat
SHA384(primes.dat)= 41399bdffe6850f5a44852d967f3db415654f20dc2eb6cd231772f6ea411876d85d44091ebbc6b1f4ce8673e64617271

File Encryption and Decryption

The following example demonstrates a simple file encryption and decryption using the enc command.
The first argument is the cipher algorithm to use for encrypting the file.
For this example I carefully selected the AES-256 algorithm in CBC Mode by looking up the available ciphers and picking out the first one I saw.
To see the list of available ciphers, you can use the following command.

$ openssl enc -ciphers
Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb              
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
...

You can also use the following command:

$ openssl list -cipher-algorithms
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
id-aes128-CCM
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
...

Having selected an encryption algorithm,

you must then specify whether the action you are taking is either encryption or decryption via the -e or -d flags, respectively.

The -iter flag specifies the number of iterations on the password used for deriving the encryption key. A higher iteration count increases the time required to brute-force the resulting file. Using this option implies enabling use of the Password-Based Key Derivation Function 2, usually set using the -pbkdf2 flag. We then use the -salt flag to enable the use of a randomly generated salt in the key-derivation function.

Putting it all together, you can see the command to encrypt a file and the corresponding output below. Note that the passwords entered by the user are blank, just as they would usually be in a terminal session.

$ openssl enc -aes-256-cbc -e -iter 1000 -salt -in primes.dat -out primes.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

The analogous decryption command is as follows:

$ openssl enc -aes-256-cbc -d -iter 1000 -in primes.enc -out primes.dec
enter aes-256-cbc decryption password: