51

I have a 16-byte character string that I would like to encrypt using openssl into a 16-byte encrypted string.

This encrypted string (in human readable format) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with the openssl command line?

4
  • 1
    It is unlikely that encrypting from 16 bytes into 16 bytes will result in a human readable string. Commented Apr 11, 2012 at 15:01
  • 4
    +1 reopen. It is 100% obvious what is being asked here. I'll restate it though: how do you encrypt a string using the openssl command? It is not an obvious task, and the user provides the context of his request. Commented Aug 6, 2013 at 17:47
  • 2
    @G-Wiz: "how do you encrypt a string using the openssl command" - is that on-topic for Stack Overflow? It does not appear to be programming related. It sounds like a request for help on a command, which would be more appropriate for Super User. Commented Jul 31, 2014 at 18:41
  • 3
    @jww, I don't disagree with that. But then the question should be migrated, not closed. Commented Jul 31, 2014 at 18:46

5 Answers

34

Here's one way to encrypt a string with openssl on the command line (must enter password twice):

echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

Here's what the output looks like:

U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm

Edit: To my knowledge, you can't control the number of bytes out. You can b64 or hex encode it, but that's about it. Also, if you want to save that string to a file rather than stdout, use the -out option.


8 Comments

Thanks, but would there be any other way I can encrypt a 16 character string and generate a 16 character encrypted string in Linux using command line
Why must the output be exactly 16 bytes? Why does that matter?
Why do you use -aes-256-cbc instead of -aes-256? What is the difference?
this gives the warning "Using -iter or -pbkdf2 would be better.". What command should I use instead?
How would you decrypt the same?
17

Try this:

echo 'foo' | openssl aes-256-cbc -a -salt
echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt

Run

openssl list-cipher-commands 

to list all available ciphers.

Comments

12

I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]

I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of Format-Preserving Encryption. There's a lot to the paper, and it can't fit into a single paragraph on Stack Overflow.

If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you'd need a shorter string of length 12 characters to achieve 16 human readable characters.

As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):

$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password
cSTzU8+UPQQwpRAq

Also, you really need to understand the -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).

5 Comments

This exact command worked but showed me a warning: *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. so I added -pbkdf2 param and ran $ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -pbkdf2 -nopad -nosalt -k secret_password iN/tCC7mTw3AWPn2 to avoid this warning
-nopad doesn't affect the output, so: echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nosalt -pbkdf2 -k secret_password produces the same output as echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -pbkdf2 -k secret_password
and to decrypt it?
echo encrypted string and change -e flag to -d in piped openssl command
Adding -iter 10000 to both commands made the "deprecated key derivation" warning go away. I believe the encryption is also more secure. The 10000 can be made larger to increase security but may take more time. Couldn't get -pbkdf2 to work with my setup
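The length arithmetic in the answer above, plus the decrypt and key-derivation questions raised in the comments on the first answer, worked through as an added shell example (not from any of the answers): a 12-byte plaintext under AES-128-CTR with -nosalt and -pbkdf2 Base64-encodes to exactly 16 characters and round-trips, while the 16-byte AES-256-CBC case with a salt header and padding comes out at 64 characters. The password and plaintexts are constructed sample values.

```shell
#!/bin/sh
# Constructed sample password; -pbkdf2 replaces the deprecated key derivation
# that the comments warn about. -k takes the password on the command line.
PASS='secret_password'

# Encrypt with AES-128-CTR. CTR adds no padding and -nosalt omits the 16-byte
# "Salted__" header, so N plaintext bytes give N ciphertext bytes, which Base64
# expands 3 -> 4 (12 bytes -> 16 characters). printf avoids echo's newline.
# CTR gives confidentiality only: nothing here detects a modified token.
enc_ctr() {
    printf '%s' "$1" | openssl enc -e -aes-128-ctr -pbkdf2 -nosalt -base64 -k "$PASS"
}

# Decrypt: same options, -d instead of -e. Base64 input is read line by line,
# so the token is fed with a trailing newline.
dec_ctr() {
    printf '%s\n' "$1" | openssl enc -d -aes-128-ctr -pbkdf2 -nosalt -base64 -k "$PASS"
}

# The first answer's setup: AES-256-CBC, salted, Base64. A 16-byte plaintext
# becomes 16 (header) + 16 (data) + 16 (full PKCS#7 padding block) = 48 bytes,
# i.e. 64 Base64 characters, which is why its output cannot be 16 bytes long.
enc_cbc() {
    printf '%s' "$1" | openssl enc -e -aes-256-cbc -pbkdf2 -salt -base64 -k "$PASS"
}

# Character count of an encoded token, ignoring line breaks and wc padding.
token_len() {
    printf '%s' "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# Encrypt then decrypt, returning the recovered plaintext.
roundtrip_ctr() {
    dec_ctr "$(enc_ctr "$1")"
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_DEMO:-}" ]; then
    t=$(enc_ctr 'abcdefghijkl')
    echo "CTR token:  $t  ($(token_len "$t") chars)"
    echo "recovered:  $(roundtrip_ctr 'abcdefghijkl')"
    c=$(enc_cbc 'aaaabbbbccccdddd')
    echo "CBC token:  $c  ($(token_len "$c") chars)"
fi
```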
7

I had trouble getting it working using echo with -n. This worked for me:

To encrypt:

echo "PLAINTEXT_STRING" | openssl enc -aes256 -pbkdf2 -base64

you'll be prompted to provide a decryption password.

To decrypt:

echo "ENCRYPTED_STRING" | openssl aes-256-cbc -d -pbkdf2 -a

enter the decryption password to decrypt.

3 Comments

This will encrypt a string. But it won't meet the requirement from the OP of going from 16 bytes of plaintext to 16 bytes of encrypted text.
just a note. -a flag in decrypt is base64 encoding alias. better to tally both encrypt and decrypt as the same so not to confuse readers.
so would probably put it as follows with -d as decrypt flag echo "ENCRYPTED_STRING" | openssl enc -aes-256-cbc -pbkdf2 -base64 -d
3

try this

$ echo "a_byte_character" | openssl enc -base64

and you have 100+ Cipher Types

-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-gcm               -aes-128-ofb               -aes-128-xts              
-aes-192-cbc               -aes-192-cfb               -aes-192-cfb1             
-aes-192-cfb8              -aes-192-ctr               -aes-192-ecb              
-aes-192-gcm               -aes-192-ofb               -aes-256-cbc              
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8             
-aes-256-ctr               -aes-256-ecb               -aes-256-gcm              
-aes-256-ofb               -aes-256-xts               -aes128                   
-aes192                    -aes256                    -bf                       
-bf-cbc                    -bf-cfb                    -bf-ecb                   
-bf-ofb                    -blowfish                  -camellia-128-cbc         
-camellia-128-cfb          -camellia-128-cfb1         -camellia-128-cfb8        
-camellia-128-ecb          -camellia-128-ofb          -camellia-192-cbc         
-camellia-192-cfb          -camellia-192-cfb1         -camellia-192-cfb8        
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc         
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8        
-camellia-256-ecb          -camellia-256-ofb          -camellia128              
-camellia192               -camellia256               -cast                     
-cast-cbc                  -cast5-cbc                 -cast5-cfb                
-cast5-ecb                 -cast5-ofb                 -des                      
-des-cbc                   -des-cfb                   -des-cfb1                 
-des-cfb8                  -des-ecb                   -des-ede                  
-des-ede-cbc               -des-ede-cfb               -des-ede-ofb              
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb             
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ofb             
-des-ofb                   -des3                      -desx                     
-desx-cbc                  -id-aes128-GCM             -id-aes192-GCM            
-id-aes256-GCM             -rc2                       -rc2-40-cbc               
-rc2-64-cbc                -rc2-cbc                   -rc2-cfb                  
-rc2-ecb                   -rc2-ofb                   -rc4                      
-rc4-40                    -rc4-hmac-md5              -seed                     
-seed-cbc                  -seed-cfb                  -seed-ecb                 
-seed-ofb

2 Comments

Note that "Ciphers in XTS mode are not supported by the enc utility."
As Mr. Meyer said, it is a real pity, that the best ciphers, that do encryption AND authentication in the same run, like -aes-256-gcm, are not supported on the command line.
