How To Encrypt Files With OpenSSL

Learning how to encrypt files is extremely useful in today’s world. In addition to encrypting files, you can also password protect your files with OpenSSL. By encrypting files, no one would be able to read or open your files without first decrypting them. OpenSSL allows you to use excellent encryption on your files, and if you use it correctly, even if someone does intercept some of your data or hack your computer, it might not be worth it for them to decrypt the data due to the huge amount of time and computing power required to do so. In some cases, it might take a supercomputer years to decrypt a well encrypted file, or it may even be essentially impossible due to how much time it would take to do so. Banks, corporations, and governments around the world use encryption, and it is a very good practice to do so to protect yourself and your essential data.

(Note that OpenSSL is the name of the tool but the actual command is called openssl. It is case sensitive.)

Installation of OpenSSL

Linux Users

Almost all modern Linux distros come with OpenSSL installed with them. But just in case, check to make sure it is installed. If it isn’t, you can install it in Ubuntu or Debian by doing:

sudo apt-get install openssl

Windows and Mac OS X users

For Windows and Mac OS X users, you can download OpenSSL here:

Here is how you encrypt files with OpenSSL

Step 1: Encrypting your file

First, let’s assume that your file is located in ~/ (or choose another location of your choice). Open up a terminal and navigate to where the file is. Assuming it is in ~/
type:

cd ~/

First, check your version of OpenSSL. Things changed a little from version 1.1.0 to version 1.1.1, and I will give instructions on how to do this for the newer version and the older version
Type the following command in a terminal.

openssl version
I got the following output:

OpenSSL 1.1.1f 31 Mar 2020

Your output should look similar. That command should give you the version number and date of the
version of OpenSSL that you are using.

Next, I describe how to encrypt a file with OpenSSL for versions 1.1.1 and later, and versions 1.1.0 and before. The commands I use are similar, but there are some differences. Just find your version of OpenSSL, and read the section on your version of OpenSSL. You can ignore the other one.

Encrypting / Decrypting files with OpenSSL versions 1.1.1 and after

Let’s say that your file is called file1. And assume that you want to call the encrypted version of the file, file1_encrypted. (Adjust for what your actual file is called and what you want the output file to be called). The full command would be:
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -in file1 -out file1_encrypted

And to decrypt the encrypted file and get back your original unencrypted file, you can do the following:
openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 100000 -salt -in file1_encrypted -out file1

Now I will explain what each part of the encrypt command means:
openssl is the actual command.

enc means encoding with a cipher.

-aes-256-cbc means using the AES-256 CBC cipher-md sha512 is optional. It is the faster variant of SHA-2 functions family compared to SHA-256
-pbkdf2 stands for Password-Based Key Derivation Function 2, which is another way to reduce vulnerability of brute-force attacks.

-iter some_number tells the command to use that number of iterations on the password in deriving the encryption key. Generally, the higher the value after iter, the better in terms of security, but also the longer it may take to compute.

The purpose of -salt is to prevent precomputation attacks (dictionary attacks), such as using rainbow tables.

After typing the encrypt command, you will be prompted to enter a password twice. Generally the longer and more complex the password, the better.

The only difference between the encrypt and decrypt commands above, besides the names of the input and output files, is that the addition of -d for decrypt, in the decrypt command.

Encrypting / Decrypting files with OpenSSL versions 1.1.0 and before

Let’s say that your file is called file1. And assume that you want to call the encrypted version of the file, file1_encrypted. (Adjust for what your actual file is called and what you want the output file to be called). The full command would be:

openssl enc -aes-256-cbc -e -in file1 -out file1_encrypted

Now I will walk through what each part of that command means.
openssl is the actual command.
enc means encoding with a cipher.
-aes-256-cbc is an option we give it.
aes-256-cbc is a common and secure cipher. We are telling it we want to use the cipher aes-256-cbc. To learn more about ciphers go here.

The -e option tells openssl that you want to encrypt. The -in option means the input file you are giving openssl to encrypt. -out means the output file you want created after your input file is encrypted.
Once you do the command:

You will be asked twice to enter in a password. First it will say:
enter aes-256-cbc encryption password:
The second time it will say:
Verifying – enter aes-256-cbc encryption password

As for what you should choose as a password, the longer and more complex the password, the better. Assuming you navigated to where your file is and you entered the command as I described, you should now have an encrypted file called file1_encrypted (or whatever you chose to name it).

Step 2: Decrypt your encrypted file

Now, just to make sure you encrypted your file correctly, we want to copy that file to /tmp/ (or a different folder of your choice)
Do:

cp file1_encrypted /tmp

then go into /tmp  by doing:

cd /tmp/

Now we will decrypt the encrypted file
The decrypting command is almost identical to the encrypting command except for a few small differences. We substitute -d (-d means decrypt) for -e and your input file is now file1_encrypted and your output file is file1. Here is the command for decrypting that file:

openssl enc -aes-256-cbc -d -in file1_encrypted -out file1

Once you type in that command, you will get a message saying:
enter aes-256-cbc decryption password:
Enter your password that you chose for encrypting the file

If you don’t get a message that says something like bad decrypt it should have decrypted correctly.

But, if you get a message saying “bad decrypt” followed by a longer message, you either typed in the wrong password or you made a mistake with the command.

Step 3: Check to make sure the decrypted file and your original file are the same

Now, you are still in /tmp/ (or wherever you chose to copy your encrypted file). Let’s assume you chose to have your original file in ~/
Check to make sure that the decrypted file and your original file are the same by doing

diff file1 ~/file1/

I use this command all the time to encrypt my files. While I also use other security measures like using HTTPS, VPNs and Tor, I have piece of mind that even if someone intercepts my data, they won’t be able to read it. What did you think of this article? Let’s discuss this topic in the comments below.