Learning how to encrypt files is extremely useful in today’s world. In addition to encrypting files, you can also password protect your files with OpenSSL. By encrypting files, no one would be able to read or open your files without first decrypting them. OpenSSL allows you to use excellent encryption on your files, and if you use it correctly, even if someone does intercept some of your data or hack your computer, it might not be worth it for them to decrypt the data due to the huge amount of time and computing power required to do so. In some cases, it might take a supercomputer years to decrypt a well encrypted file, or it may even be essentially impossible due to how much time it would take to do so. Banks, corporations, and governments around the world use encryption, and it is a very good practice to do so to protect yourself and your essential data.
(Note that OpenSSL is the name of the tool but the actual command is called openssl. It is case sensitive.)
Installation of OpenSSL
Linux Users
Almost all modern Linux distros come with OpenSSL installed with them. But just in case, check to make sure it is installed. If it isn’t, you can install it in Ubuntu or Debian by doing:
sudo apt-get install openssl
Windows and Mac OS X users
For Windows and Mac OS X users, you can download OpenSSL here:
Here is how you encrypt files with OpenSSL
Step 1: Encrypting your file
First, let’s assume that your file is located in ~/ (or choose another location of your choice). Open up a terminal and navigate to where the file is. Assuming it is in ~/
type:
cd ~/
First, check your version of OpenSSL. Things changed a little from version 1.1.0 to version 1.1.1, and I will give instructions on how to do this for the newer version and the older version
Type the following command in a terminal.
openssl version
I got the following output:
OpenSSL 1.1.1f 31 Mar 2020
Your output should look similar. That command should give you the version number and date of the
version of OpenSSL that you are using.
Next, I describe how to encrypt a file with OpenSSL for versions 1.1.1 and later, and versions 1.1.0 and before. The commands I use are similar, but there are some differences. Just find your version of OpenSSL, and read the section on your version of OpenSSL. You can ignore the other one.
Encrypting / Decrypting files with OpenSSL versions 1.1.1 and after
Let’s say that your file is called file1. And assume that you want to call the encrypted version of the file, file1_encrypted. (Adjust for what your actual file is called and what you want the output file to be called). The full command would be:
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -in file1 -out file1_encrypted
And to decrypt the encrypted file and get back your original unencrypted file, you can do the following:
openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 100000 -salt -in file1_encrypted -out file1
Now I will explain what each part of the encrypt command means:
openssl is the actual command.
enc means encoding with a cipher.
-aes-256-cbc means using the AES-256 CBC cipher-md sha512 is optional. It is the faster variant of SHA-2 functions family compared to SHA-256
-pbkdf2 stands for Password-Based Key Derivation Function 2, which is another way to reduce vulnerability of brute-force attacks.
-iter some_number tells the command to use that number of iterations on the password in deriving the encryption key. Generally, the higher the value after iter, the better in terms of security, but also the longer it may take to compute.
The purpose of -salt is to prevent precomputation attacks (dictionary attacks), such as using rainbow tables.
After typing the encrypt command, you will be prompted to enter a password twice. Generally the longer and more complex the password, the better.
The only difference between the encrypt and decrypt commands above, besides the names of the input and output files, is that the addition of -d for decrypt, in the decrypt command.
Encrypting / Decrypting files with OpenSSL versions 1.1.0 and before
Let’s say that your file is called file1. And assume that you want to call the encrypted version of the file, file1_encrypted. (Adjust for what your actual file is called and what you want the output file to be called). The full command would be:
openssl enc -aes-256-cbc -e -in file1 -out file1_encrypted
Now I will walk through what each part of that command means.
openssl is the actual command.
enc means encoding with a cipher.
-aes-256-cbc is an option we give it.
aes-256-cbc is a common and secure cipher. We are telling it we want to use the cipher aes-256-cbc. To learn more about ciphers go here.
The -e option tells openssl that you want to encrypt. The -in option means the input file you are giving openssl to encrypt. -out means the output file you want created after your input file is encrypted.
Once you do the command:
You will be asked twice to enter in a password. First it will say:
enter aes-256-cbc encryption password:
The second time it will say:
Verifying – enter aes-256-cbc encryption password
As for what you should choose as a password, the longer and more complex the password, the better. Assuming you navigated to where your file is and you entered the command as I described, you should now have an encrypted file called file1_encrypted (or whatever you chose to name it).
Step 2: Decrypt your encrypted file
Now, just to make sure you encrypted your file correctly, we want to copy that file to /tmp/ (or a different folder of your choice)
Do:
cp file1_encrypted /tmp
then go into /tmp by doing:
cd /tmp/
Now we will decrypt the encrypted file
The decrypting command is almost identical to the encrypting command except for a few small differences. We substitute -d (-d means decrypt) for -e and your input file is now file1_encrypted and your output file is file1. Here is the command for decrypting that file:
openssl enc -aes-256-cbc -d -in file1_encrypted -out file1
Once you type in that command, you will get a message saying:
enter aes-256-cbc decryption password:
Enter your password that you chose for encrypting the file
If you don’t get a message that says something like bad decrypt it should have decrypted correctly.
But, if you get a message saying “bad decrypt” followed by a longer message, you either typed in the wrong password or you made a mistake with the command.
Step 3: Check to make sure the decrypted file and your original file are the same
Now, you are still in /tmp/ (or wherever you chose to copy your encrypted file). Let’s assume you chose to have your original file in ~/
Check to make sure that the decrypted file and your original file are the same by doing
diff file1 ~/file1/
I use this command all the time to encrypt my files. While I also use other security measures like using HTTPS, VPNs and Tor, I have piece of mind that even if someone intercepts my data, they won’t be able to read it. What did you think of this article? Let’s discuss this topic in the comments below.
This is not working: openssl enc -aes-256-cbc -e -in file1 -out file1_encrypted
Shows:
Verifying – enter aes-256-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
OpenSSL changed a bit from version 1.1.0 to version 1.1.1. The commands I had in this article worked well before the update.
This warning is one of the changes. You probably can ignore the warning. But, to be very sure it is super secure, for encrypting a file you can modify the openssl command as follows:
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -in file1 -out file1_encrypted
And to decrypt the file, you can have a line like the following.
openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 100000 -salt -in file1_encrypted -out file1
-aes-256-cbc means using the AES-256 CBC cipher
-md sha512 is optional. It is the faster variant of SHA-2 functions family compared to SHA-256
-pbkdf2 stands for Password-Based Key Derivation Function 2, which is another way to reduce vulnerability of brute-force attacks.
-iter some_number tells the command to use that number of iterations on the password in deriving the encryption key. Generally, the higher the value after iter, the better in terms of security, but also the longer it may take to compute.
The purpose of -salt is to prevent precomputation attacks (dictionary attacks), such as using rainbow tables.
The only difference between the encrypt and decrypt commands, besides the names of the input and output files, is that the addition of -d for decrypt, in the decrypt command.
I’ll update this article soon, with this updated information.
Thanks for the comment.
I got some info to write this comment in the following link:
https://askubuntu.com/questions/1093591/how-should-i-change-encryption-according-to-warning-deprecated-key-derivat