1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=head1 NAME 5 6openssl-enc - symmetric cipher routines 7 8=head1 SYNOPSIS 9 10B<openssl> B<enc>|I<cipher> 11[B<-I<cipher>>] 12[B<-help>] 13[B<-list>] 14[B<-ciphers>] 15[B<-in> I<filename>] 16[B<-out> I<filename>] 17[B<-pass> I<arg>] 18[B<-e>] 19[B<-d>] 20[B<-a>] 21[B<-base64>] 22[B<-A>] 23[B<-k> I<password>] 24[B<-kfile> I<filename>] 25[B<-K> I<key>] 26[B<-iv> I<IV>] 27[B<-S> I<salt>] 28[B<-salt>] 29[B<-nosalt>] 30[B<-z>] 31[B<-md> I<digest>] 32[B<-iter> I<count>] 33[B<-pbkdf2>] 34[B<-saltlen> I<size>] 35[B<-p>] 36[B<-P>] 37[B<-bufsize> I<number>] 38[B<-nopad>] 39[B<-v>] 40[B<-debug>] 41[B<-none>] 42{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} 43{- $OpenSSL::safe::opt_provider_synopsis -} 44 45B<openssl> I<cipher> [B<...>] 46 47=head1 DESCRIPTION 48 49The symmetric cipher commands allow data to be encrypted or decrypted 50using various block and stream ciphers using keys based on passwords 51or explicitly provided. Base64 encoding or decoding can also be performed 52either by itself or in addition to the encryption or decryption. 53 54=head1 OPTIONS 55 56=over 4 57 58=item B<-I<cipher>> 59 60The cipher to use. 61 62=item B<-help> 63 64Print out a usage message. 65 66=item B<-list> 67 68List all supported ciphers. 69 70=item B<-ciphers> 71 72Alias of -list to display all supported ciphers. 73 74=item B<-in> I<filename> 75 76The input filename, standard input by default. 77 78=item B<-out> I<filename> 79 80The output filename, standard output by default. 81 82=item B<-pass> I<arg> 83 84The password source. For more information about the format of I<arg> 85see L<openssl-passphrase-options(1)>. 86 87=item B<-e> 88 89Encrypt the input data: this is the default. 90 91=item B<-d> 92 93Decrypt the input data. 94 95=item B<-a> 96 97Base64 process the data. This means that if encryption is taking place 98the data is base64 encoded after encryption. If decryption is set then 99the input data is base64 decoded before being decrypted. 100 101=item B<-base64> 102 103Same as B<-a> 104 105=item B<-A> 106 107If the B<-a> option is set then base64 process the data on one line. 108 109=item B<-k> I<password> 110 111The password to derive the key from. This is for compatibility with previous 112versions of OpenSSL. Superseded by the B<-pass> argument. 113 114=item B<-kfile> I<filename> 115 116Read the password to derive the key from the first line of I<filename>. 117This is for compatibility with previous versions of OpenSSL. Superseded by 118the B<-pass> argument. 119 120=item B<-md> I<digest> 121 122Use the specified digest to create the key from the passphrase. 123The default algorithm is sha-256. 124 125=item B<-iter> I<count> 126 127Use a given number of iterations on the password in deriving the encryption key. 128High values increase the time required to brute-force the resulting file. 129This option enables the use of PBKDF2 algorithm to derive the key. 130 131=item B<-pbkdf2> 132 133Use PBKDF2 algorithm with a default iteration count of 10000 134unless otherwise specified by the B<-iter> command line option. 135 136=item B<-saltlen> 137 138Set the salt length to use when using the B<-pbkdf2> option. 139For compatibility reasons, the default is 8 bytes. 140The maximum value is currently 16 bytes. 141If the B<-pbkdf2> option is not used, then this option is ignored 142and a fixed salt length of 8 is used. The salt length used when 143encrypting must also be used when decrypting. 144 145=item B<-nosalt> 146 147Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be 148used except for test purposes or compatibility with ancient versions of 149OpenSSL. 150 151=item B<-salt> 152 153Use salt (randomly generated or provide with B<-S> option) when 154encrypting, this is the default. 155 156=item B<-S> I<salt> 157 158The actual salt to use: this must be represented as a string of hex digits. 159If this option is used while encrypting, the same exact value will be needed 160again during decryption. This salt may be truncated or zero padded to 161match the salt length (See B<-saltlen>). 162 163=item B<-K> I<key> 164 165The actual key to use: this must be represented as a string comprised only 166of hex digits. If only the key is specified, the IV must additionally specified 167using the B<-iv> option. When both a key and a password are specified, the 168key given with the B<-K> option will be used and the IV generated from the 169password will be taken. It does not make much sense to specify both key 170and password. 171 172=item B<-iv> I<IV> 173 174The actual IV to use: this must be represented as a string comprised only 175of hex digits. When only the key is specified using the B<-K> option, the 176IV must explicitly be defined. When a password is being specified using 177one of the other options, the IV is generated from this password. 178 179=item B<-p> 180 181Print out the key and IV used. 182 183=item B<-P> 184 185Print out the key and IV used then immediately exit: don't do any encryption 186or decryption. 187 188=item B<-bufsize> I<number> 189 190Set the buffer size for I/O. 191 192=item B<-nopad> 193 194Disable standard block padding. 195 196=item B<-v> 197 198Verbose print; display some statistics about I/O and buffer sizes. 199 200=item B<-debug> 201 202Debug the BIOs used for I/O. 203 204=item B<-z> 205 206Compress or decompress encrypted data using zlib after encryption or before 207decryption. This option exists only if OpenSSL was compiled with the zlib 208or zlib-dynamic option. 209 210=item B<-none> 211 212Use NULL cipher (no encryption or decryption of input). 213 214{- $OpenSSL::safe::opt_r_item -} 215 216{- $OpenSSL::safe::opt_provider_item -} 217 218{- $OpenSSL::safe::opt_engine_item -} 219 220=back 221 222=head1 NOTES 223 224The program can be called either as C<openssl I<cipher>> or 225C<openssl enc -I<cipher>>. The first form doesn't work with 226engine-provided ciphers, because this form is processed before the 227configuration file is read and any ENGINEs loaded. 228Use the L<openssl-list(1)> command to get a list of supported ciphers. 229 230Engines which provide entirely new encryption algorithms (such as the ccgost 231engine which provides gost89 algorithm) should be configured in the 232configuration file. Engines specified on the command line using B<-engine> 233option can only be used for hardware-assisted implementations of 234ciphers which are supported by the OpenSSL core or another engine specified 235in the configuration file. 236 237When the enc command lists supported ciphers, ciphers provided by engines, 238specified in the configuration files are listed too. 239 240A password will be prompted for to derive the key and IV if necessary. 241 242The B<-salt> option should B<ALWAYS> be used if the key is being derived 243from a password unless you want compatibility with previous versions of 244OpenSSL. 245 246Without the B<-salt> option it is possible to perform efficient dictionary 247attacks on the password and to attack stream cipher encrypted data. The reason 248for this is that without the salt the same password always generates the same 249encryption key. 250 251When the salt is generated at random (that means when encrypting using a 252passphrase without explicit salt given using B<-S> option), the first bytes 253of the encrypted data are reserved to store the salt for later decrypting. 254 255Some of the ciphers do not have large keys and others have security 256implications if not used correctly. A beginner is advised to just use 257a strong block cipher, such as AES, in CBC mode. 258 259All the block ciphers normally use PKCS#5 padding, also known as standard 260block padding. This allows a rudimentary integrity or password check to 261be performed. However, since the chance of random data passing the test 262is better than 1 in 256 it isn't a very good test. 263 264If padding is disabled then the input data must be a multiple of the cipher 265block length. 266 267All RC2 ciphers have the same key and effective key length. 268 269Blowfish and RC5 algorithms use a 128 bit key. 270 271Please note that OpenSSL 3.0 changed the effect of the B<-S> option. 272Any explicit salt value specified via this option is no longer prepended to the 273ciphertext when encrypting, and must again be explicitly provided when decrypting. 274Conversely, when the B<-S> option is used during decryption, the ciphertext 275is expected to not have a prepended salt value. 276 277When using OpenSSL 3.0 or later to decrypt data that was encrypted with an 278explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will 279then be read from the ciphertext. 280To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use 281the B<-S> option, the salt will be then be generated randomly and prepended 282to the output. 283 284=head1 SUPPORTED CIPHERS 285 286Note that some of these ciphers can be disabled at compile time 287and some are available only if an appropriate engine is configured 288in the configuration file. The output when invoking this command 289with the B<-list> option (that is C<openssl enc -list>) is 290a list of ciphers, supported by your version of OpenSSL, including 291ones provided by configured engines. 292 293This command does not support authenticated encryption modes 294like CCM and GCM, and will not support such modes in the future. 295This is due to having to begin streaming output (e.g., to standard output 296when B<-out> is not used) before the authentication tag could be validated. 297When this command is used in a pipeline, the receiving end will not be 298able to roll back upon authentication failure. The AEAD modes currently in 299common use also suffer from catastrophic failure of confidentiality and/or 300integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the 301entire burden of key/iv/nonce management upon the user, the risk of 302exposing AEAD modes is too great to allow. These key/iv/nonce 303management issues also affect other modes currently exposed in this command, 304but the failure modes are less extreme in these cases, and the 305functionality cannot be removed with a stable release branch. 306For bulk encryption of data, whether using authenticated encryption 307modes or other modes, L<openssl-cms(1)> is recommended, as it provides a 308standard data format and performs the needed key/iv/nonce management. 309 310When enc is used with key wrapping modes the input data cannot be streamed, 311meaning it must be processed in a single pass. 312Consequently, the input data size must be less than 313the buffer size (-bufsize arg, default to 8*1024 bytes). 314The '*-wrap' ciphers require the input to be a multiple of 8 bytes long, 315because no padding is involved. 316The '*-wrap-pad' ciphers allow any input length. 317In both cases, no IV is needed. See example below. 318 319 320 base64 Base 64 321 322 bf-cbc Blowfish in CBC mode 323 bf Alias for bf-cbc 324 blowfish Alias for bf-cbc 325 bf-cfb Blowfish in CFB mode 326 bf-ecb Blowfish in ECB mode 327 bf-ofb Blowfish in OFB mode 328 329 cast-cbc CAST in CBC mode 330 cast Alias for cast-cbc 331 cast5-cbc CAST5 in CBC mode 332 cast5-cfb CAST5 in CFB mode 333 cast5-ecb CAST5 in ECB mode 334 cast5-ofb CAST5 in OFB mode 335 336 chacha20 ChaCha20 algorithm 337 338 des-cbc DES in CBC mode 339 des Alias for des-cbc 340 des-cfb DES in CFB mode 341 des-ofb DES in OFB mode 342 des-ecb DES in ECB mode 343 344 des-ede-cbc Two key triple DES EDE in CBC mode 345 des-ede Two key triple DES EDE in ECB mode 346 des-ede-cfb Two key triple DES EDE in CFB mode 347 des-ede-ofb Two key triple DES EDE in OFB mode 348 349 des-ede3-cbc Three key triple DES EDE in CBC mode 350 des-ede3 Three key triple DES EDE in ECB mode 351 des3 Alias for des-ede3-cbc 352 des-ede3-cfb Three key triple DES EDE CFB mode 353 des-ede3-ofb Three key triple DES EDE in OFB mode 354 355 desx DESX algorithm. 356 357 gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) 358 gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine) 359 360 idea-cbc IDEA algorithm in CBC mode 361 idea same as idea-cbc 362 idea-cfb IDEA in CFB mode 363 idea-ecb IDEA in ECB mode 364 idea-ofb IDEA in OFB mode 365 366 rc2-cbc 128 bit RC2 in CBC mode 367 rc2 Alias for rc2-cbc 368 rc2-cfb 128 bit RC2 in CFB mode 369 rc2-ecb 128 bit RC2 in ECB mode 370 rc2-ofb 128 bit RC2 in OFB mode 371 rc2-64-cbc 64 bit RC2 in CBC mode 372 rc2-40-cbc 40 bit RC2 in CBC mode 373 374 rc4 128 bit RC4 375 rc4-64 64 bit RC4 376 rc4-40 40 bit RC4 377 378 rc5-cbc RC5 cipher in CBC mode 379 rc5 Alias for rc5-cbc 380 rc5-cfb RC5 cipher in CFB mode 381 rc5-ecb RC5 cipher in ECB mode 382 rc5-ofb RC5 cipher in OFB mode 383 384 seed-cbc SEED cipher in CBC mode 385 seed Alias for seed-cbc 386 seed-cfb SEED cipher in CFB mode 387 seed-ecb SEED cipher in ECB mode 388 seed-ofb SEED cipher in OFB mode 389 390 sm4-cbc SM4 cipher in CBC mode 391 sm4 Alias for sm4-cbc 392 sm4-cfb SM4 cipher in CFB mode 393 sm4-ctr SM4 cipher in CTR mode 394 sm4-ecb SM4 cipher in ECB mode 395 sm4-ofb SM4 cipher in OFB mode 396 397 aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode 398 aes[128|192|256] Alias for aes-[128|192|256]-cbc 399 aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode 400 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode 401 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode 402 aes-[128|192|256]-ctr 128/192/256 bit AES in CTR mode 403 aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode 404 aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode 405 406 aes-[128|192|256]-wrap key wrapping using 128/192/256 bit AES 407 aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES 408 409 aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode 410 aria[128|192|256] Alias for aria-[128|192|256]-cbc 411 aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode 412 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode 413 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode 414 aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode 415 aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode 416 aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode 417 418 camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode 419 camellia[128|192|256] Alias for camellia-[128|192|256]-cbc 420 camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode 421 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode 422 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode 423 camellia-[128|192|256]-ctr 128/192/256 bit Camellia in CTR mode 424 camellia-[128|192|256]-ecb 128/192/256 bit Camellia in ECB mode 425 camellia-[128|192|256]-ofb 128/192/256 bit Camellia in OFB mode 426 427=head1 EXAMPLES 428 429Just base64 encode a binary file: 430 431 openssl base64 -in file.bin -out file.b64 432 433Decode the same file 434 435 openssl base64 -d -in file.b64 -out file.bin 436 437Encrypt a file using AES-128 using a prompted password 438and PBKDF2 key derivation: 439 440 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128 441 442Decrypt a file using a supplied password: 443 444 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \ 445 -pass pass:<password> 446 447Encrypt a file then base64 encode it (so it can be sent via mail for example) 448using AES-256 in CTR mode and PBKDF2 key derivation: 449 450 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256 451 452Base64 decode a file then decrypt it using a password supplied in a file: 453 454 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \ 455 -pass file:<passfile> 456 457AES key wrapping: 458 459 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin 460or 461 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin 462 463=head1 BUGS 464 465The B<-A> option when used with large files doesn't work properly. 466 467The B<openssl enc> command only supports a fixed number of algorithms with 468certain parameters. So if, for example, you want to use RC2 with a 46976 bit key or RC4 with an 84 bit key you can't use this program. 470 471=head1 HISTORY 472 473The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. 474 475The B<-list> option was added in OpenSSL 1.1.1e. 476 477The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0. 478 479The B<-saltlen> option was added in OpenSSL 3.2. 480 481=head1 COPYRIGHT 482 483Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. 484 485Licensed under the Apache License 2.0 (the "License"). You may not use 486this file except in compliance with the License. You can obtain a copy 487in the file LICENSE in the source distribution or at 488L<https://www.openssl.org/source/license.html>. 489 490=cut 491