xref: /openssl/doc/man1/openssl-enc.pod.in (revision e3994583) 
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-enc - symmetric cipher routines
7
8=head1 SYNOPSIS
9
10B<openssl> B<enc>|I<cipher>
11[B<-I<cipher>>]
12[B<-help>]
13[B<-list>]
14[B<-ciphers>]
15[B<-in> I<filename>]
16[B<-out> I<filename>]
17[B<-pass> I<arg>]
18[B<-e>]
19[B<-d>]
20[B<-a>]
21[B<-base64>]
22[B<-A>]
23[B<-k> I<password>]
24[B<-kfile> I<filename>]
25[B<-K> I<key>]
26[B<-iv> I<IV>]
27[B<-S> I<salt>]
28[B<-salt>]
29[B<-nosalt>]
30[B<-z>]
31[B<-md> I<digest>]
32[B<-iter> I<count>]
33[B<-pbkdf2>]
34[B<-saltlen> I<size>]
35[B<-p>]
36[B<-P>]
37[B<-bufsize> I<number>]
38[B<-nopad>]
39[B<-v>]
40[B<-debug>]
41[B<-none>]
42{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
43{- $OpenSSL::safe::opt_provider_synopsis -}
44
45B<openssl> I<cipher> [B<...>]
46
47=head1 DESCRIPTION
48
49The symmetric cipher commands allow data to be encrypted or decrypted
50using various block and stream ciphers using keys based on passwords
51or explicitly provided. Base64 encoding or decoding can also be performed
52either by itself or in addition to the encryption or decryption.
53
54=head1 OPTIONS
55
56=over 4
57
58=item B<-I<cipher>>
59
60The cipher to use.
61
62=item B<-help>
63
64Print out a usage message.
65
66=item B<-list>
67
68List all supported ciphers.
69
70=item B<-ciphers>
71
72Alias of -list to display all supported ciphers.
73
74=item B<-in> I<filename>
75
76The input filename, standard input by default.
77
78=item B<-out> I<filename>
79
80The output filename, standard output by default.
81
82=item B<-pass> I<arg>
83
84The password source. For more information about the format of I<arg>
85see L<openssl-passphrase-options(1)>.
86
87=item B<-e>
88
89Encrypt the input data: this is the default.
90
91=item B<-d>
92
93Decrypt the input data.
94
95=item B<-a>
96
97Base64 process the data. This means that if encryption is taking place
98the data is base64 encoded after encryption. If decryption is set then
99the input data is base64 decoded before being decrypted.
100
101=item B<-base64>
102
103Same as B<-a>
104
105=item B<-A>
106
107If the B<-a> option is set then base64 process the data on one line.
108
109=item B<-k> I<password>
110
111The password to derive the key from. This is for compatibility with previous
112versions of OpenSSL. Superseded by the B<-pass> argument.
113
114=item B<-kfile> I<filename>
115
116Read the password to derive the key from the first line of I<filename>.
117This is for compatibility with previous versions of OpenSSL. Superseded by
118the B<-pass> argument.
119
120=item B<-md> I<digest>
121
122Use the specified digest to create the key from the passphrase.
123The default algorithm is sha-256.
124
125=item B<-iter> I<count>
126
127Use a given number of iterations on the password in deriving the encryption key.
128High values increase the time required to brute-force the resulting file.
129This option enables the use of PBKDF2 algorithm to derive the key.
130
131=item B<-pbkdf2>
132
133Use PBKDF2 algorithm with a default iteration count of 10000
134unless otherwise specified by the B<-iter> command line option.
135
136=item B<-saltlen>
137
138Set the salt length to use when using the B<-pbkdf2> option.
139For compatibility reasons, the default is 8 bytes.
140The maximum value is currently 16 bytes.
141If the B<-pbkdf2> option is not used, then this option is ignored
142and a fixed salt length of 8 is used. The salt length used when
143encrypting must also be used when decrypting.
144
145=item B<-nosalt>
146
147Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
148used except for test purposes or compatibility with ancient versions of
149OpenSSL.
150
151=item B<-salt>
152
153Use salt (randomly generated or provide with B<-S> option) when
154encrypting, this is the default.
155
156=item B<-S> I<salt>
157
158The actual salt to use: this must be represented as a string of hex digits.
159If this option is used while encrypting, the same exact value will be needed
160again during decryption. This salt may be truncated or zero padded to
161match the salt length (See B<-saltlen>).
162
163=item B<-K> I<key>
164
165The actual key to use: this must be represented as a string comprised only
166of hex digits. If only the key is specified, the IV must additionally specified
167using the B<-iv> option. When both a key and a password are specified, the
168key given with the B<-K> option will be used and the IV generated from the
169password will be taken. It does not make much sense to specify both key
170and password.
171
172=item B<-iv> I<IV>
173
174The actual IV to use: this must be represented as a string comprised only
175of hex digits. When only the key is specified using the B<-K> option, the
176IV must explicitly be defined. When a password is being specified using
177one of the other options, the IV is generated from this password.
178
179=item B<-p>
180
181Print out the key and IV used.
182
183=item B<-P>
184
185Print out the key and IV used then immediately exit: don't do any encryption
186or decryption.
187
188=item B<-bufsize> I<number>
189
190Set the buffer size for I/O.
191
192=item B<-nopad>
193
194Disable standard block padding.
195
196=item B<-v>
197
198Verbose print; display some statistics about I/O and buffer sizes.
199
200=item B<-debug>
201
202Debug the BIOs used for I/O.
203
204=item B<-z>
205
206Compress or decompress encrypted data using zlib after encryption or before
207decryption. This option exists only if OpenSSL was compiled with the zlib
208or zlib-dynamic option.
209
210=item B<-none>
211
212Use NULL cipher (no encryption or decryption of input).
213
214{- $OpenSSL::safe::opt_r_item -}
215
216{- $OpenSSL::safe::opt_provider_item -}
217
218{- $OpenSSL::safe::opt_engine_item -}
219
220=back
221
222=head1 NOTES
223
224The program can be called either as C<openssl I<cipher>> or
225C<openssl enc -I<cipher>>. The first form doesn't work with
226engine-provided ciphers, because this form is processed before the
227configuration file is read and any ENGINEs loaded.
228Use the L<openssl-list(1)> command to get a list of supported ciphers.
229
230Engines which provide entirely new encryption algorithms (such as the ccgost
231engine which provides gost89 algorithm) should be configured in the
232configuration file. Engines specified on the command line using B<-engine>
233option can only be used for hardware-assisted implementations of
234ciphers which are supported by the OpenSSL core or another engine specified
235in the configuration file.
236
237When the enc command lists supported ciphers, ciphers provided by engines,
238specified in the configuration files are listed too.
239
240A password will be prompted for to derive the key and IV if necessary.
241
242The B<-salt> option should B<ALWAYS> be used if the key is being derived
243from a password unless you want compatibility with previous versions of
244OpenSSL.
245
246Without the B<-salt> option it is possible to perform efficient dictionary
247attacks on the password and to attack stream cipher encrypted data. The reason
248for this is that without the salt the same password always generates the same
249encryption key.
250
251When the salt is generated at random (that means when encrypting using a
252passphrase without explicit salt given using B<-S> option), the first bytes
253of the encrypted data are reserved to store the salt for later decrypting.
254
255Some of the ciphers do not have large keys and others have security
256implications if not used correctly. A beginner is advised to just use
257a strong block cipher, such as AES, in CBC mode.
258
259All the block ciphers normally use PKCS#5 padding, also known as standard
260block padding. This allows a rudimentary integrity or password check to
261be performed. However, since the chance of random data passing the test
262is better than 1 in 256 it isn't a very good test.
263
264If padding is disabled then the input data must be a multiple of the cipher
265block length.
266
267All RC2 ciphers have the same key and effective key length.
268
269Blowfish and RC5 algorithms use a 128 bit key.
270
271Please note that OpenSSL 3.0 changed the effect of the B<-S> option.
272Any explicit salt value specified via this option is no longer prepended to the
273ciphertext when encrypting, and must again be explicitly provided when decrypting.
274Conversely, when the B<-S> option is used during decryption, the ciphertext
275is expected to not have a prepended salt value.
276
277When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
278explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will
279then be read from the ciphertext.
280To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
281the B<-S> option, the salt will be then be generated randomly and prepended
282to the output.
283
284=head1 SUPPORTED CIPHERS
285
286Note that some of these ciphers can be disabled at compile time
287and some are available only if an appropriate engine is configured
288in the configuration file. The output when invoking this command
289with the B<-list> option (that is C<openssl enc -list>) is
290a list of ciphers, supported by your version of OpenSSL, including
291ones provided by configured engines.
292
293This command does not support authenticated encryption modes
294like CCM and GCM, and will not support such modes in the future.
295This is due to having to begin streaming output (e.g., to standard output
296when B<-out> is not used) before the authentication tag could be validated.
297When this command is used in a pipeline, the receiving end will not be
298able to roll back upon authentication failure.  The AEAD modes currently in
299common use also suffer from catastrophic failure of confidentiality and/or
300integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
301entire burden of key/iv/nonce management upon the user, the risk of
302exposing AEAD modes is too great to allow. These key/iv/nonce
303management issues also affect other modes currently exposed in this command,
304but the failure modes are less extreme in these cases, and the
305functionality cannot be removed with a stable release branch.
306For bulk encryption of data, whether using authenticated encryption
307modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
308standard data format and performs the needed key/iv/nonce management.
309
310When enc is used with key wrapping modes the input data cannot be streamed,
311meaning it must be processed in a single pass.
312Consequently, the input data size must be less than
313the buffer size (-bufsize arg, default to 8*1024 bytes).
314The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
315because no padding is involved.
316The '*-wrap-pad' ciphers allow any input length.
317In both cases, no IV is needed. See example below.
318
319
320 base64             Base 64
321
322 bf-cbc             Blowfish in CBC mode
323 bf                 Alias for bf-cbc
324 blowfish           Alias for bf-cbc
325 bf-cfb             Blowfish in CFB mode
326 bf-ecb             Blowfish in ECB mode
327 bf-ofb             Blowfish in OFB mode
328
329 cast-cbc           CAST in CBC mode
330 cast               Alias for cast-cbc
331 cast5-cbc          CAST5 in CBC mode
332 cast5-cfb          CAST5 in CFB mode
333 cast5-ecb          CAST5 in ECB mode
334 cast5-ofb          CAST5 in OFB mode
335
336 chacha20           ChaCha20 algorithm
337
338 des-cbc            DES in CBC mode
339 des                Alias for des-cbc
340 des-cfb            DES in CFB mode
341 des-ofb            DES in OFB mode
342 des-ecb            DES in ECB mode
343
344 des-ede-cbc        Two key triple DES EDE in CBC mode
345 des-ede            Two key triple DES EDE in ECB mode
346 des-ede-cfb        Two key triple DES EDE in CFB mode
347 des-ede-ofb        Two key triple DES EDE in OFB mode
348
349 des-ede3-cbc       Three key triple DES EDE in CBC mode
350 des-ede3           Three key triple DES EDE in ECB mode
351 des3               Alias for des-ede3-cbc
352 des-ede3-cfb       Three key triple DES EDE CFB mode
353 des-ede3-ofb       Three key triple DES EDE in OFB mode
354
355 desx               DESX algorithm.
356
357 gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
358 gost89-cnt         GOST 28147-89 in CNT mode (provided by ccgost engine)
359
360 idea-cbc           IDEA algorithm in CBC mode
361 idea               same as idea-cbc
362 idea-cfb           IDEA in CFB mode
363 idea-ecb           IDEA in ECB mode
364 idea-ofb           IDEA in OFB mode
365
366 rc2-cbc            128 bit RC2 in CBC mode
367 rc2                Alias for rc2-cbc
368 rc2-cfb            128 bit RC2 in CFB mode
369 rc2-ecb            128 bit RC2 in ECB mode
370 rc2-ofb            128 bit RC2 in OFB mode
371 rc2-64-cbc         64 bit RC2 in CBC mode
372 rc2-40-cbc         40 bit RC2 in CBC mode
373
374 rc4                128 bit RC4
375 rc4-64             64 bit RC4
376 rc4-40             40 bit RC4
377
378 rc5-cbc            RC5 cipher in CBC mode
379 rc5                Alias for rc5-cbc
380 rc5-cfb            RC5 cipher in CFB mode
381 rc5-ecb            RC5 cipher in ECB mode
382 rc5-ofb            RC5 cipher in OFB mode
383
384 seed-cbc           SEED cipher in CBC mode
385 seed               Alias for seed-cbc
386 seed-cfb           SEED cipher in CFB mode
387 seed-ecb           SEED cipher in ECB mode
388 seed-ofb           SEED cipher in OFB mode
389
390 sm4-cbc            SM4 cipher in CBC mode
391 sm4                Alias for sm4-cbc
392 sm4-cfb            SM4 cipher in CFB mode
393 sm4-ctr            SM4 cipher in CTR mode
394 sm4-ecb            SM4 cipher in ECB mode
395 sm4-ofb            SM4 cipher in OFB mode
396
397 aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
398 aes[128|192|256]       Alias for aes-[128|192|256]-cbc
399 aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
400 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
401 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
402 aes-[128|192|256]-ctr  128/192/256 bit AES in CTR mode
403 aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
404 aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
405
406 aes-[128|192|256]-wrap     key wrapping using 128/192/256 bit AES
407 aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
408
409 aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
410 aria[128|192|256]       Alias for aria-[128|192|256]-cbc
411 aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
412 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
413 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
414 aria-[128|192|256]-ctr  128/192/256 bit ARIA in CTR mode
415 aria-[128|192|256]-ecb  128/192/256 bit ARIA in ECB mode
416 aria-[128|192|256]-ofb  128/192/256 bit ARIA in OFB mode
417
418 camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
419 camellia[128|192|256]       Alias for camellia-[128|192|256]-cbc
420 camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode
421 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
422 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
423 camellia-[128|192|256]-ctr  128/192/256 bit Camellia in CTR mode
424 camellia-[128|192|256]-ecb  128/192/256 bit Camellia in ECB mode
425 camellia-[128|192|256]-ofb  128/192/256 bit Camellia in OFB mode
426
427=head1 EXAMPLES
428
429Just base64 encode a binary file:
430
431 openssl base64 -in file.bin -out file.b64
432
433Decode the same file
434
435 openssl base64 -d -in file.b64 -out file.bin
436
437Encrypt a file using AES-128 using a prompted password
438and PBKDF2 key derivation:
439
440 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
441
442Decrypt a file using a supplied password:
443
444 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
445    -pass pass:<password>
446
447Encrypt a file then base64 encode it (so it can be sent via mail for example)
448using AES-256 in CTR mode and PBKDF2 key derivation:
449
450 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
451
452Base64 decode a file then decrypt it using a password supplied in a file:
453
454 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
455    -pass file:<passfile>
456
457AES key wrapping:
458
459 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
460or
461 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
462
463=head1 BUGS
464
465The B<-A> option when used with large files doesn't work properly.
466
467The B<openssl enc> command only supports a fixed number of algorithms with
468certain parameters. So if, for example, you want to use RC2 with a
46976 bit key or RC4 with an 84 bit key you can't use this program.
470
471=head1 HISTORY
472
473The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
474
475The B<-list> option was added in OpenSSL 1.1.1e.
476
477The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
478
479The B<-saltlen> option was added in OpenSSL 3.2.
480
481=head1 COPYRIGHT
482
483Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
484
485Licensed under the Apache License 2.0 (the "License").  You may not use
486this file except in compliance with the License.  You can obtain a copy
487in the file LICENSE in the source distribution or at
488L<https://www.openssl.org/source/license.html>.
489
490=cut
491