=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-enc - symmetric cipher routines

=head1 SYNOPSIS

B<openssl> B<enc>|I<cipher>
[B<-I<cipher>>]
[B<-help>]
[B<-list>]
[B<-ciphers>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-pass> I<arg>]
[B<-e>]
[B<-d>]
[B<-a>]
[B<-base64>]
[B<-A>]
[B<-k> I<password>]
[B<-kfile> I<filename>]
[B<-K> I<key>]
[B<-iv> I<IV>]
[B<-S> I<salt>]
[B<-salt>]
[B<-nosalt>]
[B<-z>]
[B<-md> I<digest>]
[B<-iter> I<count>]
[B<-pbkdf2>]
[B<-p>]
[B<-P>]
[B<-bufsize> I<number>]
[B<-nopad>]
[B<-v>]
[B<-debug>]
[B<-none>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}

B<openssl> I<cipher> [B<...>]

=head1 DESCRIPTION

The symmetric cipher commands allow data to be encrypted or decrypted
using various block and stream ciphers, with keys either derived from
passwords or explicitly provided. Base64 encoding or decoding can also be
performed either by itself or in addition to the encryption or decryption.

=head1 OPTIONS

=over 4

=item B<-I<cipher>>

The cipher to use.

=item B<-help>

Print out a usage message.

=item B<-list>

List all supported ciphers.

=item B<-ciphers>

Alias of B<-list> to display all supported ciphers.

=item B<-in> I<filename>

The input filename, standard input by default.

=item B<-out> I<filename>

The output filename, standard output by default.

=item B<-pass> I<arg>

The password source. For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.

=item B<-e>

Encrypt the input data: this is the default.

=item B<-d>

Decrypt the input data.

=item B<-a>

Base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption.
If decryption is set then
the input data is base64 decoded before being decrypted.

=item B<-base64>

Same as B<-a>.

=item B<-A>

If the B<-a> option is set then base64 process the data on one line.

=item B<-k> I<password>

The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the B<-pass> argument.

=item B<-kfile> I<filename>

Read the password to derive the key from the first line of I<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.

=item B<-md> I<digest>

Use the specified digest to create the key from the passphrase.
The default algorithm is sha-256.

=item B<-iter> I<count>

Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
This option enables the use of the PBKDF2 algorithm to derive the key.

=item B<-pbkdf2>

Use the PBKDF2 algorithm with the default iteration count unless otherwise
specified.

=item B<-nosalt>

Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
used except for test purposes or compatibility with ancient versions of
OpenSSL.

=item B<-salt>

Use a salt (randomly generated or provided with the B<-S> option) when
encrypting; this is the default.

=item B<-S> I<salt>

The actual salt to use: this must be represented as a string of hex digits.
If this option is used while encrypting, the same exact value will be needed
again during decryption.

=item B<-K> I<key>

The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the IV must additionally be
specified using the B<-iv> option.
When both a key and a password are specified, the
key given with the B<-K> option will be used and the IV will be generated
from the password. It does not make much sense to specify both key
and password.

=item B<-iv> I<IV>

The actual IV to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the B<-K> option, the
IV must explicitly be defined. When a password is being specified using
one of the other options, the IV is generated from this password.

=item B<-p>

Print out the key and IV used.

=item B<-P>

Print out the key and IV used then immediately exit: don't do any encryption
or decryption.

=item B<-bufsize> I<number>

Set the buffer size for I/O.

=item B<-nopad>

Disable standard block padding.

=item B<-v>

Verbose print; display some statistics about I/O and buffer sizes.

=item B<-debug>

Debug the BIOs used for I/O.

=item B<-z>

Compress or decompress encrypted data using zlib after encryption or before
decryption. This option exists only if OpenSSL was compiled with the zlib
or zlib-dynamic option.

=item B<-none>

Use the NULL cipher (no encryption or decryption of input).

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_provider_item -}

{- $OpenSSL::safe::opt_engine_item -}

=back

=head1 NOTES

The program can be called either as C<openssl I<cipher>> or
C<openssl enc -I<cipher>>. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the L<openssl-list(1)> command to get a list of supported ciphers.

Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides the gost89 algorithm) should be configured in the
configuration file.
Engines specified on the command line using the B<-engine>
option can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.

When the enc command lists supported ciphers, ciphers provided by engines
specified in the configuration file are listed too.

A password will be prompted for to derive the key and IV if necessary.

The B<-salt> option should B<ALWAYS> be used if the key is being derived
from a password unless you want compatibility with previous versions of
OpenSSL.

Without the B<-salt> option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
for this is that without the salt the same password always generates the same
encryption key.

When the salt is generated at random (that is, when encrypting using a
passphrase without an explicit salt given using the B<-S> option), the first
bytes of the encrypted data are reserved to store the salt for later decrypting.

Some of the ciphers do not have large keys and others have security
implications if not used correctly. A beginner is advised to just use
a strong block cipher, such as AES, in CBC mode.

All the block ciphers normally use PKCS#5 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
be performed. However, since the chance of random data passing the test
is better than 1 in 256 it isn't a very good test.

If padding is disabled then the input data must be a multiple of the cipher
block length.

All RC2 ciphers have the same key and effective key length.

Blowfish and RC5 algorithms use a 128 bit key.
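
The following Python, added here as an illustration and not code from OpenSSL
itself, reproduces the two key-derivation paths described above for
aes-256-cbc (the legacy EVP_BytesToKey with the default sha-256 digest when
neither B<-pbkdf2> nor B<-iter> is given, and PBKDF2 with B<-pbkdf2>) together
with the C<Salted__> header layout in which a random salt is stored. The
10000-iteration count is OpenSSL's default for B<-pbkdf2> without B<-iter>
(not stated on this page); the password and blobs are constructed inline.

```python
import hashlib

# Layout of password-encrypted "openssl enc" output when the salt is chosen
# at random: an 8-byte magic, the 8-byte salt, then the ciphertext.
MAGIC = b"Salted__"
SALT_LEN = 8
PBKDF2_DEFAULT_ITER = 10000  # OpenSSL's default for -pbkdf2 without -iter


def split_salted(blob: bytes):
    """Return (salt, ciphertext). Output made with -nosalt carries no header,
    so the salt is None and the whole blob is ciphertext."""
    if len(blob) < 2 * SALT_LEN or blob[:SALT_LEN] != MAGIC:
        return None, blob
    return blob[SALT_LEN:2 * SALT_LEN], blob[2 * SALT_LEN:]


def bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int):
    """Legacy derivation (EVP_BytesToKey, sha-256, one hashing pass):
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt); key || IV = D_1 || D_2 ..."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.sha256(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
               iterations: int = PBKDF2_DEFAULT_ITER):
    """Derivation used with -pbkdf2 / -iter: a single PBKDF2-HMAC-SHA256 call
    yields key || IV, so the IV is derived from the password as well."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:]


def key_iv_for_blob(password: bytes, blob: bytes, pbkdf2: bool = True):
    """Key and IV an aes-256-cbc decryption of `blob` would use (32 + 16 bytes).
    With no header (-nosalt) the salt is empty, so the key depends on the
    password alone and every file encrypted with that password shares it."""
    salt, _ciphertext = split_salted(blob)
    derive = pbkdf2_key if pbkdf2 else bytes_to_key
    return derive(password, salt or b"", 32, 16)


if __name__ == "__main__":
    pw = b"correct horse"                                  # constructed password
    salted_a = MAGIC + bytes(range(8)) + b"\x00" * 16      # constructed blobs
    salted_b = MAGIC + bytes(range(8, 16)) + b"\x00" * 16
    print(key_iv_for_blob(pw, salted_a) != key_iv_for_blob(pw, salted_b))   # True
    print(key_iv_for_blob(pw, b"\x00" * 16) == key_iv_for_blob(pw, b"\xff" * 32))  # True
```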

=head1 SUPPORTED CIPHERS

Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output when invoking this command
with the B<-list> option (that is C<openssl enc -list>) is
a list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.

This command does not support authenticated encryption modes
like CCM and GCM, and will not support such modes in the future.
This is due to having to begin streaming output (e.g., to standard output
when B<-out> is not used) before the authentication tag could be validated.
When this command is used in a pipeline, the receiving end will not be
able to roll back upon authentication failure. The AEAD modes currently in
common use also suffer from catastrophic failure of confidentiality and/or
integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing AEAD modes is too great to allow. These key/iv/nonce
management issues also affect other modes currently exposed in this command,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed within a stable release branch.
For bulk encryption of data, whether using authenticated encryption
modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.

When enc is used with key wrapping modes the input data cannot be streamed,
meaning it must be processed in a single pass.
Consequently, the input data size must be less than
the buffer size (the B<-bufsize> argument, which defaults to 8*1024 bytes).
The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
because no padding is involved.
The '*-wrap-pad' ciphers allow any input length.
In both cases, no IV is needed. See the example below.

 base64                      Base 64

 bf-cbc                      Blowfish in CBC mode
 bf                          Alias for bf-cbc
 blowfish                    Alias for bf-cbc
 bf-cfb                      Blowfish in CFB mode
 bf-ecb                      Blowfish in ECB mode
 bf-ofb                      Blowfish in OFB mode

 cast-cbc                    CAST in CBC mode
 cast                        Alias for cast-cbc
 cast5-cbc                   CAST5 in CBC mode
 cast5-cfb                   CAST5 in CFB mode
 cast5-ecb                   CAST5 in ECB mode
 cast5-ofb                   CAST5 in OFB mode

 chacha20                    ChaCha20 algorithm

 des-cbc                     DES in CBC mode
 des                         Alias for des-cbc
 des-cfb                     DES in CFB mode
 des-ofb                     DES in OFB mode
 des-ecb                     DES in ECB mode

 des-ede-cbc                 Two key triple DES EDE in CBC mode
 des-ede                     Two key triple DES EDE in ECB mode
 des-ede-cfb                 Two key triple DES EDE in CFB mode
 des-ede-ofb                 Two key triple DES EDE in OFB mode

 des-ede3-cbc                Three key triple DES EDE in CBC mode
 des-ede3                    Three key triple DES EDE in ECB mode
 des3                        Alias for des-ede3-cbc
 des-ede3-cfb                Three key triple DES EDE in CFB mode
 des-ede3-ofb                Three key triple DES EDE in OFB mode

 desx                        DESX algorithm

 gost89                      GOST 28147-89 in CFB mode (provided by ccgost engine)
 gost89-cnt                  GOST 28147-89 in CNT mode (provided by ccgost engine)

 idea-cbc                    IDEA algorithm in CBC mode
 idea                        Alias for idea-cbc
 idea-cfb                    IDEA in CFB mode
 idea-ecb                    IDEA in ECB mode
 idea-ofb                    IDEA in OFB mode

 rc2-cbc                     128 bit RC2 in CBC mode
 rc2                         Alias for rc2-cbc
 rc2-cfb                     128 bit RC2 in CFB mode
 rc2-ecb                     128 bit RC2 in ECB mode
 rc2-ofb                     128 bit RC2 in OFB mode
 rc2-64-cbc                  64 bit RC2 in CBC mode
 rc2-40-cbc                  40 bit RC2 in CBC mode

 rc4                         128 bit RC4
 rc4-64                      64 bit RC4
 rc4-40                      40 bit RC4

 rc5-cbc                     RC5 cipher in CBC mode
 rc5                         Alias for rc5-cbc
 rc5-cfb                     RC5 cipher in CFB mode
 rc5-ecb                     RC5 cipher in ECB mode
 rc5-ofb                     RC5 cipher in OFB mode

 seed-cbc                    SEED cipher in CBC mode
 seed                        Alias for seed-cbc
 seed-cfb                    SEED cipher in CFB mode
 seed-ecb                    SEED cipher in ECB mode
 seed-ofb                    SEED cipher in OFB mode

 sm4-cbc                     SM4 cipher in CBC mode
 sm4                         Alias for sm4-cbc
 sm4-cfb                     SM4 cipher in CFB mode
 sm4-ctr                     SM4 cipher in CTR mode
 sm4-ecb                     SM4 cipher in ECB mode
 sm4-ofb                     SM4 cipher in OFB mode

 aes-[128|192|256]-cbc       128/192/256 bit AES in CBC mode
 aes[128|192|256]            Alias for aes-[128|192|256]-cbc
 aes-[128|192|256]-cfb       128/192/256 bit AES in 128 bit CFB mode
 aes-[128|192|256]-cfb1      128/192/256 bit AES in 1 bit CFB mode
 aes-[128|192|256]-cfb8      128/192/256 bit AES in 8 bit CFB mode
 aes-[128|192|256]-ctr       128/192/256 bit AES in CTR mode
 aes-[128|192|256]-ecb       128/192/256 bit AES in ECB mode
 aes-[128|192|256]-ofb       128/192/256 bit AES in OFB mode

 aes-[128|192|256]-wrap      key wrapping using 128/192/256 bit AES
 aes-[128|192|256]-wrap-pad  key wrapping with padding using 128/192/256 bit AES

 aria-[128|192|256]-cbc      128/192/256 bit ARIA in CBC mode
 aria[128|192|256]           Alias for aria-[128|192|256]-cbc
 aria-[128|192|256]-cfb      128/192/256 bit ARIA in 128 bit CFB mode
 aria-[128|192|256]-cfb1     128/192/256 bit ARIA in 1 bit CFB mode
 aria-[128|192|256]-cfb8     128/192/256 bit ARIA in 8 bit CFB mode
 aria-[128|192|256]-ctr      128/192/256 bit ARIA in CTR mode
 aria-[128|192|256]-ecb      128/192/256 bit ARIA in ECB mode
 aria-[128|192|256]-ofb      128/192/256 bit ARIA in OFB mode

 camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
 camellia[128|192|256]       Alias for camellia-[128|192|256]-cbc
 camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode
 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
 camellia-[128|192|256]-ctr  128/192/256 bit Camellia in CTR mode
 camellia-[128|192|256]-ecb  128/192/256 bit Camellia in ECB mode
 camellia-[128|192|256]-ofb  128/192/256 bit Camellia in OFB mode

=head1 EXAMPLES

Just base64 encode a binary file:

 openssl base64 -in file.bin -out file.b64

Decode the same file:

 openssl base64 -d -in file.b64 -out file.bin

Encrypt a file using AES-128 using a prompted password
and PBKDF2 key derivation:

 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128

Decrypt a file using a supplied password:

 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
    -pass pass:<password>

Encrypt a file then base64 encode it (so it can be sent via mail for example)
using AES-256 in CTR mode and PBKDF2 key derivation:

 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256

Base64 decode a file then decrypt it using a password supplied in a file:

 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
    -pass file:<passfile>

AES key wrapping:

 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin

or

 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin

=head1 BUGS

The B<-A> option when used with large files doesn't work properly.

The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
76 bit key or RC4 with an 84 bit key you can't use this program.

=head1 HISTORY

The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.

The B<-list> option was added in OpenSSL 1.1.1e.

The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut