xref: /openssl/doc/man1/openssl-enc.pod.in (revision 7ed6de99) 
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-enc - symmetric cipher routines
7
8=head1 SYNOPSIS
9
10B<openssl> B<enc>|I<cipher>
11[B<-I<cipher>>]
12[B<-help>]
13[B<-list>]
14[B<-ciphers>]
15[B<-in> I<filename>]
16[B<-out> I<filename>]
17[B<-pass> I<arg>]
18[B<-e>]
19[B<-d>]
20[B<-a>]
21[B<-base64>]
22[B<-A>]
23[B<-k> I<password>]
24[B<-kfile> I<filename>]
25[B<-K> I<key>]
26[B<-iv> I<IV>]
27[B<-S> I<salt>]
28[B<-salt>]
29[B<-nosalt>]
30[B<-z>]
31[B<-md> I<digest>]
32[B<-iter> I<count>]
33[B<-pbkdf2>]
34[B<-saltlen> I<size>]
35[B<-p>]
36[B<-P>]
37[B<-bufsize> I<number>]
38[B<-nopad>]
39[B<-v>]
40[B<-debug>]
41[B<-none>]
42{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
43{- $OpenSSL::safe::opt_provider_synopsis -}
44
45B<openssl> I<cipher> [B<...>]
46
47=head1 DESCRIPTION
48
49The symmetric cipher commands allow data to be encrypted or decrypted
50using various block and stream ciphers using keys based on passwords
51or explicitly provided. Base64 encoding or decoding can also be performed
52either by itself or in addition to the encryption or decryption.
53
54=head1 OPTIONS
55
56=over 4
57
58=item B<-I<cipher>>
59
60The cipher to use.
61
62=item B<-help>
63
64Print out a usage message.
65
66=item B<-list>
67
68List all supported ciphers.
69
70=item B<-ciphers>
71
72Alias of -list to display all supported ciphers.
73
74=item B<-in> I<filename>
75
76The input filename, standard input by default.
77
78=item B<-out> I<filename>
79
80The output filename, standard output by default.
81
82=item B<-pass> I<arg>
83
84The password source. For more information about the format of I<arg>
85see L<openssl-passphrase-options(1)>.
86
87=item B<-e>
88
89Encrypt the input data: this is the default.
90
91=item B<-d>
92
93Decrypt the input data.
94
95=item B<-a>
96
97Base64 process the data. This means that if encryption is taking place
98the data is base64 encoded after encryption. If decryption is set then
99the input data is base64 decoded before being decrypted.
100
101When the B<-A> option not given,
102on encoding a newline is inserted after each 64 characters, and
103on decoding a newline is expected among the first 1024 bytes of input.
104
105=item B<-base64>
106
107Same as B<-a>
108
109=item B<-A>
110
111If the B<-a> option is set then base64 encoding produces output without any
112newline character, and base64 decoding does not require any newlines.
113Therefore it can be helpful to use the B<-A> option when decoding unknown input.
114
115=item B<-k> I<password>
116
117The password to derive the key from. This is for compatibility with previous
118versions of OpenSSL. Superseded by the B<-pass> argument.
119
120=item B<-kfile> I<filename>
121
122Read the password to derive the key from the first line of I<filename>.
123This is for compatibility with previous versions of OpenSSL. Superseded by
124the B<-pass> argument.
125
126=item B<-md> I<digest>
127
128Use the specified digest to create the key from the passphrase.
129The default algorithm is sha-256.
130
131=item B<-iter> I<count>
132
133Use a given number of iterations on the password in deriving the encryption key.
134High values increase the time required to brute-force the resulting file.
135This option enables the use of PBKDF2 algorithm to derive the key.
136
137=item B<-pbkdf2>
138
139Use PBKDF2 algorithm with a default iteration count of 10000
140unless otherwise specified by the B<-iter> command line option.
141
142=item B<-saltlen>
143
144Set the salt length to use when using the B<-pbkdf2> option.
145For compatibility reasons, the default is 8 bytes.
146The maximum value is currently 16 bytes.
147If the B<-pbkdf2> option is not used, then this option is ignored
148and a fixed salt length of 8 is used. The salt length used when
149encrypting must also be used when decrypting.
150
151=item B<-nosalt>
152
153Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
154used except for test purposes or compatibility with ancient versions of
155OpenSSL.
156
157=item B<-salt>
158
159Use salt (randomly generated or provide with B<-S> option) when
160encrypting, this is the default.
161
162=item B<-S> I<salt>
163
164The actual salt to use: this must be represented as a string of hex digits.
165If this option is used while encrypting, the same exact value will be needed
166again during decryption. This salt may be truncated or zero padded to
167match the salt length (See B<-saltlen>).
168
169=item B<-K> I<key>
170
171The actual key to use: this must be represented as a string comprised only
172of hex digits. If only the key is specified, the IV must additionally specified
173using the B<-iv> option. When both a key and a password are specified, the
174key given with the B<-K> option will be used and the IV generated from the
175password will be taken. It does not make much sense to specify both key
176and password.
177
178=item B<-iv> I<IV>
179
180The actual IV to use: this must be represented as a string comprised only
181of hex digits. When only the key is specified using the B<-K> option, the
182IV must explicitly be defined. When a password is being specified using
183one of the other options, the IV is generated from this password.
184
185=item B<-p>
186
187Print out the key and IV used.
188
189=item B<-P>
190
191Print out the key and IV used then immediately exit: don't do any encryption
192or decryption.
193
194=item B<-bufsize> I<number>
195
196Set the buffer size for I/O.
197
198=item B<-nopad>
199
200Disable standard block padding.
201
202=item B<-v>
203
204Verbose print; display some statistics about I/O and buffer sizes.
205
206=item B<-debug>
207
208Debug the BIOs used for I/O.
209
210=item B<-z>
211
212Compress or decompress encrypted data using zlib after encryption or before
213decryption. This option exists only if OpenSSL was compiled with the zlib
214or zlib-dynamic option.
215
216=item B<-none>
217
218Use NULL cipher (no encryption or decryption of input).
219
220{- $OpenSSL::safe::opt_r_item -}
221
222{- $OpenSSL::safe::opt_provider_item -}
223
224{- $OpenSSL::safe::opt_engine_item -}
225
226=back
227
228=head1 NOTES
229
230The program can be called either as C<openssl I<cipher>> or
231C<openssl enc -I<cipher>>. The first form doesn't work with
232engine-provided ciphers, because this form is processed before the
233configuration file is read and any ENGINEs loaded.
234Use the L<openssl-list(1)> command to get a list of supported ciphers.
235
236Engines which provide entirely new encryption algorithms (such as the ccgost
237engine which provides gost89 algorithm) should be configured in the
238configuration file. Engines specified on the command line using B<-engine>
239option can only be used for hardware-assisted implementations of
240ciphers which are supported by the OpenSSL core or another engine specified
241in the configuration file.
242
243When the enc command lists supported ciphers, ciphers provided by engines,
244specified in the configuration files are listed too.
245
246A password will be prompted for to derive the key and IV if necessary.
247
248The B<-salt> option should B<ALWAYS> be used if the key is being derived
249from a password unless you want compatibility with previous versions of
250OpenSSL.
251
252Without the B<-salt> option it is possible to perform efficient dictionary
253attacks on the password and to attack stream cipher encrypted data. The reason
254for this is that without the salt the same password always generates the same
255encryption key.
256
257When the salt is generated at random (that means when encrypting using a
258passphrase without explicit salt given using B<-S> option), the first bytes
259of the encrypted data are reserved to store the salt for later decrypting.
260
261Some of the ciphers do not have large keys and others have security
262implications if not used correctly. A beginner is advised to just use
263a strong block cipher, such as AES, in CBC mode.
264
265All the block ciphers normally use PKCS#5 padding, also known as standard
266block padding. This allows a rudimentary integrity or password check to
267be performed. However, since the chance of random data passing the test
268is better than 1 in 256 it isn't a very good test.
269
270If padding is disabled then the input data must be a multiple of the cipher
271block length.
272
273All RC2 ciphers have the same key and effective key length.
274
275Blowfish and RC5 algorithms use a 128 bit key.
276
277Please note that OpenSSL 3.0 changed the effect of the B<-S> option.
278Any explicit salt value specified via this option is no longer prepended to the
279ciphertext when encrypting, and must again be explicitly provided when decrypting.
280Conversely, when the B<-S> option is used during decryption, the ciphertext
281is expected to not have a prepended salt value.
282
283When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
284explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will
285then be read from the ciphertext.
286To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
287the B<-S> option, the salt will be then be generated randomly and prepended
288to the output.
289
290=head1 SUPPORTED CIPHERS
291
292Note that some of these ciphers can be disabled at compile time
293and some are available only if an appropriate engine is configured
294in the configuration file. The output when invoking this command
295with the B<-list> option (that is C<openssl enc -list>) is
296a list of ciphers, supported by your version of OpenSSL, including
297ones provided by configured engines.
298
299This command does not support authenticated encryption modes
300like CCM and GCM, and will not support such modes in the future.
301This is due to having to begin streaming output (e.g., to standard output
302when B<-out> is not used) before the authentication tag could be validated.
303When this command is used in a pipeline, the receiving end will not be
304able to roll back upon authentication failure.  The AEAD modes currently in
305common use also suffer from catastrophic failure of confidentiality and/or
306integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
307entire burden of key/iv/nonce management upon the user, the risk of
308exposing AEAD modes is too great to allow. These key/iv/nonce
309management issues also affect other modes currently exposed in this command,
310but the failure modes are less extreme in these cases, and the
311functionality cannot be removed with a stable release branch.
312For bulk encryption of data, whether using authenticated encryption
313modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
314standard data format and performs the needed key/iv/nonce management.
315
316When enc is used with key wrapping modes the input data cannot be streamed,
317meaning it must be processed in a single pass.
318Consequently, the input data size must be less than
319the buffer size (-bufsize arg, default to 8*1024 bytes).
320The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
321because no padding is involved.
322The '*-wrap-pad' ciphers allow any input length.
323In both cases, no IV is needed. See example below.
324
325
326 base64             Base 64
327
328 bf-cbc             Blowfish in CBC mode
329 bf                 Alias for bf-cbc
330 blowfish           Alias for bf-cbc
331 bf-cfb             Blowfish in CFB mode
332 bf-ecb             Blowfish in ECB mode
333 bf-ofb             Blowfish in OFB mode
334
335 cast-cbc           CAST in CBC mode
336 cast               Alias for cast-cbc
337 cast5-cbc          CAST5 in CBC mode
338 cast5-cfb          CAST5 in CFB mode
339 cast5-ecb          CAST5 in ECB mode
340 cast5-ofb          CAST5 in OFB mode
341
342 chacha20           ChaCha20 algorithm
343
344 des-cbc            DES in CBC mode
345 des                Alias for des-cbc
346 des-cfb            DES in CFB mode
347 des-ofb            DES in OFB mode
348 des-ecb            DES in ECB mode
349
350 des-ede-cbc        Two key triple DES EDE in CBC mode
351 des-ede            Two key triple DES EDE in ECB mode
352 des-ede-cfb        Two key triple DES EDE in CFB mode
353 des-ede-ofb        Two key triple DES EDE in OFB mode
354
355 des-ede3-cbc       Three key triple DES EDE in CBC mode
356 des-ede3           Three key triple DES EDE in ECB mode
357 des3               Alias for des-ede3-cbc
358 des-ede3-cfb       Three key triple DES EDE CFB mode
359 des-ede3-ofb       Three key triple DES EDE in OFB mode
360
361 desx               DESX algorithm.
362
363 gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
364 gost89-cnt         GOST 28147-89 in CNT mode (provided by ccgost engine)
365
366 idea-cbc           IDEA algorithm in CBC mode
367 idea               same as idea-cbc
368 idea-cfb           IDEA in CFB mode
369 idea-ecb           IDEA in ECB mode
370 idea-ofb           IDEA in OFB mode
371
372 rc2-cbc            128 bit RC2 in CBC mode
373 rc2                Alias for rc2-cbc
374 rc2-cfb            128 bit RC2 in CFB mode
375 rc2-ecb            128 bit RC2 in ECB mode
376 rc2-ofb            128 bit RC2 in OFB mode
377 rc2-64-cbc         64 bit RC2 in CBC mode
378 rc2-40-cbc         40 bit RC2 in CBC mode
379
380 rc4                128 bit RC4
381 rc4-64             64 bit RC4
382 rc4-40             40 bit RC4
383
384 rc5-cbc            RC5 cipher in CBC mode
385 rc5                Alias for rc5-cbc
386 rc5-cfb            RC5 cipher in CFB mode
387 rc5-ecb            RC5 cipher in ECB mode
388 rc5-ofb            RC5 cipher in OFB mode
389
390 seed-cbc           SEED cipher in CBC mode
391 seed               Alias for seed-cbc
392 seed-cfb           SEED cipher in CFB mode
393 seed-ecb           SEED cipher in ECB mode
394 seed-ofb           SEED cipher in OFB mode
395
396 sm4-cbc            SM4 cipher in CBC mode
397 sm4                Alias for sm4-cbc
398 sm4-cfb            SM4 cipher in CFB mode
399 sm4-ctr            SM4 cipher in CTR mode
400 sm4-ecb            SM4 cipher in ECB mode
401 sm4-ofb            SM4 cipher in OFB mode
402
403 aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
404 aes[128|192|256]       Alias for aes-[128|192|256]-cbc
405 aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
406 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
407 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
408 aes-[128|192|256]-ctr  128/192/256 bit AES in CTR mode
409 aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
410 aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
411
412 aes-[128|192|256]-wrap     key wrapping using 128/192/256 bit AES
413 aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
414
415 aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
416 aria[128|192|256]       Alias for aria-[128|192|256]-cbc
417 aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
418 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
419 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
420 aria-[128|192|256]-ctr  128/192/256 bit ARIA in CTR mode
421 aria-[128|192|256]-ecb  128/192/256 bit ARIA in ECB mode
422 aria-[128|192|256]-ofb  128/192/256 bit ARIA in OFB mode
423
424 camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
425 camellia[128|192|256]       Alias for camellia-[128|192|256]-cbc
426 camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode
427 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
428 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
429 camellia-[128|192|256]-ctr  128/192/256 bit Camellia in CTR mode
430 camellia-[128|192|256]-ecb  128/192/256 bit Camellia in ECB mode
431 camellia-[128|192|256]-ofb  128/192/256 bit Camellia in OFB mode
432
433=head1 EXAMPLES
434
435Just base64 encode a binary file:
436
437 openssl base64 -in file.bin -out file.b64
438
439Decode the same file
440
441 openssl base64 -d -in file.b64 -out file.bin
442
443Encrypt a file using AES-128 using a prompted password
444and PBKDF2 key derivation:
445
446 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
447
448Decrypt a file using a supplied password:
449
450 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
451    -pass pass:<password>
452
453Encrypt a file then base64 encode it (so it can be sent via mail for example)
454using AES-256 in CTR mode and PBKDF2 key derivation:
455
456 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
457
458Base64 decode a file then decrypt it using a password supplied in a file:
459
460 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
461    -pass file:<passfile>
462
463AES key wrapping:
464
465 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
466or
467 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
468
469=head1 BUGS
470
471The B<-A> option when used with large files doesn't work properly.
472On the other hand, when base64 decoding without the B<-A> option,
473if the first 1024 bytes of input do not include a newline character
474the first two lines of input are ignored.
475
476The B<openssl enc> command only supports a fixed number of algorithms with
477certain parameters. So if, for example, you want to use RC2 with a
47876 bit key or RC4 with an 84 bit key you can't use this program.
479
480=head1 HISTORY
481
482The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
483
484The B<-list> option was added in OpenSSL 1.1.1e.
485
486The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
487
488The B<-saltlen> option was added in OpenSSL 3.2.
489
490=head1 COPYRIGHT
491
492Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
493
494Licensed under the Apache License 2.0 (the "License").  You may not use
495this file except in compliance with the License.  You can obtain a copy
496in the file LICENSE in the source distribution or at
497L<https://www.openssl.org/source/license.html>.
498
499=cut
500