2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-enc - symmetric cipher routines
10 B<openssl> B<enc>|I<cipher>
24 [B<-kfile> I<filename>]
37 [B<-bufsize> I<number>]
42 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
43 {- $OpenSSL::safe::opt_provider_synopsis -}
45 B<openssl> I<cipher> [B<...>]
49 The symmetric cipher commands allow data to be encrypted or decrypted
50 using various block and stream ciphers using keys based on passwords
51 or explicitly provided. Base64 encoding or decoding can also be performed
52 either by itself or in addition to the encryption or decryption.
64 Print out a usage message.
68 List all supported ciphers.
72 Alias of -list to display all supported ciphers.
74 =item B<-in> I<filename>
76 The input filename, standard input by default.
78 =item B<-out> I<filename>
80 The output filename, standard output by default.
84 The password source. For more information about the format of I<arg>
85 see L<openssl-passphrase-options(1)>.
89 Encrypt the input data: this is the default.
93 Decrypt the input data.
97 Base64 process the data. This means that if encryption is taking place
98 the data is base64 encoded after encryption. If decryption is set then
99 the input data is base64 decoded before being decrypted.
107 If the B<-a> option is set then base64 process the data on one line.
109 =item B<-k> I<password>
111 The password to derive the key from. This is for compatibility with previous
112 versions of OpenSSL. Superseded by the B<-pass> argument.
114 =item B<-kfile> I<filename>
116 Read the password to derive the key from the first line of I<filename>.
117 This is for compatibility with previous versions of OpenSSL. Superseded by
118 the B<-pass> argument.
120 =item B<-md> I<digest>
122 Use the specified digest to create the key from the passphrase.
123 The default algorithm is sha-256.
125 =item B<-iter> I<count>
127 Use a given number of iterations on the password in deriving the encryption key.
128 High values increase the time required to brute-force the resulting file.
129 This option enables the use of PBKDF2 algorithm to derive the key.
133 Use PBKDF2 algorithm with a default iteration count of 10000
134 unless otherwise specified by the B<-iter> command line option.
138 Set the salt length to use when using the B<-pbkdf2> option.
139 For compatibility reasons, the default is 8 bytes.
140 The maximum value is currently 16 bytes.
141 If the B<-pbkdf2> option is not used, then this option is ignored
142 and a fixed salt length of 8 is used. The salt length used when
143 encrypting must also be used when decrypting.
147 Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
148 used except for test purposes or compatibility with ancient versions of
153 Use salt (randomly generated or provide with B<-S> option) when
154 encrypting, this is the default.
158 The actual salt to use: this must be represented as a string of hex digits.
159 If this option is used while encrypting, the same exact value will be needed
160 again during decryption. This salt may be truncated or zero padded to
161 match the salt length (See B<-saltlen>).
165 The actual key to use: this must be represented as a string comprised only
166 of hex digits. If only the key is specified, the IV must additionally specified
167 using the B<-iv> option. When both a key and a password are specified, the
168 key given with the B<-K> option will be used and the IV generated from the
169 password will be taken. It does not make much sense to specify both key
174 The actual IV to use: this must be represented as a string comprised only
175 of hex digits. When only the key is specified using the B<-K> option, the
176 IV must explicitly be defined. When a password is being specified using
177 one of the other options, the IV is generated from this password.
181 Print out the key and IV used.
185 Print out the key and IV used then immediately exit: don't do any encryption
188 =item B<-bufsize> I<number>
190 Set the buffer size for I/O.
194 Disable standard block padding.
198 Verbose print; display some statistics about I/O and buffer sizes.
202 Debug the BIOs used for I/O.
206 Compress or decompress encrypted data using zlib after encryption or before
207 decryption. This option exists only if OpenSSL was compiled with the zlib
208 or zlib-dynamic option.
212 Use NULL cipher (no encryption or decryption of input).
214 {- $OpenSSL::safe::opt_r_item -}
216 {- $OpenSSL::safe::opt_provider_item -}
218 {- $OpenSSL::safe::opt_engine_item -}
224 The program can be called either as C<openssl I<cipher>> or
225 C<openssl enc -I<cipher>>. The first form doesn't work with
226 engine-provided ciphers, because this form is processed before the
227 configuration file is read and any ENGINEs loaded.
228 Use the L<openssl-list(1)> command to get a list of supported ciphers.
230 Engines which provide entirely new encryption algorithms (such as the ccgost
231 engine which provides gost89 algorithm) should be configured in the
232 configuration file. Engines specified on the command line using B<-engine>
233 option can only be used for hardware-assisted implementations of
234 ciphers which are supported by the OpenSSL core or another engine specified
235 in the configuration file.
237 When the enc command lists supported ciphers, ciphers provided by engines,
238 specified in the configuration files are listed too.
240 A password will be prompted for to derive the key and IV if necessary.
242 The B<-salt> option should B<ALWAYS> be used if the key is being derived
243 from a password unless you want compatibility with previous versions of
246 Without the B<-salt> option it is possible to perform efficient dictionary
247 attacks on the password and to attack stream cipher encrypted data. The reason
248 for this is that without the salt the same password always generates the same
251 When the salt is generated at random (that means when encrypting using a
252 passphrase without explicit salt given using B<-S> option), the first bytes
253 of the encrypted data are reserved to store the salt for later decrypting.
255 Some of the ciphers do not have large keys and others have security
256 implications if not used correctly. A beginner is advised to just use
257 a strong block cipher, such as AES, in CBC mode.
259 All the block ciphers normally use PKCS#5 padding, also known as standard
260 block padding. This allows a rudimentary integrity or password check to
261 be performed. However, since the chance of random data passing the test
262 is better than 1 in 256 it isn't a very good test.
264 If padding is disabled then the input data must be a multiple of the cipher
267 All RC2 ciphers have the same key and effective key length.
269 Blowfish and RC5 algorithms use a 128 bit key.
271 Please note that OpenSSL 3.0 changed the effect of the B<-S> option.
272 Any explicit salt value specified via this option is no longer prepended to the
273 ciphertext when encrypting, and must again be explicitly provided when decrypting.
274 Conversely, when the B<-S> option is used during decryption, the ciphertext
275 is expected to not have a prepended salt value.
277 When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
278 explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will
279 then be read from the ciphertext.
280 To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
281 the B<-S> option, the salt will be then be generated randomly and prepended
284 =head1 SUPPORTED CIPHERS
286 Note that some of these ciphers can be disabled at compile time
287 and some are available only if an appropriate engine is configured
288 in the configuration file. The output when invoking this command
289 with the B<-list> option (that is C<openssl enc -list>) is
290 a list of ciphers, supported by your version of OpenSSL, including
291 ones provided by configured engines.
293 This command does not support authenticated encryption modes
294 like CCM and GCM, and will not support such modes in the future.
295 This is due to having to begin streaming output (e.g., to standard output
296 when B<-out> is not used) before the authentication tag could be validated.
297 When this command is used in a pipeline, the receiving end will not be
298 able to roll back upon authentication failure. The AEAD modes currently in
299 common use also suffer from catastrophic failure of confidentiality and/or
300 integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
301 entire burden of key/iv/nonce management upon the user, the risk of
302 exposing AEAD modes is too great to allow. These key/iv/nonce
303 management issues also affect other modes currently exposed in this command,
304 but the failure modes are less extreme in these cases, and the
305 functionality cannot be removed with a stable release branch.
306 For bulk encryption of data, whether using authenticated encryption
307 modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
308 standard data format and performs the needed key/iv/nonce management.
310 When enc is used with key wrapping modes the input data cannot be streamed,
311 meaning it must be processed in a single pass.
312 Consequently, the input data size must be less than
313 the buffer size (-bufsize arg, default to 8*1024 bytes).
314 The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
315 because no padding is involved.
316 The '*-wrap-pad' ciphers allow any input length.
317 In both cases, no IV is needed. See example below.
322 bf-cbc Blowfish in CBC mode
324 blowfish Alias for bf-cbc
325 bf-cfb Blowfish in CFB mode
326 bf-ecb Blowfish in ECB mode
327 bf-ofb Blowfish in OFB mode
329 cast-cbc CAST in CBC mode
330 cast Alias for cast-cbc
331 cast5-cbc CAST5 in CBC mode
332 cast5-cfb CAST5 in CFB mode
333 cast5-ecb CAST5 in ECB mode
334 cast5-ofb CAST5 in OFB mode
336 chacha20 ChaCha20 algorithm
338 des-cbc DES in CBC mode
339 des Alias for des-cbc
340 des-cfb DES in CFB mode
341 des-ofb DES in OFB mode
342 des-ecb DES in ECB mode
344 des-ede-cbc Two key triple DES EDE in CBC mode
345 des-ede Two key triple DES EDE in ECB mode
346 des-ede-cfb Two key triple DES EDE in CFB mode
347 des-ede-ofb Two key triple DES EDE in OFB mode
349 des-ede3-cbc Three key triple DES EDE in CBC mode
350 des-ede3 Three key triple DES EDE in ECB mode
351 des3 Alias for des-ede3-cbc
352 des-ede3-cfb Three key triple DES EDE CFB mode
353 des-ede3-ofb Three key triple DES EDE in OFB mode
357 gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
358 gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine)
360 idea-cbc IDEA algorithm in CBC mode
361 idea same as idea-cbc
362 idea-cfb IDEA in CFB mode
363 idea-ecb IDEA in ECB mode
364 idea-ofb IDEA in OFB mode
366 rc2-cbc 128 bit RC2 in CBC mode
367 rc2 Alias for rc2-cbc
368 rc2-cfb 128 bit RC2 in CFB mode
369 rc2-ecb 128 bit RC2 in ECB mode
370 rc2-ofb 128 bit RC2 in OFB mode
371 rc2-64-cbc 64 bit RC2 in CBC mode
372 rc2-40-cbc 40 bit RC2 in CBC mode
378 rc5-cbc RC5 cipher in CBC mode
379 rc5 Alias for rc5-cbc
380 rc5-cfb RC5 cipher in CFB mode
381 rc5-ecb RC5 cipher in ECB mode
382 rc5-ofb RC5 cipher in OFB mode
384 seed-cbc SEED cipher in CBC mode
385 seed Alias for seed-cbc
386 seed-cfb SEED cipher in CFB mode
387 seed-ecb SEED cipher in ECB mode
388 seed-ofb SEED cipher in OFB mode
390 sm4-cbc SM4 cipher in CBC mode
391 sm4 Alias for sm4-cbc
392 sm4-cfb SM4 cipher in CFB mode
393 sm4-ctr SM4 cipher in CTR mode
394 sm4-ecb SM4 cipher in ECB mode
395 sm4-ofb SM4 cipher in OFB mode
397 aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
398 aes[128|192|256] Alias for aes-[128|192|256]-cbc
399 aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
400 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
401 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
402 aes-[128|192|256]-ctr 128/192/256 bit AES in CTR mode
403 aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
404 aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
406 aes-[128|192|256]-wrap key wrapping using 128/192/256 bit AES
407 aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
409 aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode
410 aria[128|192|256] Alias for aria-[128|192|256]-cbc
411 aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode
412 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
413 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
414 aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode
415 aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode
416 aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode
418 camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode
419 camellia[128|192|256] Alias for camellia-[128|192|256]-cbc
420 camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode
421 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
422 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
423 camellia-[128|192|256]-ctr 128/192/256 bit Camellia in CTR mode
424 camellia-[128|192|256]-ecb 128/192/256 bit Camellia in ECB mode
425 camellia-[128|192|256]-ofb 128/192/256 bit Camellia in OFB mode
429 Just base64 encode a binary file:
431 openssl base64 -in file.bin -out file.b64
435 openssl base64 -d -in file.b64 -out file.bin
437 Encrypt a file using AES-128 using a prompted password
438 and PBKDF2 key derivation:
440 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
442 Decrypt a file using a supplied password:
444 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
445 -pass pass:<password>
447 Encrypt a file then base64 encode it (so it can be sent via mail for example)
448 using AES-256 in CTR mode and PBKDF2 key derivation:
450 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
452 Base64 decode a file then decrypt it using a password supplied in a file:
454 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
455 -pass file:<passfile>
459 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
461 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
465 The B<-A> option when used with large files doesn't work properly.
467 The B<openssl enc> command only supports a fixed number of algorithms with
468 certain parameters. So if, for example, you want to use RC2 with a
469 76 bit key or RC4 with an 84 bit key you can't use this program.
473 The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
475 The B<-list> option was added in OpenSSL 1.1.1e.
477 The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
479 The B<-saltlen> option was added in OpenSSL 3.2.
483 Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
485 Licensed under the Apache License 2.0 (the "License"). You may not use
486 this file except in compliance with the License. You can obtain a copy
487 in the file LICENSE in the source distribution or at
488 L<https://www.openssl.org/source/license.html>.