- Encrypt a string using openssl command line
- 5 Answers 5
- Encrypting and Decrypting Files in Linux
- 1. Overview
- 2. Basics of Encryption
- 2.1. Types of Encryption
- 2.2. Types of Keys
- 3. GPG Installation
- 4. Symmetric Encryption
- 4.1. Encrypting Files
- 4.2. Decrypting Files
- 5. Asymmetric Encryption
- 5.1. Generating a Public/Private Key Pair
- 5.2. Sharing Public Key
- 5.3. Importing Public Key
- 5.4. Encrypting Files
- 5.5. Decrypting Files
- 5.6. Two-Way Communications
- 6. Conclusion
Encrypt a string using openssl command line
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string. This encrypted string ( in human readable format ) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with openssl commandline.
+1 reopen. It is 100% obvious what is being asked here. I’ll restate it though: how do you encrypt a string using the openssl command? It is not an obvious task, and the user provides the context of his request.
@G-Wiz: «how do you encrypt a string using the openssl command» — is that on-topic for Stack Overflow? It does not appear to be programming related. It sounds like a request for help on a command, which would be more appropriate for Super User.
5 Answers 5
Here’s one way to encrypt a string with openssl on the command line (must enter password twice):
echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password:
Here’s what the output looks like:
U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm
Edit: To my knowledge, you can’t control the number of bytes out. You can b64 or hex encode it, but that’s about it. Also, if you want to save that string to a file rather than stdout, use the -out option.
Thanks, but would there be any other way I can encrypt a 16 character string and generate a 16 character encrypted string in Linux using command line
echo 'foo' | openssl aes-256-cbc -a -salt echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt
openssl list-cipher-commands
to list all available ciphers.
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]
I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of Format-Preserving Encryption. There’s a lot to the paper, and it can’t fit into a single paragraph on Stack Overflow.
If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you’d need a shorter string of length 12 characters to achieve 16 human readable characters.
As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):
$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password cSTzU8+UPQQwpRAq
Also, you really need to understand te -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).
Encrypting and Decrypting Files in Linux
The Kubernetes ecosystem is huge and quite complex, so it’s easy to forget about costs when trying out all of the exciting tools.
To avoid overspending on your Kubernetes cluster, definitely have a look at the free K8s cost monitoring tool from the automation platform CAST AI. You can view your costs in real time, allocate them, calculate burn rates for projects, spot anomalies or spikes, and get insightful reports you can share with your team.
Connect your cluster and start monitoring your K8s costs right away:
1. Overview
Encryption is the process of encoding data with the intent of keeping it safe from unauthorized access.
In this quick tutorial, we’ll learn how to encrypt and decrypt files in Linux systems using GPG (GNU Privacy Guard), which is popular and free software.
2. Basics of Encryption
Before we start, let’s try to understand some basic concepts.
Basically, all types of encryption (and decryption) primarily involve either a passphrase or a key, which are simply data strings.
2.1. Types of Encryption
Depending on the number of data strings involved in the encryption and decryption process, we have two kinds of encryption.
When only one data string – a passphrase – is used for both encryption and decryption, it’s called symmetric encryption. We generally use symmetric encryption when we don’t need to share the encrypted files with anyone else. If we do share, then we’d need to share the passphrase as well, which can be a potential risk factor.
On the other hand, when two data strings are involved, one for encryption and another for decryption, it’s called asymmetric encryption. Accordingly, the pair of data strings are called key pairs.
Asymmetric encryption is more suitable for the sharing of encrypted files, as it requires sharing only one of the two data strings. We’ll discuss this later in the tutorial.
2.2. Types of Keys
In asymmetric encryption, a key pair consists of two keys — a public key and a private key.
The public key is not confidential. Therefore, we can share the public key with stakeholders without any risk.
On the contrary, we should always keep the private key a secret and never share it with anyone.
Public keys are always used for encryption and private keys for decryption when it comes to data encryption/decryption.
It might be worthwhile to know that public/private keys can also be used in the field of digital signatures. In such cases, we use the private key to create the signature and its corresponding public key to verify its authenticity.
3. GPG Installation
Let’s open a terminal window and check if GPG is installed:
> gpg --version gpg (GnuPG) 2.2.4
If it’s not installed, let’s go ahead and install it using the package manager of our Linux distribution.
For apt based distributions:
Or, for yum based distributions:
The GPG tool comes with both GUI and CLI, but we’ll be using the command line for our examples.
Additionally, we’ll be using the appropriate options to run the commands in unattended mode.
4. Symmetric Encryption
4.1. Encrypting Files
Let’s now try encrypting a file by first creating a sample file:
> echo "Hello, Baeldung!" > greetings.txt
Next, let’s run the gpg command to encrypt the file using a passphrase:
> gpg --batch --output greetings.txt.gpg --passphrase mypassword --symmetric greetings.txt
Subsequently, this will create the encrypted file greetings.txt.gpg in the same location using the default AES256 algorithm. To use a different algorithm, we can use the option —cipher-algo.
4.2. Decrypting Files
Let’s now try to decrypt the encrypted file from the previous example:
> gpg --batch --output greetings1.txt --passphrase mypassword --decrypt greetings.txt.gpg gpg: AES256 encrypted data gpg: encrypted with 1 passphrase
This will create the decrypted file greetings1.txt in the same location.
Note that if we omit the –batch option, the system prompts us to enter the passphrase and then stores it in the session.
Therefore, to clear the password stored in the session, we can run:
echo RELOADAGENT | gpg-connect-agent
Let’s now get back to our decrypted file and verify that the decryption was successful:
> diff -s greetings.txt greetings1.txt Files greetings.txt and greetings1.txt are identical
5. Asymmetric Encryption
In this type of encryption, there are two roles involved — a sender and a receiver.
The receiver decrypts the received file. Thus, the receiver is responsible for generating the key pair. Above all, the receiver would safely keep the private key secret and share only the public key with the sender.
The sender encrypts the file to be sent using the public key shared by the receiver.
Let’s see how this works using an example where Ryan is the receiver, and Sam is the sender.
To simplify things, let’s create two work folders for each of them, which, in the real-world, would represent two different systems:
5.1. Generating a Public/Private Key Pair
The first step is for Ryan, as the receiver, to generate a key pair in his folder:
> cd ryan > gpg --batch --generate-key [email protected] Passphrase: ryanpassword Expire-Date: 30 %pubring ryanpubring.kbx %commit EOF
This will generate the key pair and store it in the ryanpubring.kbx keyring file in the same location.
Let’s view the public key entry made to the keyring file:
> gpg --keyring ./ryanpubring.kbx --no-default-keyring --list-keys ./ryanpubring.kbx ----------------- pub rsa3072 2019-10-27 [SCEA] [expires: 2019-11-26] 120C528F1D136BCF7AAACEE6D6BA055613B064D7 uid [ unknown] Ryan [email protected]> sub rsa3072 2019-10-27 [SEA] [expires: 2019-11-26]
The pub indicator is for the public key.
Similarly, we can view the private key entry:
> gpg --keyring ./ryanpubring.kbx --no-default-keyring --list-secret-keys ./ryanpubring.kbx ----------------- sec rsa3072 2019-10-27 [SCEA] [expires: 2019-11-26] 120C528F1D136BCF7AAACEE6D6BA055613B064D7 uid [ultimate] Ryan [email protected]> ssb rsa3072 2019-10-27 [SEA] [expires: 2019-11-26]
Here, sec indicates that this is a secret or private key.
5.2. Sharing Public Key
After a successful key generation, Ryan can export the public key from his keyring into a file:
This will generate a new file ryanpubkey.gpg containing the public key. Let’s take a peek at the file content:
> cat ryanpubkey.gpg -----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBF21KQoBDACs7bgjl22TPyQDKjLTMlZrBgQrXZOIkNcH3z1f87XQYoLjVPU3 ymg1hweHm1RsIxO+GdD42pkU/ob5YdWgvVBRdIZPeTXciTa8TtxZKNNtr+IL0pwY . -----END PGP PUBLIC KEY BLOCK-----
Ryan can now share this file with Sam via secured or unsecured channels.
In our example, let’s do a simple file copy for sharing the public key:
5.3. Importing Public Key
Let’s now see what Sam has to do after receiving the public key from Ryan.
First, let’s switch to Sam’s folder:
Then, let’s import Ryan’s public key into Sam’s keyring file:
> gpg --keyring ./sampubring.kbx --no-default-keyring --import ryanpubkey.gpg gpg: keybox './sampubring.kbx' created gpg: key D6BA055613B064D7: public key "Ryan [email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: public key of ultimately trusted key 01220F5773165740 not found gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: next trustdb check due at 2019-11-26
This will create a new keyring file sampubring.kbx and add the public key to it.
We can now view the imported key:
The [ unknown] indicates that information regarding the key’s trustworthiness is not available. To avoid warnings in the future, let’s change this to trusted:
In the trust level question that is asked, let’s specify our choice as 5 = I trust ultimately and confirm as yes. After that, let’s type quit to exit from the shell.
5.4. Encrypting Files
Sam is now all set to encrypt a file that only Ryan can read. Let’s create a sample file:
> echo "Hello, Baeldung!" > greetings.txt
Afterward, let’s specify Ryan as the recipient in the encrypt command:
This creates the file greetings.txt.gpg in the same location and encrypted using Ryan’s public key. Sam can now share this file with Ryan via secured or unsecured channels.
As before, let’s do a simple file copy for sharing the encrypted file:
5.5. Decrypting Files
Let’s now return to Ryan’s folder to read the encrypted file he received from Sam:
We can use the decrypt command:
This will create a new file greetings.txt decrypted using Ryan’s private key.
We can quickly check if decryption was successful:
> diff -s greetings.txt ../sam/greetings.txt Files greetings.txt and ../sam/greetings.txt are identical
5.6. Two-Way Communications
In the previous example, the communication is unidirectional, as the sender and receiver roles are static.
What this means is that for enabling bidirectional communication, all we need to do is reverse the roles by generating a second key pair. We can follow the same steps listed in the previous section.
6. Conclusion
In this article, we learned how to encrypt files using two different approaches so that, depending on the requirement, we can decide upon the most suitable one for the task.
We also learned about public/private keys and how to use them practically for file encryption/decryption.