The OpenSSL command is built into most Linux distributions, and can be used for encrypting and encoding things.

Encrypting a message

OpenSSL can be used to encrypt and decrypt messages. The following command will encrypt a message:

echo "Hello" | openssl enc -bf -pass pass:abc123

I chose to use blowfish, but you can get a list of all available ciphers with:

openssl --show-ciphers

However, you’ll notice the output is raw binary that doesn’t display as readable text:

Salted__XᲡ��N��2�[���

To fix this, simply tell OpenSSL to use base64 encoding:

echo "Hello" | openssl enc -a -bf -pass pass:abc123

this will return something like:

U2FsdGVkX1+gY6RSJ4HUntrKFFzJbdQt

but it will be different each time, because OpenSSL adds a random salt to make it harder to crack.

Decrypting a message

To decrypt a message, simply run the same thing, but with the -d flag:

echo "U2FsdGVkX1+gY6RSJ4HUntrKFFzJbdQt" | openssl enc -d -a -bf -pass pass:abc123

this should return:

Hello

Encrypting a file

To encrypt a file, you simply need to add a few options to OpenSSL. First, make a file:

echo "test" > test.txt

then, let’s encrypt it with blowfish:

openssl enc -a -bf -in test.txt -out test.enc -pass pass:abc123

The file test.enc will now contain:

U2FsdGVkX19l7MAkosqzp+oAjBeaRM3P

While you don’t really need to use base64 since it’s in a file, I still recommend it because it makes copying and pasting possible.
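
To see why the output changes on every run, the two base64 outputs shown above can be taken apart: once decoded, each starts with the 8-byte marker Salted__ followed by an 8-byte salt, and the cipher key and IV are derived from the password plus that salt. This is an added example in Python, not part of the original post; the function names are made up here, and the SHA-256 digest is an assumption (openssl enc defaulted to MD5 before OpenSSL 1.1.0 and to SHA-256 afterwards).

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes in front of the salt

# The two base64 outputs shown on this page (same password, different salts).
PAGE_SAMPLES = ["U2FsdGVkX1+gY6RSJ4HUntrKFFzJbdQt",
                "U2FsdGVkX19l7MAkosqzp+oAjBeaRM3P"]


def parse_salted(b64_text):
    """Split `openssl enc -a` output into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("not in salted 'openssl enc' format")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password, salt, key_len=16, iv_len=8, digest="sha256"):
    """Single-iteration EVP_BytesToKey, which `enc` uses when -pbkdf2 is absent.

    key_len=16 and iv_len=8 are the bf-cbc sizes. The digest is an assumption:
    pass digest="md5" to mimic OpenSSL releases older than 1.1.0.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # Each round hashes the previous block, the password and the salt.
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def describe(b64_text, password=b"abc123"):
    """Return salt, ciphertext length and derived key/IV for one sample."""
    salt, ciphertext = parse_salted(b64_text)
    key, iv = evp_bytes_to_key(password, salt)
    return {"salt": salt.hex(), "ct_len": len(ciphertext),
            "key": key.hex(), "iv": iv.hex()}


if __name__ == "__main__":
    for sample in PAGE_SAMPLES:
        print(describe(sample))
```

Both samples carry exactly one 8-byte Blowfish block of ciphertext, but different salts give different keys and IVs even though the password is the same. The derivation is a single hash pass, so the salt does not make a short password like abc123 hard to guess; OpenSSL 1.1.1 and later offer -pbkdf2 with -iter to raise that cost.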

Decrypting a file

Simply run the same command to encrypt, but with the -d flag.

openssl enc -d -a -bf -in test.enc -out test.dec -pass pass:abc123

and check test.dec, and you should see:

test

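This means everything worked! Also, if you don’t use the -pass flag, OpenSSL will automatically ask you for the password, so it’s not needed, but it makes copying and pasting the commands easier. Keep in mind that a password given as -pass pass:abc123 ends up in your shell history and can be seen in the process list while the command runs, so for a real secret it is better to let OpenSSL prompt for it.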

Hashing

If you ever need to hash something, to verify it hasn’t been tampered with, OpenSSL can also help you out. Simply use openssl dgst:

echo "test" | openssl dgst -sha512

will return:

(stdin)= 0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123

there are other hashing algorithms, but SHA512 is currently the most secure one.

Hashing files

To get the hash of a file, simply use the cat command, as I couldn’t find a way to hash a file directly with OpenSSL, as the help page returns:

options are
-c              to output the digest with separating colons
-r              to output the digest in coreutils format
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-hmac arg       set the HMAC key to arg
-non-fips-allow allow use of non FIPS digest
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-out filename   output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v    signature parameter
-hmac key       create hashed MAC with key
-mac algorithm  create MAC (not neccessarily HMAC)
-macopt nm:v    MAC algorithm parameters or key
-engine e       use engine e, possibly a hardware device.
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm

so, just run:

cat file | openssl dgst -sha512

Also, if you want to get just the hash, run:

echo "test" | openssl dgst -sha512 | cut -d " " -f 2

which returns:

0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123

instead of (stdin)= and then the hash.

