1 .\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30)
4 .\" ========================================================================
5 .de Sp \" Vertical space (when we can't use .PP)
9 .de Vb \" Begin verbatim text
14 .de Ve \" End verbatim text
18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20 .\" double quote, and \*(R" will give a right double quote. \*(C+ will
21 .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22 .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23 .\" nothing in troff, for use with C<>.
25 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
45 .\" Escape single quotes in literal strings from groff's Unicode transform.
49 .\" If the F register is turned on, we'll generate index entries on stderr for
50 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
52 .\" output yourself in some meaningful fashion.
54 .\" Avoid warning from groff about undefined register 'F'.
58 .if \n(.g .if rF .nr rF 1
59 .if (\n(rF:(\n(.g==0)) \{
62 . tm Index:\\$1\t\\n%\t"\\$2"
72 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
73 .\" Fear. Run. Save yourself. No user-serviceable parts.
74 . \" fudge factors for nroff and troff
83 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89 . \" simple accents for nroff and troff
99 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
100 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
101 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
102 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
103 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
104 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
106 . \" troff and (daisy-wheel) nroff accents
107 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
108 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
109 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
110 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
111 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
112 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
113 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
114 .ds ae a\h'-(\w'a'u*4/10)'e
115 .ds Ae A\h'-(\w'A'u*4/10)'E
116 . \" corrections for vroff
117 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
118 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
119 . \" for low resolution devices (crt and lpr)
120 .if \n(.H>23 .if \n(.V>19 \
133 .\" ========================================================================
136 .TH ENC 1 "2015-06-11" "0.9.8zg" "OpenSSL"
137 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
138 .\" way too many mistakes in technical documents.
142 enc \- symmetric cipher routines
144 .IX Header "SYNOPSIS"
145 \&\fBopenssl enc \-ciphername\fR
146 [\fB\-in filename\fR]
147 [\fB\-out filename\fR]
154 [\fB\-kfile filename\fR]
156 [\fB\-iv \s-1IV\s0\fR]
159 [\fB\-bufsize number\fR]
163 .IX Header "DESCRIPTION"
164 The symmetric cipher commands allow data to be encrypted or decrypted
165 using various block and stream ciphers using keys based on passwords
166 or explicitly provided. Base64 encoding or decoding can also be performed
167 either by itself or in addition to the encryption or decryption.
170 .IP "\fB\-in filename\fR" 4
171 .IX Item "-in filename"
172 the input filename, standard input by default.
173 .IP "\fB\-out filename\fR" 4
174 .IX Item "-out filename"
175 the output filename, standard output by default.
176 .IP "\fB\-pass arg\fR" 4
178 the password source. For more information about the format of \fBarg\fR
179 see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
182 use a salt in the key derivation routines. This is the default.
183 .IP "\fB\-nosalt\fR" 4
185 don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
186 used except for test purposes or compatibility with ancient versions of OpenSSL
190 encrypt the input data: this is the default.
193 decrypt the input data.
196 base64 process the data. This means that if encryption is taking place
197 the data is base64 encoded after encryption. If decryption is set then
198 the input data is base64 decoded before being decrypted.
201 if the \fB\-a\fR option is set then base64 process the data on one line.
202 .IP "\fB\-k password\fR" 4
203 .IX Item "-k password"
204 the password to derive the key from. This is for compatibility with previous
205 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
206 .IP "\fB\-kfile filename\fR" 4
207 .IX Item "-kfile filename"
208 read the password to derive the key from the first line of \fBfilename\fR.
209 This is for compatibility with previous versions of OpenSSL. Superseded by
210 the \fB\-pass\fR argument.
211 .IP "\fB\-S salt\fR" 4
213 the actual salt to use: this must be represented as a string comprised only
215 .IP "\fB\-K key\fR" 4
217 the actual key to use: this must be represented as a string comprised only
218 of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
219 using the \fB\-iv\fR option. When both a key and a password are specified, the
220 key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
221 password will be taken. It probably does not make much sense to specify
222 both key and password.
223 .IP "\fB\-iv \s-1IV\s0\fR" 4
225 the actual \s-1IV\s0 to use: this must be represented as a string comprised only
226 of hex digits. When only the key is specified using the \fB\-K\fR option, the
227 \&\s-1IV\s0 must explicitly be defined. When a password is being specified using
228 one of the other options, the \s-1IV\s0 is generated from this password.
231 print out the key and \s-1IV\s0 used.
234 print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
236 .IP "\fB\-bufsize number\fR" 4
237 .IX Item "-bufsize number"
238 set the buffer size for I/O
239 .IP "\fB\-nopad\fR" 4
241 disable standard block padding
242 .IP "\fB\-debug\fR" 4
244 debug the BIOs used for I/O.
247 The program can be called either as \fBopenssl ciphername\fR or
248 \&\fBopenssl enc \-ciphername\fR.
250 A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
252 The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
253 from a password unless you want compatibility with previous versions of
256 Without the \fB\-salt\fR option it is possible to perform efficient dictionary
257 attacks on the password and to attack stream cipher encrypted data. The reason
258 for this is that without the salt the same password always generates the same
259 encryption key. When the salt is being used the first eight bytes of the
260 encrypted data are reserved for the salt: it is generated at random when
261 encrypting a file and read from the encrypted file when it is decrypted.
263 Some of the ciphers do not have large keys and others have security
264 implications if not used correctly. A beginner is advised to just use
265 a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
267 All the block ciphers normally use PKCS#5 padding also known as standard block
268 padding: this allows a rudimentary integrity or password check to be
269 performed. However since the chance of random data passing the test is
270 better than 1 in 256 it isn't a very good test.
272 If padding is disabled then the input data must be a multiple of the cipher
275 All \s-1RC2\s0 ciphers have the same key and effective key length.
277 Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
278 .SH "SUPPORTED CIPHERS"
279 .IX Header "SUPPORTED CIPHERS"
283 \& bf\-cbc Blowfish in CBC mode
284 \& bf Alias for bf\-cbc
285 \& bf\-cfb Blowfish in CFB mode
286 \& bf\-ecb Blowfish in ECB mode
287 \& bf\-ofb Blowfish in OFB mode
289 \& cast\-cbc CAST in CBC mode
290 \& cast Alias for cast\-cbc
291 \& cast5\-cbc CAST5 in CBC mode
292 \& cast5\-cfb CAST5 in CFB mode
293 \& cast5\-ecb CAST5 in ECB mode
294 \& cast5\-ofb CAST5 in OFB mode
296 \& des\-cbc DES in CBC mode
297 \& des Alias for des\-cbc
298 \& des\-cfb DES in CBC mode
299 \& des\-ofb DES in OFB mode
300 \& des\-ecb DES in ECB mode
302 \& des\-ede\-cbc Two key triple DES EDE in CBC mode
303 \& des\-ede Two key triple DES EDE in ECB mode
304 \& des\-ede\-cfb Two key triple DES EDE in CFB mode
305 \& des\-ede\-ofb Two key triple DES EDE in OFB mode
307 \& des\-ede3\-cbc Three key triple DES EDE in CBC mode
308 \& des\-ede3 Three key triple DES EDE in ECB mode
309 \& des3 Alias for des\-ede3\-cbc
310 \& des\-ede3\-cfb Three key triple DES EDE CFB mode
311 \& des\-ede3\-ofb Three key triple DES EDE in OFB mode
313 \& desx DESX algorithm.
315 \& idea\-cbc IDEA algorithm in CBC mode
316 \& idea same as idea\-cbc
317 \& idea\-cfb IDEA in CFB mode
318 \& idea\-ecb IDEA in ECB mode
319 \& idea\-ofb IDEA in OFB mode
321 \& rc2\-cbc 128 bit RC2 in CBC mode
322 \& rc2 Alias for rc2\-cbc
323 \& rc2\-cfb 128 bit RC2 in CFB mode
324 \& rc2\-ecb 128 bit RC2 in ECB mode
325 \& rc2\-ofb 128 bit RC2 in OFB mode
326 \& rc2\-64\-cbc 64 bit RC2 in CBC mode
327 \& rc2\-40\-cbc 40 bit RC2 in CBC mode
330 \& rc4\-64 64 bit RC4
331 \& rc4\-40 40 bit RC4
333 \& rc5\-cbc RC5 cipher in CBC mode
334 \& rc5 Alias for rc5\-cbc
335 \& rc5\-cfb RC5 cipher in CFB mode
336 \& rc5\-ecb RC5 cipher in ECB mode
337 \& rc5\-ofb RC5 cipher in OFB mode
339 \& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
340 \& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc
341 \& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
342 \& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
343 \& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
344 \& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
345 \& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
348 .IX Header "EXAMPLES"
349 Just base64 encode a binary file:
352 \& openssl base64 \-in file.bin \-out file.b64
358 \& openssl base64 \-d \-in file.b64 \-out file.bin
361 Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
364 \& openssl des3 \-salt \-in file.txt \-out file.des3
367 Decrypt a file using a supplied password:
370 \& openssl des3 \-d \-salt \-in file.des3 \-out file.txt \-k mypassword
373 Encrypt a file then base64 encode it (so it can be sent via mail for example)
374 using Blowfish in \s-1CBC\s0 mode:
377 \& openssl bf \-a \-salt \-in file.txt \-out file.bf
380 Base64 decode a file then decrypt it:
383 \& openssl bf \-d \-salt \-a \-in file.bf \-out file.txt
386 Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
389 \& openssl rc4\-40 \-in file.rc4 \-out file.txt \-K 0102030405
393 The \fB\-A\fR option when used with large files doesn't work properly.
395 There should be an option to allow an iteration count to be included.
397 The \fBenc\fR program only supports a fixed number of algorithms with
398 certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
399 76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.