1 .\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.35)
4 .\" ========================================================================
5 .de Sp \" Vertical space (when we can't use .PP)
9 .de Vb \" Begin verbatim text
14 .de Ve \" End verbatim text
18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20 .\" double quote, and \*(R" will give a right double quote. \*(C+ will
21 .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22 .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23 .\" nothing in troff, for use with C<>.
25 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
45 .\" Escape single quotes in literal strings from groff's Unicode transform.
49 .\" If the F register is >0, we'll generate index entries on stderr for
50 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
52 .\" output yourself in some meaningful fashion.
54 .\" Avoid warning from groff about undefined register 'F'.
60 . tm Index:\\$1\t\\n%\t"\\$2"
68 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69 .\" Fear. Run. Save yourself. No user-serviceable parts.
70 . \" fudge factors for nroff and troff
79 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
85 . \" simple accents for nroff and troff
95 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
102 . \" troff and (daisy-wheel) nroff accents
103 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110 .ds ae a\h'-(\w'a'u*4/10)'e
111 .ds Ae A\h'-(\w'A'u*4/10)'E
112 . \" corrections for vroff
113 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115 . \" for low resolution devices (crt and lpr)
116 .if \n(.H>23 .if \n(.V>19 \
129 .\" ========================================================================
132 .TH ENC 1 "2017-05-25" "1.0.2l" "OpenSSL"
133 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
134 .\" way too many mistakes in technical documents.
138 enc \- symmetric cipher routines
140 .IX Header "SYNOPSIS"
141 \&\fBopenssl enc \-ciphername\fR
142 [\fB\-in filename\fR]
143 [\fB\-out filename\fR]
150 [\fB\-kfile filename\fR]
152 [\fB\-iv \s-1IV\s0\fR]
160 [\fB\-bufsize number\fR]
166 .IX Header "DESCRIPTION"
167 The symmetric cipher commands allow data to be encrypted or decrypted
168 using various block and stream ciphers using keys based on passwords
169 or explicitly provided. Base64 encoding or decoding can also be performed
170 either by itself or in addition to the encryption or decryption.
173 .IP "\fB\-in filename\fR" 4
174 .IX Item "-in filename"
175 the input filename, standard input by default.
176 .IP "\fB\-out filename\fR" 4
177 .IX Item "-out filename"
178 the output filename, standard output by default.
179 .IP "\fB\-pass arg\fR" 4
181 the password source. For more information about the format of \fBarg\fR
182 see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
185 use a salt in the key derivation routines. This is the default.
186 .IP "\fB\-nosalt\fR" 4
188 don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
189 used except for test purposes or compatibility with ancient versions of OpenSSL
193 encrypt the input data: this is the default.
196 decrypt the input data.
199 base64 process the data. This means that if encryption is taking place
200 the data is base64 encoded after encryption. If decryption is set then
201 the input data is base64 decoded before being decrypted.
202 .IP "\fB\-base64\fR" 4
207 if the \fB\-a\fR option is set then base64 process the data on one line.
208 .IP "\fB\-k password\fR" 4
209 .IX Item "-k password"
210 the password to derive the key from. This is for compatibility with previous
211 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
212 .IP "\fB\-kfile filename\fR" 4
213 .IX Item "-kfile filename"
214 read the password to derive the key from the first line of \fBfilename\fR.
215 This is for compatibility with previous versions of OpenSSL. Superseded by
216 the \fB\-pass\fR argument.
217 .IP "\fB\-nosalt\fR" 4
222 use salt (randomly generated or provide with \fB\-S\fR option) when
223 encrypting (this is the default).
224 .IP "\fB\-S salt\fR" 4
226 the actual salt to use: this must be represented as a string of hex digits.
227 .IP "\fB\-K key\fR" 4
229 the actual key to use: this must be represented as a string comprised only
230 of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
231 using the \fB\-iv\fR option. When both a key and a password are specified, the
232 key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
233 password will be taken. It probably does not make much sense to specify
234 both key and password.
235 .IP "\fB\-iv \s-1IV\s0\fR" 4
237 the actual \s-1IV\s0 to use: this must be represented as a string comprised only
238 of hex digits. When only the key is specified using the \fB\-K\fR option, the
239 \&\s-1IV\s0 must explicitly be defined. When a password is being specified using
240 one of the other options, the \s-1IV\s0 is generated from this password.
243 print out the key and \s-1IV\s0 used.
246 print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
248 .IP "\fB\-bufsize number\fR" 4
249 .IX Item "-bufsize number"
250 set the buffer size for I/O
251 .IP "\fB\-nopad\fR" 4
253 disable standard block padding
254 .IP "\fB\-debug\fR" 4
256 debug the BIOs used for I/O.
259 Compress or decompress clear text using zlib before encryption or after
260 decryption. This option exists only if OpenSSL with compiled with zlib
261 or zlib-dynamic option.
264 Use \s-1NULL\s0 cipher (no encryption or decryption of input).
267 The program can be called either as \fBopenssl ciphername\fR or
268 \&\fBopenssl enc \-ciphername\fR. But the first form doesn't work with
269 engine-provided ciphers, because this form is processed before the
270 configuration file is read and any ENGINEs loaded.
272 Engines which provide entirely new encryption algorithms (such as ccgost
273 engine which provides gost89 algorithm) should be configured in the
274 configuration file. Engines, specified in the command line using \-engine
275 options can only be used for hadrware-assisted implementations of
276 ciphers, which are supported by OpenSSL core or other engine, specified
277 in the configuration file.
279 When enc command lists supported ciphers, ciphers provided by engines,
280 specified in the configuration files are listed too.
282 A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
284 The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
285 from a password unless you want compatibility with previous versions of
288 Without the \fB\-salt\fR option it is possible to perform efficient dictionary
289 attacks on the password and to attack stream cipher encrypted data. The reason
290 for this is that without the salt the same password always generates the same
291 encryption key. When the salt is being used the first eight bytes of the
292 encrypted data are reserved for the salt: it is generated at random when
293 encrypting a file and read from the encrypted file when it is decrypted.
295 Some of the ciphers do not have large keys and others have security
296 implications if not used correctly. A beginner is advised to just use
297 a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
299 All the block ciphers normally use PKCS#5 padding also known as standard block
300 padding: this allows a rudimentary integrity or password check to be
301 performed. However since the chance of random data passing the test is
302 better than 1 in 256 it isn't a very good test.
304 If padding is disabled then the input data must be a multiple of the cipher
307 All \s-1RC2\s0 ciphers have the same key and effective key length.
309 Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
310 .SH "SUPPORTED CIPHERS"
311 .IX Header "SUPPORTED CIPHERS"
312 Note that some of these ciphers can be disabled at compile time
313 and some are available only if an appropriate engine is configured
314 in the configuration file. The output of the \fBenc\fR command run with
315 unsupported options (for example \fBopenssl enc \-help\fR) includes a
316 list of ciphers, supported by your versesion of OpenSSL, including
317 ones provided by configured engines.
319 The \fBenc\fR program does not support authenticated encryption modes
320 like \s-1CCM\s0 and \s-1GCM.\s0 The utility does not store or retrieve the
326 \& bf\-cbc Blowfish in CBC mode
327 \& bf Alias for bf\-cbc
328 \& bf\-cfb Blowfish in CFB mode
329 \& bf\-ecb Blowfish in ECB mode
330 \& bf\-ofb Blowfish in OFB mode
332 \& cast\-cbc CAST in CBC mode
333 \& cast Alias for cast\-cbc
334 \& cast5\-cbc CAST5 in CBC mode
335 \& cast5\-cfb CAST5 in CFB mode
336 \& cast5\-ecb CAST5 in ECB mode
337 \& cast5\-ofb CAST5 in OFB mode
339 \& des\-cbc DES in CBC mode
340 \& des Alias for des\-cbc
341 \& des\-cfb DES in CBC mode
342 \& des\-ofb DES in OFB mode
343 \& des\-ecb DES in ECB mode
345 \& des\-ede\-cbc Two key triple DES EDE in CBC mode
346 \& des\-ede Two key triple DES EDE in ECB mode
347 \& des\-ede\-cfb Two key triple DES EDE in CFB mode
348 \& des\-ede\-ofb Two key triple DES EDE in OFB mode
350 \& des\-ede3\-cbc Three key triple DES EDE in CBC mode
351 \& des\-ede3 Three key triple DES EDE in ECB mode
352 \& des3 Alias for des\-ede3\-cbc
353 \& des\-ede3\-cfb Three key triple DES EDE CFB mode
354 \& des\-ede3\-ofb Three key triple DES EDE in OFB mode
356 \& desx DESX algorithm.
358 \& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
359 \& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine)
361 \& idea\-cbc IDEA algorithm in CBC mode
362 \& idea same as idea\-cbc
363 \& idea\-cfb IDEA in CFB mode
364 \& idea\-ecb IDEA in ECB mode
365 \& idea\-ofb IDEA in OFB mode
367 \& rc2\-cbc 128 bit RC2 in CBC mode
368 \& rc2 Alias for rc2\-cbc
369 \& rc2\-cfb 128 bit RC2 in CFB mode
370 \& rc2\-ecb 128 bit RC2 in ECB mode
371 \& rc2\-ofb 128 bit RC2 in OFB mode
372 \& rc2\-64\-cbc 64 bit RC2 in CBC mode
373 \& rc2\-40\-cbc 40 bit RC2 in CBC mode
376 \& rc4\-64 64 bit RC4
377 \& rc4\-40 40 bit RC4
379 \& rc5\-cbc RC5 cipher in CBC mode
380 \& rc5 Alias for rc5\-cbc
381 \& rc5\-cfb RC5 cipher in CFB mode
382 \& rc5\-ecb RC5 cipher in ECB mode
383 \& rc5\-ofb RC5 cipher in OFB mode
385 \& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
386 \& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc
387 \& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
388 \& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
389 \& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
390 \& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
391 \& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
394 .IX Header "EXAMPLES"
395 Just base64 encode a binary file:
398 \& openssl base64 \-in file.bin \-out file.b64
404 \& openssl base64 \-d \-in file.b64 \-out file.bin
407 Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
410 \& openssl des3 \-salt \-in file.txt \-out file.des3
413 Decrypt a file using a supplied password:
416 \& openssl des3 \-d \-salt \-in file.des3 \-out file.txt \-k mypassword
419 Encrypt a file then base64 encode it (so it can be sent via mail for example)
420 using Blowfish in \s-1CBC\s0 mode:
423 \& openssl bf \-a \-salt \-in file.txt \-out file.bf
426 Base64 decode a file then decrypt it:
429 \& openssl bf \-d \-salt \-a \-in file.bf \-out file.txt
432 Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
435 \& openssl rc4\-40 \-in file.rc4 \-out file.txt \-K 0102030405
439 The \fB\-A\fR option when used with large files doesn't work properly.
441 There should be an option to allow an iteration count to be included.
443 The \fBenc\fR program only supports a fixed number of algorithms with
444 certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
445 76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.