Encrypt a string using openssl command line

I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string.

This encrypted string (in human readable format) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with openssl commandline.

Here's one way to encrypt a string with openssl on the command line (must enter password twice):

echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

Here's what the output looks like:

U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm

Edit: To my knowledge, you can't control the number of bytes out. You can b64 or hex encode it, but that's about it. Also, if you want to save that string to a file rather than stdout, use the -out option.

Try this:

echo 'foo' | openssl aes-256-cbc -a -salt
echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt

Run

openssl list-cipher-commands 

to list all available ciphers.

I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]

I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of Format-Preserving Encryption. There's a lot to the paper, and it can't fit into a single paragraph on Stack Overflow.

If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you'd need a shorter string of length 12 characters to achieve 16 human readable characters.

As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):

$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password
cSTzU8+UPQQwpRAq

Also, you really need to understand the -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).
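The size arithmetic behind the first answer's 64-character output and the Base64 3 → 4 rule above, together with the key derivation that `-k` performs when `-pbkdf2` is not given, as an added Python example (not code from any of the answers). The function names are made up for this illustration, and the digest default shown is an assumption that depends on the OpenSSL version in use.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc -salt` writes before the salt

def parse_enc_blob(b64_text):
    """Split base64 output of `openssl enc -a` into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if raw[:8] != MAGIC:
        return None, raw              # produced with -nosalt: no header at all
    return raw[8:16], raw[16:]

def evp_bytes_to_key(password, salt, key_len, iv_len, digest="sha256"):
    """Legacy -k derivation (EVP_BytesToKey, one round, used when -pbkdf2 is absent).

    D_i = H(D_{i-1} || password || salt). The default digest is md5 before
    OpenSSL 1.1.0 and sha256 from 1.1.0 on, so both sides must agree (or use -md).
    """
    stream, block = b"", b""
    while len(stream) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        stream += block
    return stream[:key_len], stream[key_len:key_len + iv_len]

def b64_output_chars(plain_len, padded_block_mode, salted):
    """Base64 characters (line breaks excluded) emitted for plain_len input bytes."""
    if padded_block_mode:                     # CBC/ECB: PKCS#7 always adds 1..16 bytes
        ct_len = (plain_len // 16 + 1) * 16
    else:                                     # CTR/OFB/CFB: ciphertext length == input length
        ct_len = plain_len
    total = ct_len + (16 if salted else 0)    # "Salted__" + 8-byte salt
    return 4 * ((total + 2) // 3)             # every 3 bytes become 4 characters

if __name__ == "__main__":
    # Output copied from the first answer on this page (aes-256-cbc, -a, -salt).
    page_blob = "U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm"
    salt, ct = parse_enc_blob(page_blob)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("16-byte input, CBC + salt  ->", b64_output_chars(16, True, True), "chars")
    print("12-byte input, CTR, -nosalt ->", b64_output_chars(12, False, False), "chars")
    # "secret_password" is the example password from the page; the salt is empty with
    # -nosalt, so the same password always yields this same key and IV, and every
    # message encrypted that way reuses one CTR keystream.
    key, iv = evp_bytes_to_key(b"secret_password", b"", 16, 16)
    print("aes-128-ctr key:", key.hex(), "iv:", iv.hex())
```

The `echo 12345678901` pipeline above feeds 12 bytes to the cipher, because `echo` appends a newline, which is why it already produces 16 Base64 characters.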

Try this:

$ echo "a_byte_character" | openssl enc -base64

and you have 100+ Cipher Types:

-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-gcm               -aes-128-ofb               -aes-128-xts              
-aes-192-cbc               -aes-192-cfb               -aes-192-cfb1             
-aes-192-cfb8              -aes-192-ctr               -aes-192-ecb              
-aes-192-gcm               -aes-192-ofb               -aes-256-cbc              
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8             
-aes-256-ctr               -aes-256-ecb               -aes-256-gcm              
-aes-256-ofb               -aes-256-xts               -aes128                   
-aes192                    -aes256                    -bf                       
-bf-cbc                    -bf-cfb                    -bf-ecb                   
-bf-ofb                    -blowfish                  -camellia-128-cbc         
-camellia-128-cfb          -camellia-128-cfb1         -camellia-128-cfb8        
-camellia-128-ecb          -camellia-128-ofb          -camellia-192-cbc         
-camellia-192-cfb          -camellia-192-cfb1         -camellia-192-cfb8        
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc         
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8        
-camellia-256-ecb          -camellia-256-ofb          -camellia128              
-camellia192               -camellia256               -cast                     
-cast-cbc                  -cast5-cbc                 -cast5-cfb                
-cast5-ecb                 -cast5-ofb                 -des                      
-des-cbc                   -des-cfb                   -des-cfb1                 
-des-cfb8                  -des-ecb                   -des-ede                  
-des-ede-cbc               -des-ede-cfb               -des-ede-ofb              
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb             
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ofb             
-des-ofb                   -des3                      -desx                     
-desx-cbc                  -id-aes128-GCM             -id-aes192-GCM            
-id-aes256-GCM             -rc2                       -rc2-40-cbc               
-rc2-64-cbc                -rc2-cbc                   -rc2-cfb                  
-rc2-ecb                   -rc2-ofb                   -rc4                      
-rc4-40                    -rc4-hmac-md5              -seed                     
-seed-cbc                  -seed-cfb                  -seed-ecb                 
-seed-ofb

I had trouble getting it working using echo with -n. This worked for me:

To encrypt:

echo "PLAINTEXT_STRING" | openssl enc -aes256 -pbkdf2 -base64

You'll be prompted to provide a decryption password.

To decrypt:

echo "ENCRYPTED_STRING" | openssl aes-256-cbc -d -pbkdf2 -a

Enter the decryption password to decrypt.
