Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   12896 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

enc(1ssl)							     enc(1ssl)

NAME
       enc - Symmetric cipher routines

SYNOPSIS
       openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e]
       [-d] [-a] [-A] [-k password] [-kfile filename] [-K  key]	 [-ivIV]  [-p]
       [-P] [-bufsize  number] [-debug]

OPTIONS
       Input  filename,	 standard input by default.  Output filename, standard
       output by default.  Password source. For	 more  information  about  the
       format  of  arg see the Pass Phrase Arguments section in openssl(1ssl).
       Uses a salt in the key derivation routines. This option	should	always
       be  used	 unless	 compatibility	with  previous	versions of OpenSSL or
       SSLeay is required. This option is only	present	 on  OpenSSL  versions
       0.9.5  or  above.   Does not use a salt in the key derivation routines.
       This is the default for compatibility with previous versions of OpenSSL
       and  SSLeay.   Encrypts	the input data. This is the default.  Decrypts
       the input data.	Base64 processes the data.  This means that if encryp‐
       tion  is	 taking	 place the data is base64 encoded after encryption. If
       decryption is set then the input data is base64	decoded	 before	 being
       decrypted.   If	the -a option is set then base64 processes the data on
       one line.  The password to derive the key from. This is for compatibil‐
       ity  with  previous  versions of OpenSSL. It is superseded by the -pass
       argument.  Reads the password to derive the key from the first line  of
       filename.  This is for computability with previous versions of OpenSSL.
       It is superseded by the -pass argument.	The actual salt to  use.  This
       must  be	 represented  as  a  string comprised only of hex digits.  The
       actual key to use. This must be represented as a string comprised  only
       of  hex	digits.	 If  only  the	key  is specified, the IV must also be
       specifed using the -iv option. When both a key and password are	speci‐
       fied,  the key given with the -K option will be used, and the IV gener‐
       ated from the password will be taken. It probably does  not  make  much
       sense  to  specify  both	 key and password.  The actual IV to use. This
       must be represented as a string comprised only  of  hex	digits.	  When
       only  the key is specified using the -K option, the IV must explicitely
       be defined. When a  password  is	 specified  using  one	of  the	 other
       options,	 the  IV  is generated from this password.  Prints out the key
       and IV used.  Prints out the key and IV used  then  immediately	exits.
       Does not do any encryption or decryption.  Sets the buffer size for I/O
       Debugs the BIOs used for I/O.

DESCRIPTION
       The symmetric cipher commands allow data to be encrypted	 or  decrypted
       using various block and stream ciphers using keys based on passwords or
       explicitly provided. Base64 encoding or decoding can also be  performed
       either by itself or in addition to the encryption or decryption.

NOTES
       The  program  can be called either as openssl ciphername or openssl enc
       -ciphername.

       There is a prompt for a password to derive the key and IV if necessary.

       The -salt option should always be used if the key is being derived from
       a  password  unless  you	 want  compatibility with previous versions of
       OpenSSL and SSLeay.

       Without the -salt option it is possible to perform efficient dictionary
       attacks	on  the	 password  and to attack stream cipher encrypted data.
       The reason for this is that without the salt the same  password	always
       generates  the  same  encryption	 key.  When the salt is being used the
       first eight bytes of the encrypted data are reserved for the  salt.  It
       is  generated  at  random  when	encrypting  a  file  and read from the
       encrypted file when it is decrypted.

       Some of the ciphers do not have large keys  and	others	have  security
       implications  if	 not  used  correctly.	A beginner is advised to use a
       strong block cipher in CBC mode such as bf or des3.

       All the block ciphers use PKCS#5 padding, also known as standard	 block
       padding.	 This  allows  a rudimentary integrity or password check to be
       performed.  However, since the chance of random data passing  the  test
       is better than 1 in 256 it is not a very good test.

       All RC2 ciphers have the same key and effective key length.

       Blowfish and RC5 algorithms use a 128 bit key.

   Supported Ciphers
	base64		   Base 64

	bf-cbc		   Blowfish in CBC mode
	bf		   Alias for bf-cbc
	bf-cfb		   Blowfish in CFB mode
	bf-ecb		   Blowfish in ECB mode
	bf-ofb		   Blowfish in OFB mode

	cast-cbc	   CAST in CBC mode
	cast		   Alias for cast-cbc
	cast5-cbc	   CAST5 in CBC mode
	cast5-cfb	   CAST5 in CFB mode
	cast5-ecb	   CAST5 in ECB mode
	cast5-ofb	   CAST5 in OFB mode

	des-cbc		   DES in CBC mode
	des		   Alias for des-cbc
	des-cfb		   DES in CBC mode
	des-ofb		   DES in OFB mode
	des-ecb		   DES in ECB mode

	des-ede-cbc	   Two key triple DES EDE in CBC mode
	des-ede		   Alias for des-ede
	des-ede-cfb	   Two key triple DES EDE in CFB mode
	des-ede-ofb	   Two key triple DES EDE in OFB mode

	des-ede3-cbc	   Three key triple DES EDE in CBC mode
	des-ede3	   Alias for des-ede3-cbc
	des3		   Alias for des-ede3-cbc
	des-ede3-cfb	   Three key triple DES EDE CFB mode
	des-ede3-ofb	   Three key triple DES EDE in OFB mode

	desx		   DESX algorithm.

	idea-cbc	   IDEA algorithm in CBC mode
	idea		   same as idea-cbc
	idea-cfb	   IDEA in CFB mode
	idea-ecb	   IDEA in ECB mode
	idea-ofb	   IDEA in OFB mode

	rc2-cbc		   128 bit RC2 in CBC mode
	rc2		   Alias for rc2-cbc
	rc2-cfb		   128 bit RC2 in CBC mode
	rc2-ecb		   128 bit RC2 in CBC mode
	rc2-ofb		   128 bit RC2 in CBC mode
	rc2-64-cbc	   64 bit RC2 in CBC mode
	rc2-40-cbc	   40 bit RC2 in CBC mode

	rc4		   128 bit RC4
	rc4-64		   64 bit RC4
	rc4-40		   40 bit RC4

	rc5-cbc		   RC5 cipher in CBC mode
	rc5		   Alias for rc5-cbc
	rc5-cfb		   RC5 cipher in CBC mode
	rc5-ecb		   RC5 cipher in CBC mode
	rc5-ofb		   RC5 cipher in CBC mode

RESTRICTIONS
       The -A option when used with large files does not work properly.

       There should be an option to allow an iteration count to be included.

       Like  the  EVP  library the enc program only supports a fixed number of
       algorithms with certain parameters. For example, if you want to use RC2
       with  a	76  bit key or RC4 with an 84 bit key you cannot use this pro‐
       gram.

EXAMPLES
       Just base64 encode a binary file:
	openssl base64 -in file.bin -out file.b64

       Decode the same file
	openssl base64 -d -in file.b64 -out file.bin

       Encrypt a file using triple DES in CBC mode using a prompted password:
	openssl des3 -salt -in file.txt -out file.des3

       Decrypt a file using a supplied password:
	openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword

       Encrypt a file then base64 encode it (so it can be sent	via  mail  for
       example) using Blowfish in CBC mode:
	openssl bf -a -salt -in file.txt -out file.bf

       Base64 decode a file then decrypt it:
	openssl bf -d -salt -a -in file.bf -out file.txt

       Decrypt some data using a supplied 40 bit RC4 key:
	openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405

								     enc(1ssl)

                             _         _         _ 
                            | |       | |       | |     
                            | |       | |       | |     
                         __ | | __ __ | | __ __ | | __  
                         \ \| |/ / \ \| |/ / \ \| |/ /  
                          \ \ / /   \ \ / /   \ \ / /   
                           \   /     \   /     \   /    
                            \_/       \_/       \_/ 

Vote for polarhome