Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
ENC(1)				    OpenSSL				ENC(1)

NAME
       enc - symmetric cipher routines

SYNOPSIS
       openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e]
       [-d] [-a] [-A] [-k password] [-kfile filename] [-K key] [-iv IV]	[-p]
       [-P] [-bufsize number] [-nopad] [-debug]

DESCRIPTION
       The symmetric cipher commands allow data	to be encrypted	or decrypted
       using various block and stream ciphers using keys based on passwords or
       explicitly provided. Base64 encoding or decoding	can also be performed
       either by itself	or in addition to the encryption or decryption.

OPTIONS
       -in filename
	   the input filename, standard	input by default.

       -out filename
	   the output filename,	standard output	by default.

       -pass arg
	   the password	source.	For more information about the format of arg
	   see the PASS	PHRASE ARGUMENTS section in openssl(1).

       -salt
	   use a salt in the key derivation routines. This option should AL-
	   WAYS	be used	unless compatibility with previous versions of OpenSSL
	   or SSLeay is	required. This option is only present on OpenSSL ver-
	   sions 0.9.5 or above.

       -nosalt
	   don't use a salt in the key derivation routines. This is the	de-
	   fault for compatibility with	previous versions of OpenSSL and
	   SSLeay.

       -e  encrypt the input data: this	is the default.

       -d  decrypt the input data.

       -a  base64 process the data. This means that if encryption is taking
	   place the data is base64 encoded after encryption. If decryption is
	   set then the	input data is base64 decoded before being decrypted.

       -A  if the -a option is set then	base64 process the data	on one line.

       -k password
	   the password	to derive the key from.	This is	for compatibility with
	   previous versions of	OpenSSL. Superseded by the -pass argument.

       -kfile filename
	   read	the password to	derive the key from the	first line of file-
	   name.  This is for compatibility with previous versions of OpenSSL.
	   Superseded by the -pass argument.

       -S salt
	   the actual salt to use: this	must be	represented as a string	com-
	   prised only of hex digits.

       -K key
	   the actual key to use: this must be represented as a	string com-
	   prised only of hex digits. If only the key is specified, the	IV
	   must	additionally specified using the -iv option. When both a key
	   and a password are specified, the key given with the	-K option will
	   be used and the IV generated	from the password will be taken. It
	   probably does not make much sense to	specify	both key and password.

       -iv IV
	   the actual IV to use: this must be represented as a string com-
	   prised only of hex digits. When only	the key	is specified using the
	   -K option, the IV must explicitly be	defined. When a	password is
	   being specified using one of	the other options, the IV is generated
	   from	this password.

       -p  print out the key and IV used.

       -P  print out the key and IV used then immediately exit:	don't do any
	   encryption or decryption.

       -bufsize	number
	   set the buffer size for I/O

       -nopad
	   disable standard block padding

       -debug
	   debug the BIOs used for I/O.

NOTES
       The program can be called either	as openssl ciphername or openssl enc
       -ciphername.

       A password will be prompted for to derive the key and IV	if necessary.

       The -salt option	should ALWAYS be used if the key is being derived from
       a password unless you want compatibility	with previous versions of
       OpenSSL and SSLeay.

       Without the -salt option	it is possible to perform efficient dictionary
       attacks on the password and to attack stream cipher encrypted data. The
       reason for this is that without the salt	the same password always gen-
       erates the same encryption key. When the	salt is	being used the first
       eight bytes of the encrypted data are reserved for the salt: it is gen-
       erated at random	when encrypting	a file and read	from the encrypted
       file when it is decrypted.

       Some of the ciphers do not have large keys and others have security im-
       plications if not used correctly. A beginner is advised to just use a
       strong block cipher in CBC mode such as bf or des3.

       All the block ciphers normally use PKCS#5 padding also known as stan-
       dard block padding: this	allows a rudimentary integrity or password
       check to	be performed. However since the	chance of random data passing
       the test	is better than 1 in 256	it isn't a very	good test.

       If padding is disabled then the input data must be a multiple of	the
       cipher block length.

       All RC2 ciphers have the	same key and effective key length.

       Blowfish	and RC5	algorithms use a 128 bit key.

SUPPORTED CIPHERS
	base64		   Base	64

	bf-cbc		   Blowfish in CBC mode
	bf		   Alias for bf-cbc
	bf-cfb		   Blowfish in CFB mode
	bf-ecb		   Blowfish in ECB mode
	bf-ofb		   Blowfish in OFB mode

	cast-cbc	   CAST	in CBC mode
	cast		   Alias for cast-cbc
	cast5-cbc	   CAST5 in CBC	mode
	cast5-cfb	   CAST5 in CFB	mode
	cast5-ecb	   CAST5 in ECB	mode
	cast5-ofb	   CAST5 in OFB	mode

	des-cbc		   DES in CBC mode
	des		   Alias for des-cbc
	des-cfb		   DES in CBC mode
	des-ofb		   DES in OFB mode
	des-ecb		   DES in ECB mode

	des-ede-cbc	   Two key triple DES EDE in CBC mode
	des-ede		   Alias for des-ede
	des-ede-cfb	   Two key triple DES EDE in CFB mode
	des-ede-ofb	   Two key triple DES EDE in OFB mode

	des-ede3-cbc	   Three key triple DES	EDE in CBC mode
	des-ede3	   Alias for des-ede3-cbc
	des3		   Alias for des-ede3-cbc
	des-ede3-cfb	   Three key triple DES	EDE CFB	mode
	des-ede3-ofb	   Three key triple DES	EDE in OFB mode

	desx		   DESX	algorithm.

	idea-cbc	   IDEA	algorithm in CBC mode
	idea		   same	as idea-cbc
	idea-cfb	   IDEA	in CFB mode
	idea-ecb	   IDEA	in ECB mode
	idea-ofb	   IDEA	in OFB mode

	rc2-cbc		   128 bit RC2 in CBC mode
	rc2		   Alias for rc2-cbc
	rc2-cfb		   128 bit RC2 in CBC mode
	rc2-ecb		   128 bit RC2 in CBC mode
	rc2-ofb		   128 bit RC2 in CBC mode
	rc2-64-cbc	   64 bit RC2 in CBC mode
	rc2-40-cbc	   40 bit RC2 in CBC mode

	rc4		   128 bit RC4
	rc4-64		   64 bit RC4
	rc4-40		   40 bit RC4

	rc5-cbc		   RC5 cipher in CBC mode
	rc5		   Alias for rc5-cbc
	rc5-cfb		   RC5 cipher in CBC mode
	rc5-ecb		   RC5 cipher in CBC mode
	rc5-ofb		   RC5 cipher in CBC mode

EXAMPLES
       Just base64 encode a binary file:

	openssl	base64 -in file.bin -out file.b64

       Decode the same file

	openssl	base64 -d -in file.b64 -out file.bin

       Encrypt a file using triple DES in CBC mode using a prompted password:

	openssl	des3 -salt -in file.txt	-out file.des3

       Decrypt a file using a supplied password:

	openssl	des3 -d	-salt -in file.des3 -out file.txt -k mypassword

       Encrypt a file then base64 encode it (so	it can be sent via mail	for
       example)	using Blowfish in CBC mode:

	openssl	bf -a -salt -in	file.txt -out file.bf

       Base64 decode a file then decrypt it:

	openssl	bf -d -salt -a -in file.bf -out	file.txt

       Decrypt some data using a supplied 40 bit RC4 key:

	openssl	rc4-40 -in file.rc4 -out file.txt -K 0102030405

BUGS
       The -A option when used with large files	doesn't	work properly.

       There should be an option to allow an iteration count to	be included.

       The enc program only supports a fixed number of algorithms with certain
       parameters. So if, for example, you want	to use RC2 with	a 76 bit key
       or RC4 with an 84 bit key you can't use this program.

0.9.7d				  2005-02-25				ENC(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | NOTES | SUPPORTED CIPHERS | EXAMPLES | BUGS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=enc&sektion=1&manpath=FreeBSD+5.4-RELEASE>

home | help