By Manny Fernandez
March 7, 2020
Using OpenSSL to encrypt files
I am a big user of PGP and use it regularly to send encrypted email to colleagues and friends that use PGP. However, sometimes I have non-PGP users that need to receive a file. Obviously, there are easier ways to send the file, using something like FortiMail, but if you want to ensure the file is encrypted at rest even when moved off to another device, this CAN do it for you. Again, there are other ways, probably easier than this, but that has never stopped me from taking the “scenic route”.
You will need openssl installed on your computer. It is installed by default on macOS and Linux; on Windows you will need to download the installer and install it.
Note: I believe you need to Run as administrator when you run it.
To know what version you are running:
macOS
Mannys-MacBook-Pro:~ mannyfernandez$ openssl
OpenSSL> version
LibreSSL 2.8.3
OpenSSL>
Linux
[root@fll-observium ~]# openssl
OpenSSL> version
OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL>
Now for the “fun” part.
Encrypting the File
To encrypt a file we will use the following command
openssl aes-256-cbc -a -salt -in %unencrypted-file-name% -out %encrypted-file-name%
I created a file and named it MonkeyBiz.txt and will encrypt it using a password.
openssl aes-256-cbc -a -salt -in MonkeyBiz.txt -out MonkeyBiz.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
As you can see, I took MonkeyBiz.txt and encrypted it using the name MonkeyBiz.enc. When I did so, I was asked to enter a password for the file and then to enter it again to verify it was correct.
NOTE: You COULD use the same name for the encrypted version, but you would need to write it to another folder/directory.
As you can see below, we have both files in the folder:
ls -l
-rw-r--r--  1 mannyfernandez staff 90 Mar 7 11:12 MonkeyBiz.enc
-rw-r--r--@ 1 mannyfernandez staff 41 Mar 7 11:06 MonkeyBiz.txt
Decrypting the File
To decrypt the file, we will do the reverse process:
openssl aes-256-cbc -d -a -in MonkeyBiz.enc -out MonkeyBiz.log
enter aes-256-cbc decryption password:
Again, we can see the prompt for the password, although there is no verification since it is assumed that the person receiving this file did not set it. Additionally, I chose a different extension (.log) for the output file so I can show the difference.
Validation
Clear Text (MonkeyBiz.txt)
cat MonkeyBiz.txt
Nothing here but a little Monkey Business
Encrypted Form (MonkeyBiz.enc)
cat MonkeyBiz.enc
U2FsdGVkX19iUrhpaEpNlWEIp5aPv7Hx8/dgOhRxwARNRKiDKQVq4Drx1YXQOhy+
/ED9p5Nu+GAxjC+1OEwr6A==
Decrypted Form (MonkeyBiz.log)
cat MonkeyBiz.log
Nothing here but a little Monkey Business
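The layout of MonkeyBiz.enc and the password-to-key step can be inspected without knowing the password. The following is an added example, not code from the original post: it parses the base64 shown above and reimplements the single-pass EVP_BytesToKey derivation that openssl enc applies when -pbkdf2 is not given. The password is constructed, and the digest is an assumption that depends on the build (MD5 was the default through OpenSSL 1.0.2, SHA-256 from 1.1.0).

```python
import base64
import hashlib

# Contents of MonkeyBiz.enc exactly as shown by `cat` above.
MONKEYBIZ_ENC = """\
U2FsdGVkX19iUrhpaEpNlWEIp5aPv7Hx8/dgOhRxwARNRKiDKQVq4Drx1YXQOhy+
/ED9p5Nu+GAxjC+1OEwr6A==
"""
MAGIC = b"Salted__"
BLOCK = 16  # AES block size in bytes


def parse_salted(b64_text):
    """Split `openssl enc -a -salt` output into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if raw[:8] != MAGIC:
        raise ValueError("missing Salted__ header (was -nosalt used?)")
    salt, ciphertext = raw[8:16], raw[16:]
    if len(salt) != 8 or not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("truncated or corrupted CBC ciphertext")
    return salt, ciphertext


def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16):
    """EVP_BytesToKey with count=1: one hash pass per output block, no stretching."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def padded_len(n):
    """Ciphertext length for an n-byte plaintext under PKCS#7 padding."""
    return (n // BLOCK + 1) * BLOCK


if __name__ == "__main__":
    salt, ct = parse_salted(MONKEYBIZ_ENC)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    # Constructed password, not the one used in the post.
    for md in ("md5", "sha256"):
        key, iv = evp_bytes_to_key(b"example-password", salt, md)
        print(md, "key:", key.hex(), "iv:", iv.hex())
```

Because the key is a single hash of password and salt, the file is only as strong as the password chosen, and a file written with one default digest will not decrypt under the other unless -md is set to match. CBC mode also provides no integrity check on the ciphertext.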
Hope this helps