1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-enc - symmetric cipher routines
7
8=head1 SYNOPSIS
9
10B<openssl> B<enc>|I<cipher>
11[B<-I<cipher>>]
12[B<-help>]
13[B<-list>]
14[B<-ciphers>]
15[B<-in> I<filename>]
16[B<-out> I<filename>]
17[B<-pass> I<arg>]
18[B<-e>]
19[B<-d>]
20[B<-a>]
21[B<-base64>]
22[B<-A>]
23[B<-k> I<password>]
24[B<-kfile> I<filename>]
25[B<-K> I<key>]
26[B<-iv> I<IV>]
27[B<-S> I<salt>]
28[B<-salt>]
29[B<-nosalt>]
30[B<-z>]
31[B<-md> I<digest>]
32[B<-iter> I<count>]
33[B<-pbkdf2>]
34[B<-p>]
35[B<-P>]
36[B<-bufsize> I<number>]
37[B<-nopad>]
38[B<-v>]
39[B<-debug>]
40[B<-none>]
41{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
42{- $OpenSSL::safe::opt_provider_synopsis -}
43
44B<openssl> I<cipher> [B<...>]
45
46=head1 DESCRIPTION
47
48The symmetric cipher commands allow data to be encrypted or decrypted
49using various block and stream ciphers using keys based on passwords
50or explicitly provided. Base64 encoding or decoding can also be performed
51either by itself or in addition to the encryption or decryption.
52
53=head1 OPTIONS
54
55=over 4
56
57=item B<-I<cipher>>
58
59The cipher to use.
60
61=item B<-help>
62
63Print out a usage message.
64
65=item B<-list>
66
67List all supported ciphers.
68
69=item B<-ciphers>
70
71Alias of -list to display all supported ciphers.
72
73=item B<-in> I<filename>
74
75The input filename, standard input by default.
76
77=item B<-out> I<filename>
78
79The output filename, standard output by default.
80
81=item B<-pass> I<arg>
82
83The password source. For more information about the format of I<arg>
84see L<openssl-passphrase-options(1)>.
85
86=item B<-e>
87
88Encrypt the input data: this is the default.
89
90=item B<-d>
91
92Decrypt the input data.
93
94=item B<-a>
95
96Base64 process the data. This means that if encryption is taking place
97the data is base64 encoded after encryption. If decryption is set then
98the input data is base64 decoded before being decrypted.
99
100=item B<-base64>
101
102Same as B<-a>
103
104=item B<-A>
105
106If the B<-a> option is set then base64 process the data on one line.
107
108=item B<-k> I<password>
109
110The password to derive the key from. This is for compatibility with previous
111versions of OpenSSL. Superseded by the B<-pass> argument.
112
113=item B<-kfile> I<filename>
114
115Read the password to derive the key from the first line of I<filename>.
116This is for compatibility with previous versions of OpenSSL. Superseded by
117the B<-pass> argument.
118
119=item B<-md> I<digest>
120
121Use the specified digest to create the key from the passphrase.
122The default algorithm is sha-256.
123
124=item B<-iter> I<count>
125
126Use a given number of iterations on the password in deriving the encryption key.
127High values increase the time required to brute-force the resulting file.
128This option enables the use of PBKDF2 algorithm to derive the key.
129
130=item B<-pbkdf2>
131
132Use PBKDF2 algorithm with a default iteration count of 10000
133unless otherwise specified by the B<-iter> command line option.
134
135=item B<-nosalt>
136
137Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
138used except for test purposes or compatibility with ancient versions of
139OpenSSL.
140
141=item B<-salt>
142
143Use salt (randomly generated or provide with B<-S> option) when
144encrypting, this is the default.
145
146=item B<-S> I<salt>
147
148The actual salt to use: this must be represented as a string of hex digits.
149If this option is used while encrypting, the same exact value will be needed
150again during decryption.
151
152=item B<-K> I<key>
153
154The actual key to use: this must be represented as a string comprised only
155of hex digits. If only the key is specified, the IV must additionally specified
156using the B<-iv> option. When both a key and a password are specified, the
157key given with the B<-K> option will be used and the IV generated from the
158password will be taken. It does not make much sense to specify both key
159and password.
160
161=item B<-iv> I<IV>
162
163The actual IV to use: this must be represented as a string comprised only
164of hex digits. When only the key is specified using the B<-K> option, the
165IV must explicitly be defined. When a password is being specified using
166one of the other options, the IV is generated from this password.
167
168=item B<-p>
169
170Print out the key and IV used.
171
172=item B<-P>
173
174Print out the key and IV used then immediately exit: don't do any encryption
175or decryption.
176
177=item B<-bufsize> I<number>
178
179Set the buffer size for I/O.
180
181=item B<-nopad>
182
183Disable standard block padding.
184
185=item B<-v>
186
187Verbose print; display some statistics about I/O and buffer sizes.
188
189=item B<-debug>
190
191Debug the BIOs used for I/O.
192
193=item B<-z>
194
195Compress or decompress encrypted data using zlib after encryption or before
196decryption. This option exists only if OpenSSL was compiled with the zlib
197or zlib-dynamic option.
198
199=item B<-none>
200
201Use NULL cipher (no encryption or decryption of input).
202
203{- $OpenSSL::safe::opt_r_item -}
204
205{- $OpenSSL::safe::opt_provider_item -}
206
207{- $OpenSSL::safe::opt_engine_item -}
208
209=back
210
211=head1 NOTES
212
213The program can be called either as C<openssl I<cipher>> or
214C<openssl enc -I<cipher>>. The first form doesn't work with
215engine-provided ciphers, because this form is processed before the
216configuration file is read and any ENGINEs loaded.
217Use the L<openssl-list(1)> command to get a list of supported ciphers.
218
219Engines which provide entirely new encryption algorithms (such as the ccgost
220engine which provides gost89 algorithm) should be configured in the
221configuration file. Engines specified on the command line using B<-engine>
222option can only be used for hardware-assisted implementations of
223ciphers which are supported by the OpenSSL core or another engine specified
224in the configuration file.
225
226When the enc command lists supported ciphers, ciphers provided by engines,
227specified in the configuration files are listed too.
228
229A password will be prompted for to derive the key and IV if necessary.
230
231The B<-salt> option should B<ALWAYS> be used if the key is being derived
232from a password unless you want compatibility with previous versions of
233OpenSSL.
234
235Without the B<-salt> option it is possible to perform efficient dictionary
236attacks on the password and to attack stream cipher encrypted data. The reason
237for this is that without the salt the same password always generates the same
238encryption key.
239
240When the salt is generated at random (that means when encrypting using a
241passphrase without explicit salt given using B<-S> option), the first bytes
242of the encrypted data are reserved to store the salt for later decrypting.
243
244Some of the ciphers do not have large keys and others have security
245implications if not used correctly. A beginner is advised to just use
246a strong block cipher, such as AES, in CBC mode.
247
248All the block ciphers normally use PKCS#5 padding, also known as standard
249block padding. This allows a rudimentary integrity or password check to
250be performed. However, since the chance of random data passing the test
251is better than 1 in 256 it isn't a very good test.
252
253If padding is disabled then the input data must be a multiple of the cipher
254block length.
255
256All RC2 ciphers have the same key and effective key length.
257
258Blowfish and RC5 algorithms use a 128 bit key.
259
260Please note that OpenSSL 3.0 changed the effect of the B<-S> option.
261Any explicit salt value specified via this option is no longer prepended to the
262ciphertext when encrypting, and must again be explicitly provided when decrypting.
263Conversely, when the B<-S> option is used during decryption, the ciphertext
264is expected to not have a prepended salt value.
265
266When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
267explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will
268then be read from the ciphertext.
269To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
270the B<-S> option, the salt will be then be generated randomly and prepended
271to the output.
272
273=head1 SUPPORTED CIPHERS
274
275Note that some of these ciphers can be disabled at compile time
276and some are available only if an appropriate engine is configured
277in the configuration file. The output when invoking this command
278with the B<-list> option (that is C<openssl enc -list>) is
279a list of ciphers, supported by your version of OpenSSL, including
280ones provided by configured engines.
281
282This command does not support authenticated encryption modes
283like CCM and GCM, and will not support such modes in the future.
284This is due to having to begin streaming output (e.g., to standard output
285when B<-out> is not used) before the authentication tag could be validated.
286When this command is used in a pipeline, the receiving end will not be
287able to roll back upon authentication failure.  The AEAD modes currently in
288common use also suffer from catastrophic failure of confidentiality and/or
289integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
290entire burden of key/iv/nonce management upon the user, the risk of
291exposing AEAD modes is too great to allow.  These key/iv/nonce
292management issues also affect other modes currently exposed in this command,
293but the failure modes are less extreme in these cases, and the
294functionality cannot be removed with a stable release branch.
295For bulk encryption of data, whether using authenticated encryption
296modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
297standard data format and performs the needed key/iv/nonce management.
298
299
300 base64             Base 64
301
302 bf-cbc             Blowfish in CBC mode
303 bf                 Alias for bf-cbc
304 blowfish           Alias for bf-cbc
305 bf-cfb             Blowfish in CFB mode
306 bf-ecb             Blowfish in ECB mode
307 bf-ofb             Blowfish in OFB mode
308
309 cast-cbc           CAST in CBC mode
310 cast               Alias for cast-cbc
311 cast5-cbc          CAST5 in CBC mode
312 cast5-cfb          CAST5 in CFB mode
313 cast5-ecb          CAST5 in ECB mode
314 cast5-ofb          CAST5 in OFB mode
315
316 chacha20           ChaCha20 algorithm
317
318 des-cbc            DES in CBC mode
319 des                Alias for des-cbc
320 des-cfb            DES in CFB mode
321 des-ofb            DES in OFB mode
322 des-ecb            DES in ECB mode
323
324 des-ede-cbc        Two key triple DES EDE in CBC mode
325 des-ede            Two key triple DES EDE in ECB mode
326 des-ede-cfb        Two key triple DES EDE in CFB mode
327 des-ede-ofb        Two key triple DES EDE in OFB mode
328
329 des-ede3-cbc       Three key triple DES EDE in CBC mode
330 des-ede3           Three key triple DES EDE in ECB mode
331 des3               Alias for des-ede3-cbc
332 des-ede3-cfb       Three key triple DES EDE CFB mode
333 des-ede3-ofb       Three key triple DES EDE in OFB mode
334
335 desx               DESX algorithm.
336
337 gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
338 gost89-cnt         GOST 28147-89 in CNT mode (provided by ccgost engine)
339
340 idea-cbc           IDEA algorithm in CBC mode
341 idea               same as idea-cbc
342 idea-cfb           IDEA in CFB mode
343 idea-ecb           IDEA in ECB mode
344 idea-ofb           IDEA in OFB mode
345
346 rc2-cbc            128 bit RC2 in CBC mode
347 rc2                Alias for rc2-cbc
348 rc2-cfb            128 bit RC2 in CFB mode
349 rc2-ecb            128 bit RC2 in ECB mode
350 rc2-ofb            128 bit RC2 in OFB mode
351 rc2-64-cbc         64 bit RC2 in CBC mode
352 rc2-40-cbc         40 bit RC2 in CBC mode
353
354 rc4                128 bit RC4
355 rc4-64             64 bit RC4
356 rc4-40             40 bit RC4
357
358 rc5-cbc            RC5 cipher in CBC mode
359 rc5                Alias for rc5-cbc
360 rc5-cfb            RC5 cipher in CFB mode
361 rc5-ecb            RC5 cipher in ECB mode
362 rc5-ofb            RC5 cipher in OFB mode
363
364 seed-cbc           SEED cipher in CBC mode
365 seed               Alias for seed-cbc
366 seed-cfb           SEED cipher in CFB mode
367 seed-ecb           SEED cipher in ECB mode
368 seed-ofb           SEED cipher in OFB mode
369
370 sm4-cbc            SM4 cipher in CBC mode
371 sm4                Alias for sm4-cbc
372 sm4-cfb            SM4 cipher in CFB mode
373 sm4-ctr            SM4 cipher in CTR mode
374 sm4-ecb            SM4 cipher in ECB mode
375 sm4-ofb            SM4 cipher in OFB mode
376
377 aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
378 aes[128|192|256]       Alias for aes-[128|192|256]-cbc
379 aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
380 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
381 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
382 aes-[128|192|256]-ctr  128/192/256 bit AES in CTR mode
383 aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
384 aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
385
386 aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
387 aria[128|192|256]       Alias for aria-[128|192|256]-cbc
388 aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
389 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
390 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
391 aria-[128|192|256]-ctr  128/192/256 bit ARIA in CTR mode
392 aria-[128|192|256]-ecb  128/192/256 bit ARIA in ECB mode
393 aria-[128|192|256]-ofb  128/192/256 bit ARIA in OFB mode
394
395 camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
396 camellia[128|192|256]       Alias for camellia-[128|192|256]-cbc
397 camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode
398 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
399 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
400 camellia-[128|192|256]-ctr  128/192/256 bit Camellia in CTR mode
401 camellia-[128|192|256]-ecb  128/192/256 bit Camellia in ECB mode
402 camellia-[128|192|256]-ofb  128/192/256 bit Camellia in OFB mode
403
404=head1 EXAMPLES
405
406Just base64 encode a binary file:
407
408 openssl base64 -in file.bin -out file.b64
409
410Decode the same file
411
412 openssl base64 -d -in file.b64 -out file.bin
413
414Encrypt a file using AES-128 using a prompted password
415and PBKDF2 key derivation:
416
417 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
418
419Decrypt a file using a supplied password:
420
421 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
422    -pass pass:<password>
423
424Encrypt a file then base64 encode it (so it can be sent via mail for example)
425using AES-256 in CTR mode and PBKDF2 key derivation:
426
427 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
428
429Base64 decode a file then decrypt it using a password supplied in a file:
430
431 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
432    -pass file:<passfile>
433
434=head1 BUGS
435
436The B<-A> option when used with large files doesn't work properly.
437
438The B<openssl enc> command only supports a fixed number of algorithms with
439certain parameters. So if, for example, you want to use RC2 with a
44076 bit key or RC4 with an 84 bit key you can't use this program.
441
442=head1 HISTORY
443
444The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
445
446The B<-list> option was added in OpenSSL 1.1.1e.
447
448The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
449
450=head1 COPYRIGHT
451
452Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
453
454Licensed under the Apache License 2.0 (the "License").  You may not use
455this file except in compliance with the License.  You can obtain a copy
456in the file LICENSE in the source distribution or at
457L<https://www.openssl.org/source/license.html>.
458
459=cut
460