Using AES with OpenSSL to Encrypt Files

This post briefly describes how to utilise AES to encrypt and decrypt files with OpenSSL.

AES - Advanced Encryption Standard (also known as Rijndael).

OpenSSL - Cryptography and SSL/TLS Toolkit

We’ll walk through the following steps:

  • Generating key/iv pair
  • Encoding
  • Decoding

Note: AES is a symmetric-key algorithm, which means it uses the same key for encryption and decryption.

Generating key/iv pair

We want to generate a 256-bit key and use Cipher Block Chaining (CBC).

The basic command to use is openssl enc plus some options:

  • -P — Print out the salt, key and IV used, then exit
  • -k <secret> or -pass pass:<secret> — to specify the password to use
  • -aes-256-cbc — the cipher name

$ openssl enc -nosalt -aes-256-cbc -k hello-aes -P
key=C639A572E14D5075C5…2EF3D2710AF9F359DD4
iv =D09A4D2C5DC39843FE075313A7EF2F4C

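Note: We use -nosalt to keep the example simple. Without a salt, the same password always yields the same key and IV, so omit -nosalt when protecting real data with a password.

Run openssl enc --help for more details and options (e.g. other cipher names, how to specify a salt, …).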
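
Why -nosalt makes the pair above reproducible: when -pbkdf2 is not requested, openssl enc derives the key and IV from the password with a single hash pass (EVP_BytesToKey). The Python below is an added example, not code from the original post; the function names and the salt value are constructed for illustration.

```python
import hashlib

def evp_bytes_to_key(password, salt=b"", digest="sha256", key_len=32, iv_len=16):
    """OpenSSL's EVP_BytesToKey with an iteration count of 1, the derivation
    `openssl enc -k <secret>` applies when -pbkdf2 is not requested.

    D_1 = H(password || salt), D_i = H(D_(i-1) || password || salt);
    the blocks are concatenated, then split into key and IV.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def format_like_P(key, iv):
    # Same layout as the `-P` output shown above.
    return f"key={key.hex().upper()}\niv ={iv.hex().upper()}"

if __name__ == "__main__":
    secret = b"hello-aes"  # the password used in this post
    # The default digest depends on the OpenSSL version:
    # MD5 before 1.1.0, SHA-256 from 1.1.0 onwards.
    for digest in ("md5", "sha256"):
        print(f"# -nosalt, digest {digest}")
        print(format_like_P(*evp_bytes_to_key(secret, digest=digest)))
    # With a salt (constructed 8-byte value here; OpenSSL picks a random one),
    # the same password yields an unrelated key and IV.
    salt = bytes.fromhex("0102030405060708")
    print("# salted, digest sha256")
    print(format_like_P(*evp_bytes_to_key(secret, salt)))
```

Because the derivation is one unsalted hash pass, anyone who knows or guesses the password recomputes the same key and IV; the salt only changes that when it is left enabled.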

Encoding

Let's start by encrypting the text Hello, AES!, stored in the file message.txt. The -base64 option writes the ciphertext as Base64 text:

$ openssl enc -nosalt -aes-256-cbc -in message.txt -out message.txt.enc -base64 -K <key> -iv <iv>

Decoding

Decoding uses almost the same command line, with an additional -d to decrypt. Without -out, the plaintext is written to standard output:

$ openssl enc -nosalt -aes-256-cbc -d -in message.txt.enc -base64 -K <key> -iv <iv>
Hello, AES!

Note: Beware of the line breaks

While working with AES encryption I encountered the situation where the encoder sometimes produces base64-encoded data with or without line breaks...

Can OpenSSL decode base64 data that does not contain line breaks?

Short answer: Yes, add the -A option alongside -base64; it makes OpenSSL read and write the Base64 data as a single line.