Ever felt the need of hiding stuff from the world. In this article, I'll show you how you can encrypt and decrypt your data using the AES Encryption technique. We'll use the openssl command for this purpose.
What is Symmetric Encryption?
Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt data. By using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it.
What is Advanced Encryption Standard (AES)?
Advanced Encryption Standard (also known as Rijndael), is one of the best symmetric encryption algorithm. AES is a block encryption algorithm and thus supports five modes which are as follows:
- ECB mode: Electronic Code Book mode
- CBC mode: Cipher Block Chaining mode
- CFB mode: Cipher Feedback mode
- OFB mode: Output Feedback mode
- CTR mode: Counter mode
In this article, we will encrypt our data using CBC mode. ECB is generally not preferred as it is not secure. The command-line tool that we will use is openssl.
What is OpenSSL
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL supports many different cryptographic operations, such as symmetric key encryption, public/private key pair generation, public-key encryption, hash functions, digital signatures, etc.
openssl comes pre-installed in most Linux distributions. If it is not pre-installed then you can install it using your Linux package manager.
Encrypting a file
The following command is used to encrypt a file:
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
After the execution of the command, it will ask you for setting the passphrase (secret key). Without the passphrase, nobody in this world can decrypt your file because brute-forcing AES is very difficult.
Let's learn about the different options that we provided.
openssl is the command-line tool that we are using.
enc is used to specify the cipher name
-aes-256-cbc is the cipher name along with the mode of operation which is CBC(Cipher Block Chaining mode)
-md sha512 specifies which digest to use for the generation of the key from the passphrase. The default value from version 1.1.0 is SHA256. Before version 1.1.0 MD5 was the default digest.
-pbkdf2 specifies to use PBKDF2 (Password-Based Key Derivation Function 2) algorithm
-iter 250000 is overriding the default count of iterations for the password. High values increase the time required to brute-force the resulting file. This option enables the use of the PBKDF2 algorithm to derive the key.
-salt Use salt in Key Derivation Function(KDF). This is the default behaviour and thus this option is not required.
Decrypting a file
Use the same command but add -d option to it. The command is as follows:
openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
Encrypting and Decrypting Multiple Files
The above command works only on a single file thus to encrypt and decrypt multiple files you can first convert it into a tar file (you can even compress it) and then apply the same command.
My Personal Preference
I also use the same command but I also add -a and -A options to my command. -a is used for Base64 encode/decode and -A is used with -a to specify base64 buffer as a single line.
Thus the command I use for encryption and decryption is:
Encryption
openssl enc -aes-256-cbc -a -A -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
Decryption
openssl enc -aes-256-cbc -a -A -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
Fun Fact
This is the same encryption algorithm that was used by Elliot Alderson in the TV series Mr Robot to encrypt data.
References
I hope this article helped you learn about using AES encryption.
Questions, suggestions, a word of thanks is always encouraged.
Top comments (5)
Great post. Thanks!
But if you're encrypting to send to someone else then I believe PGP is preferable because you never have to share the secret key
(security.stackexchange.com/a/196913)
Yes, that's true.
Is exactly the same command used to encrypt and decrypt data?
No, if you see carefully the command for decrypting the data has a -d option in it.
This was a truly informative read. I liked the explaination of the various flags of your preferred way to use openssl.
Looking forward for more.