encrypt with openssl-enc:
echo -n "127.0.0.1:62863" | openssl enc -e -aes-256-cbc -a -salt -k "p0sr8uy*48po"
U2FsdGVkX18K1nNrcAXaZxFhD6VRSMkcDnI5e6vBmXk=
As I Known OpenSSL uses the password and salt to generate Key(the actual encryption key) and IV.
but the crypto:crypto_one_time/5 in Erlang
crypto_one_time(Cipher, Key, IV, Data, FlagOrOptions)
use the Key and IV to decrypt, what I Known now is only password, so how can I decrypt the ciphertext in Erlang?
Not sure if this is what you need, but when using openssl command, we can actually print out the Key (and IV) generated using the -p parameter. So you should then somehow store those values for decryption.
echo -n "127.0.0.1:62863" | openssl enc -e -aes-256-cbc -a -salt -k "p0sr8uy*48po" -p
salt=9B677C2CC233FAC1
key=6B4BD1FB0248E1CAE2C6C9D2702051105A5A41973AE80DC0A5316F1E9A851BD7
iv =2B5DA03AF9E7492ED200BD1C0F4DEF9C
U2FsdGVkX1+bZ3wswjP6wTosfuGdUs84zIzrY10pmPQ=
Related
Me and my colleagues are trying to exchange encrypted config files. Person A is able to decrypt a file encrypted-dev.enc encrypted by person B. But I can't decrypt it, and person B can't decrypt a file I send her. The error is
bad decrypt
4672347584:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:
From reading around (for example this answer), this error refers to the algorithm openssl uses for the message digest. To fix it, people always tell you to specify the algorithm with an argument like -md md5. But our command already includes that argument.
Person A is on openssl 1.1.1f.
Person B is on openssl 1.1.1i.
I am on openssl 1.1.1j.
To encrypt, we're using this command:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
To decrypt, we're doing this:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -d -pass env:CONFIG_KEY -in ./tests/e2e/config/encrypted-dev.enc -out ./tests/e2e/config/config-dev.json
Has anybody else run into this situation?
To investigate your issue, add -p flag to dump the key and IV, they must be identical when ciphering and deciphering. Add -nosalt to disable salting password (with a random value) to make password to key computation constant.
$ openssl enc -p -nosalt -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
key=27D3CEEB44142947B9ADFA4E6D7F6EB731EB6828A6CD4C49257079470599A443
iv =35E21E3684C06DB2F182D69D99BD6E9C
in your case, you will get two differents values, that's your problem.
The parameter name CONFIG_KEY is not accurate, because you are setting a password nota key, CONFIG_PASSW would be more suitable.
If your goal was to use a key (not a password), you can use this syntax
$ openssl enc -e -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.txt -out test.enc
$ openssl enc -d -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.enc
Hello world !!!
I want to encrypt a file in linux using this command sudo openssl enc –aes-128-ecb –nosalt -p –in poraka.txt -out poraka.aes but terminal gives me this error Extra arguments given.
What should I delete from this command line?
Start by checking the output:
$ openssl enc –aes-128-ecb –nosalt -p –in poraka.txt -out poraka.aes
Extra arguments given.
enc: Use -help for summary.
Ok so lets run with -help
$ openssl enc -help
Usage: enc [options]
Valid options are:
-help Display this summary
-ciphers List ciphers
-in infile Input file
-out outfile Output file
-pass val Passphrase source
-e Encrypt
-d Decrypt
-p Print the iv/key
-P Print the iv/key and exit
-v Verbose output
-nopad Disable standard block padding
-salt Use salt in the KDF (default)
-nosalt Do not use salt in the KDF
-debug Print debug info
-a Base64 encode/decode, depending on encryption flag
-base64 Same as option -a
-A Used with -[base64|a] to specify base64 buffer as a single line
-bufsize val Buffer size
-k val Passphrase
-kfile infile Read passphrase from file
-K val Raw key, in hex
-S val Salt, in hex
-iv val IV in hex
-md val Use specified digest to create a key from the passphrase
-iter +int Specify the iteration count and force use of PBKDF2
-pbkdf2 Use password-based key derivation function 2
-none Don't encrypt
-* Any supported cipher
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-engine val Use engine, possibly a hardware device
Looks like -p is misused
$ touch poraka.txt
$ openssl enc -aes-128-ecb -nosalt -in poraka.txt -out poraka.aes
enter aes-128-ecb encryption password:
Verifying - enter aes-128-ecb encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
I think this works
The ciphertext is encrypted by Javascript using the AES algorithm in hexadecimal format. I first coded it in Base64 and then decrypted it using OpenSSL.
But it failed, I don't know where it is wrong.
And I am using a Windows compiled version of OpenSSL.
http://gnuwin32.sourceforge.net/packages/openssl.htm
The command is as follows:
openssl enc -aes-128-cbc -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
result:
bad decrypt
6396:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:./crypto/evp/evp_enc.c:461:
Ciphertext (HEX)
4cb4eb49df960e82c14e158ac418ca918736e4fbb730f532fc37d226e0e8b0e3ce0571ce4c146a6a9e037b9b79d8077568326d7fe2a3f9a91d266cfeb8bfac5668f526bc4d5ee1a21cbe85c8efab8cd1fe29b4a2b412468c6d97b7a3bfd2f69c50691e181fde43710bc61ffff2c6e7cbab59de70b97d993707c16e4a909273cc873d9156dda0ad03214e29048ac39532b8ec11c071174219fefa85e0d489468036154d19d2b683b20b07589abb9f4d863fcd17598d43a8b82d37236ceee7588d08a22f4c9662bba7f4cf6595f28b0e7b7e62f9be2d42f1b11f5c06aca7ed7568d8922d9155c229a8d57b251695c2bd645cb44539e4278b4431ac60a318fbd22afe18b204f9730f86a07c43355ce89f9646be5810e0c6bd2043066d359efe73c8e0ac7f581e048ed1809ad2720ea96f528d0acc7fd622b86d3073e8b1ac0b5d70f4e92b045e8cdf1fb6c999332ba2c279ebab2262589082a8214187a8904671a2c4eec8828335dc7f49fe438fb4e34c762e9f7febe30672a9ced8b0a2b66373d3a3b9efbe46e63f4d8b2723ebe85736f5
Thanks to Topaco for your help. Because of my negligence, mistake CTR for CBC, causing confusion.
You can try the following:
openssl enc -aes-128-cbc -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
After the -K and -iv options, the input must be a hexadecimal string, i.e. instead of 1234567890000000 you have to use 31323334353637383930303030303030. The -A option says that the Base64-encoded ciphertext is contained in one single line, here. So there is no need to use line breaks.
Update:
It turned out that the JavaScript-code actually applied to generate the posted ciphertext uses CTR-mode for encryption (instead of CBC-mode). Therefore, the OpenSSL-statement which can be used to decrypt the posted ciphertext is:
openssl enc -aes-128-ctr -a -A -in Cipherbase64.txt -out PlainText.txt -K 31323334353637383930303030303030 -iv 31323334353637383930303030303030 -d
The decrypted text is:
{"sign":"13adab9285fe86206b73e029ff0d290fc0e31237","timestamp":1570608017,"logid":"MTU3MDYwODA2MjAzMjAuMTMzMjE0Nzc2OTIxNTgxNDY=","uk":3012946979,"shareid":547370362,"fid_list":"[\"482622974717034\"]","input":"aaxb","vcode":"33324238656332346361663334656637323237633636373637643239666664336662393132313032313738303030303030303030303030303031353730363038303530B0D6C0036A1909217D2CDCD5B76B46FB"}
which can be easily verified here.
I wanted to know how I can go about encrypting particular values in a properties file using openssl or gpg.
Most of the examples seem to consist of the below I have seen seem to encrypt the entire file. But I just wanted to use it to encrypt stored passwords.
To Encrypt
openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
To Decrypt
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
You can easily use openssl to encrypt any string you want:
$ echo 12345678901 | openssl enc -e -base64 -aes-256-cbc -k MySecretPassword
U2FsdGVkX18z9p14y9XRhDdRBRoeJfIkdLQXQmGfKag=
In your case you could use a bash script like this:
encrypted=`grep "the.name.of.my.property" myFile.properties|cut -d'=' -f2|openssl enc -e -base64 -aes-256-cbc -k MySecretPassword`
sed "/the.name.of.my.property=/ s/=.*/=$encrypted/" myFile.properties > newFile.properties
This will produce a new file named newFile.properties with the encrypted field.
I'll try to make this succinct as possible.
I want to be able to encrypt & decrypt simple strings using OpenSSL, which I have done before.
HOWEVER, the following conditions must be met:
Simple passphrase use (no keys)
No input/output files
No prompt for passphrase (specify via command-line options for either direction)
I'm 50% there. I can successfully perform ENCRYPTION via:
echo 'someTextIWantToEncrypt' | openssl enc -e -aes-256-cbc -nosalt -pass pass:mySecretPass
The output result is:
(??b}n??v???>??G??.?B??~?
OK, great. Now I want to DECRYPT that string. So I do:
echo -n '(??b}n??v???>??G??.?B??~?' | openssl enc -d -aes-256-cbc -pass pass:mySecretPass
or even as an alternative:
openssl enc -d -aes-256-cbc -pass pass:mySecretPass <<< '(??b}n??v???>??G??.?B??~?'
But I get this response:
bad magic number
Though I don't want to use input/output files, that method DOES work 100%:
# encrypt to file
echo -n 'someTextIWantToEncrypt' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:mySecretPass
# decrypt from file
openssl enc -d -nosalt -in test.txt -aes-256-cbc -pass pass:mySecretPass
# result of decryption (is successful):
someTextIWantToEncrypt
So ... how can I achieve the above decryption process without using input/output files whatsoever? I feel I am close, but missing some small detail.
Thanks in advance.
The problem is that encryption uses the entire ASCII character set, including unprintable characters. If you want to be able to cut and paste the encrypted data, you need to convert it to only printable characters. You can do this with the -base64 (or -a) option:
echo 'someTextIWantToEncrypt' | \
openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:mySecretPass
KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=
Then decrypt it the same way:
echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:mySecretPass
WARNING: If you're using openssl, I can only assume the confidentiality of the data, and therefore the password, is important to you. If that's the case, you should never supply a password on the command line, because it can be exposed to anyone with the privilege to run ps.
A better solution is to store the password in an environment variable and have openssl read it from there:
export passwd="mySecretPass"
echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
openssl enc -base64 -d -aes-256-cbc -nosalt -pass env:passwd
Decrypt
#!/bin/bash
clear
# encrypt to file
echo "enter choice "
echo "1-dakr"
echo "2-gakr"
read choice
case $choice in
1 )
echo "text?"
read text
echo "pass?"
read pass
echo -n '$text' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:$pass
;;
2 )
# decrypt from file
echo "pass?"
read pass
echo "path?"
read path
openssl enc -d -nosalt -in $path -aes-256-cbc -pass pass:$pass
;;
* )
echo "shcd"
;;
esac
Output of Decrypt is $text how to fix it?
I know this is old, but someone else just showed me this question. I have a TCL script that achieves this easily, and can just be modified to work with whatever shell you're using, it contains these lines:
if {[catch {set lines [exec echo -n $tte | openssl enc -$cipher -a -pbkdf2 -iter $iterations -pass pass:$fkey]} msg]} {
tk_messageBox -message $msg
return
}
Where $tte = text to encrypt, $cipher and $iterations are self explanatory, and $fkey is the password passed to openssl. Just add a -d switch to decrypt.