encrypt file line by line using openssl on UNIX - unix

I need to encrypt a file containing one CLIENT_ID per line.
When I use
openssl enc -k jesuislacle -aes256 -base64 -e -in &_fidat/num_tie_dmp.csv -out &_fidat/decrypted_numtie.csv, I encrypt the whole file.
But what I want is to encrypt line by line. i.e.
Original I have:
ABCDEC
FGHHIJ
KLMNOP
QRSTUV
What I want :
QHXrpv3ah0qEPBECCt1//PBKiugmWYMuE+WaA4r9Rgc#
nAca0Pb6bH1cQRfkO9wReY+X6dgl44BKE/nKSFBLM+o#
UjTJsoHoLAC0GeqqImxDXX9znUtd7dGm4VODZ+T7lvM#
dcU+H+jd9RZZqweDu1nnJDWMlKjxW2Hc+Q2uAW1tQfk#
For the moment, I launch this command X times for each ID.
But I can have more than 10000 IDs to encrypt. It takes a few hours to have the results. It's too much.
What's the best way?
I'm on SAS 9.3, UNIX and I have to encrypt in AES 256 not MD5 (thanks to my DPO :-) )
Thanks for your help.
Jérome

You can try this:
while IFS= read -r line; do
    # IFS= and -r keep surrounding whitespace and backslashes in each line intact
    printf '%s\n' "$line" | openssl enc -k jesuislacle -aes256 -base64 -e
done <infile >outfile
It reads all lines of the file one by one and encrypts it with the specified key.
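A variant of the loop above together with its decrypt side, as an added example that is not part of the original answer. It keeps the passphrase out of the argument list with `-pass env:` and uses `-A` so that long lines still produce exactly one base64 line each. `LINE_KEY`, `encrypt_lines` and `decrypt_lines` are hypothetical names, and OpenSSL 1.1.1 or later is assumed for `-pbkdf2`.

```shell
#!/bin/sh
# Added example. LINE_KEY is a hypothetical environment variable holding the
# passphrase; -pass env: keeps it out of the argument list that `ps` shows.

# Encrypt stdin line by line: one base64 ciphertext per output line.
encrypt_lines() {
    # The "|| [ -n ... ]" part also picks up a last line with no newline.
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s' "$line" |
            openssl enc -e -aes-256-cbc -pbkdf2 -pass env:LINE_KEY -a -A
        echo    # -A writes the base64 without a trailing newline
    done
}

# Reverse operation: every input line is an independent ciphertext.
decrypt_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line" |
            openssl enc -d -aes-256-cbc -pbkdf2 -pass env:LINE_KEY -a -A
        echo    # the plaintext was encrypted without its newline
    done
}

# Constructed sample input and passphrase, for demonstration only.
export LINE_KEY='constructed-demo-passphrase'
printf 'ABCDEC\nFGHHIJ\n' | encrypt_lines | decrypt_lines
```

Each output line carries its own random salt, so encrypting the same ID twice gives two different ciphertexts.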

Related

Why do OpenSSl Encription times vary with modifications to file?

I have a ssl wrapper around GNU-Cash which decrypts my data file when opening GNU-Cash, and then re-encrypts it when I exit the app, overwriting the original encrypted file and then deletes the unencrypted one. What happens is if I make say 1 single change in GNU-Cash, the file re-encryption is a second or two, but if I make a lot of changes to the data, then the encryption takes significantly longer. It appears the time to create the new encrypted file is directly related to the changes made in the data file within.
I cannot see why it takes longer to encrypt a heavily modified file than the same one with only minor changes. My script does not remove the original encrypted data, just overwrites it upon exit from GNU-Cash. Does OpenSSl reference the old copy of the encrypted data file which it is over-writing?
I can post the whole thing if needed, but here are the Decrypt and Encrypt lines from the script:
openssl enc -d -aes-256-cbc -pbkdf2 -in ${DATA_FILE} -out ${DECRYPTED_FILE} -pass stdin <<EOPW &> /dev/null
${FILEPASS}
EOPW
openssl enc -e -aes-256-cbc -pbkdf2 -in ${DECRYPTED_FILE} -out ${DATA_FILE} -pass stdin <<EOPW &> /dev/null
${FILEPASS}
EOPW
Thanks.

Decrypt a text with OpenSSL using key and salt only

I would like to decrypt a text using a 32 characters key and a salt from command line in my MacOS. I have encrypted it in Windows using a program. But, whenever I try to decrypt it from command line I couldn't and get an error.
echo -n PuYNZO+SLqFo6g97gxKr2uAPRUph/sZgaJ3T5YIBPIc= | openssl enc -d -a -aes-256-cbc -K TheTestKeyUsedIs32CharactersLong -S 53616c7455736564 -iv 0 -p
hex string is too short, padding with zero bytes to length
hex string is too short, padding with zero bytes to length
non-hex digit
invalid hex key value
When I try to encrypt
100836
in MacOS it gives me completely different string.
U2FsdGVkX19TYWx0VXNlZA4AWDWo5nzi8p5pYyAeUMg=
using following command:
openssl enc -aes-256-cbc -a -S 53616c7455736564 -iter 5 -k TheTestKeyUsedIs32CharactersLong -in input.txt -out openssl_output.txt
From the application I am using in Windows
100836
is converting into
PuYNZO+SLqFo6g97gxKr2uAPRUph/sZgaJ3T5YIBPIc=
My salt text is SaltUsed
My 32 bit character key is TheTestKeyUsedIs32CharactersLong
Input is PuYNZO+SLqFo6g97gxKr2uAPRUph/sZgaJ3T5YIBPIc=
Should be decrypted in 100836
But, result is completely unexpected.
I have also tried a java program to decrypt it but there I was getting other strings so thought to correct it with command line first and then will jump into the code.
I also tried the key in hex digits but still the response was incorrect and was not as expected.
@Wasif and I spent some time debugging in chat and in the end believe it's most likely a compatibility issue between OpenSSL 1.1.1.d on Windows and OpenSSL 1.1.1.b on macOS.
We went through a number of tests and permutations, using (Key, IV) tuples in hex, using passwords, with and without salts, and ultimately our testing came down to a simple check.
Using openssl enc -a -aes-256-cbc -pass pass:MYPASSWORD -p -in input.txt on Windows we got:
salt=E70092FEBA619144
key=29631452F8C259DFE6FD8E9372EC4B20392395F36B7A0B11769CEBEA987E90A0
iv =93BF2E94462A43B23EF585C0F4B3F1A8
U2FsdGVkX1/nAJL+umGRRGi3ybIPFXf7qrgov7SyXnI=
Using openssl aes-256-cbc -d -a -pass pass:MYPASSWORD -in cipherText.txt (which contains 'U2FsdGVkX1/nAJL+umGRRGi3ybIPFXf7qrgov7SyXnI=') on the Mac we got:
4593573484:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
Despite this simple test failing, the Mac and Windows boxes successfully encrypted and decrypted locally.
Weird, but this looks like version incompatibility.
Try specifying the digest algorithm:
Default digest has changed between different versions.
See
How to resolve the "EVP_DecryptFInal_ex: bad decrypt" during file decryption

Openssl - AES-256-ECB decrypt with key, bad magic number

I'm trying to decrypt a text, which was encrypted with AES-256-ECB with the given key. To decrypt, I'm using the same version of the openssl which was used for encryption (OpenSSL 1.1.1d 10 Sep 2019).
String to decrypt: VAWawVAWawxiyH20dI+t5NPAY9w== (inside file.txt)
Key: 461a966faef244e4808d6b2b8e928d01 (inside key.txt)
I tried those commands:
cat file.txt | base64 -d > file2.txt
openssl enc -AES-256-ECB -d -in file2.txt -out answer.txt --kfile key.txt
And I'm getting: bad magic number. What's the problem?
openssl enc will normally use a password to derive a key. So it is the derived key that is used to decrypt the file. The derivation process requires a "salt", and openssl enc during encryption stores that salt at the beginning of the file along with a "magic number" to identify it. If the magic number is missing (usually because the file wasn't encrypted by openssl enc or because the password based key derivation method wasn't used) then you get this error.
The -kfile option tells OpenSSL to read the password from a file and then derive the key from it. Probably what you intended was to not use password derivation at all, but to use the explicit key. In which case you need to use the -K option and supply the key on the command line using hex.
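The header this answer describes can be inspected directly. The following is an added example, not part of the original answer: it decodes a base64 ciphertext and reports whether it starts with the `Salted__` magic, using ciphertext strings quoted elsewhere on this page as input. `salt_header` is a hypothetical helper name and a `base64` that accepts `-d` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example: report whether a base64 blob carries the "Salted__" header
# that `openssl enc` writes in password mode, and print the 8-byte salt.
salt_header() {
    # First 16 decoded bytes as lowercase hex: 8 bytes magic + 8 bytes salt.
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null |
          od -An -tx1 -N16 | tr -d ' \n')
    magic=53616c7465645f5f    # ASCII "Salted__"
    case "$hex" in
        "$magic"????????????????)
            # Password mode: decrypt with -k/-pass (plus the matching -md/-pbkdf2).
            printf 'salted salt=%s\n' "${hex#"$magic"}" ;;
        *)
            # No header: a password-mode decrypt stops with "bad magic number";
            # such data needs the raw key via -K (and -iv for CBC).
            printf 'raw\n'
            return 1 ;;
    esac
}

# Ciphertexts quoted on this page: two produced by openssl enc with a
# password, one produced by a separate Windows application.
for blob in \
    'U2FsdGVkX1/nAJL+umGRRGi3ybIPFXf7qrgov7SyXnI=' \
    'U2FsdGVkX19TYWx0VXNlZA4AWDWo5nzi8p5pYyAeUMg=' \
    'PuYNZO+SLqFo6g97gxKr2uAPRUph/sZgaJ3T5YIBPIc='
do
    salt_header "$blob" || true
done
```

The first result matches the `salt=E70092FEBA619144` line printed by `-p` above, and the second matches the `-S 53616c7455736564` value used on macOS.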

FFMPEG Encryption

I am doing a project with encrypting video and I have a few questions about the procedure.
I used a command to transcode mp4 to HLS with a ts segment duration of ~10 seconds.
First, I need to encrypt those videos with a key from a database. However, I have no idea whether the encryption works with ffmpeg or not.
Second, if the encryption can work without ffmpeg, what should I do? I have searched on Google, which turns up things like openssl / aes, but there are no detailed steps for me to follow, not even at the ffmpeg link:
http://www.ffmpeg.org/ffmpeg-all.html#srtp
Could anyone give me a hand, teaching me how to encrypt a video? Thanks to you.
Yes, you can do it with ffmpeg. You need to write the key from the database to a file, let's say video.key.
You need a second file, let's name it key_info which is the key info file. It has the following format:
key URI
key file path
IV (optional)
Eg:
http://example.com/video.key
video.key
You tell ffmpeg to use it to encrypt your segments with the hls_key_info argument:
ffmpeg -i input.mp4 -c copy -bsf:v h264_mp4toannexb -hls_time 10 -hls_key_info_file key_info playlist.m3u8
This will encrypt your segments with AES-128 in CBC mode and add the relevant tags to your playlist:
#EXT-X-KEY:METHOD=AES-128,URI="http://example.com/video.key"
You can also manually encrypt the segments if you want with openssl. Here's an example script, where each IV is equal to the segment index:
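#!/bin/bash
ts_dir=/path/to/ts/
key_file=video.key
# Generate a random 16-byte AES-128 key and keep its hex form for -K
openssl rand 16 > "$key_file"
enc_key=$(hexdump -v -e '16/1 "%02x"' "$key_file")
pushd "$ts_dir"
# Index of the last segment (numbered from 0); count only the plaintext
# segments so encrypted_*.ts files from an earlier run are not included
ts_cnt=$(ls segment-*.ts | wc -l)
((ts_cnt--))
for i in $(seq -f "%01g" 0 "$ts_cnt"); do
    # IV is the segment index written as a 128-bit hex value
    iv=$(printf '%032x' "$i")
    ts_file=segment-$i.ts
    echo "[$i] $ts_file"
    openssl aes-128-cbc -e -in "$ts_file" -out "encrypted_${ts_file}" -nosalt -iv "$iv" -K "$enc_key"
done
popd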

Using Openssl to decrypt AES 128 bits CBC base64 text

I am trying to use Openssl to decrypt the following AES 128 bits CBC base64 text (not padded) contained in the input.txt
bzxCHMWF+KVMumKb6rXTJQ0803fpYyxgdtZ8/nvc0Fc=
The first 16 bytes are the IV. The encryption key is h4ckth1sk3yp4d16
I tried using the command:
openssl enc -aes-128-cbc -d -base64 -K 6834636b746831736b33797034643136 -iv 627a7843484d57462b4b564d756d4b62 -in input.txt -out result.txt
in the input.txt, I remove the first 16 bytes of the encrypted text when running the above command.
but I kept getting the error:
bad decrypt 3073874120:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:532:
can anyone tell what's wrong here? thanks!
