How to encrypt a file with AES using OpenSSL? - encryption

I am new to shell scripting. In my project there is a requirement to keep all the sensitive data in encrypted format. To achieve this I need to use openssl as a command line tool. I tried the following command:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
It is not asking me to enter a password, and it is not showing anything. Please help me to solve this problem.

I had the same issue with openssl not providing any output. Executed the same using winpty and it worked as expected:
$ winpty openssl enc -salt -aes-256-cbc -in file -out file.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ git --version
git version 2.14.1.windows.1

If the question is indeed, "How do I encrypt a file with AES" then I think this line might work, found from either here, or here.
openssl enc -aes-256-cbc -salt -in secrets.txt -out secrets.txt.enc


Openssl aes-256-cbc encryption

I am trying to perform a file encryption that is equivalent to the openssl command below:
openssl aes-256-cbc -e -salt -pbkdf2 -iter 10000 -in geometry.json -out geometry.json.enc -pass pass:"password"
I am using the implementation 'not-yet-commons-ssl:not-yet-commons-ssl:0.3.13'.
With the default values, after the file encryption the decryption from the openssl command line always throws the error below:
40B7B9B5F37F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
What do I need to pass to the openssl encrypt function?
Salt is used by default, so you don't need to use it explicitly. I would use a higher iteration number with pbkdf2, or in this case it would make more sense to use sha256 instead of pbkdf2. Also, there is no reason to use quotation marks around your password: pass:"password" should be pass:password unless the quotation marks are part of the password.
You could use this:
openssl aes-256-cbc -pass pass:password -in geometry.json -out geometry.json.enc -pbkdf2 -iter 100000
or this:
openssl aes-256-cbc -k password -in geometry.json -out geometry.json.enc -pbkdf2 -iter 100000
And if you want to use SHA-256 for password hashing then you could use this:
openssl aes-256-cbc -k password -in geometry.json -out geometry.json.enc -md sha256

`md` param doesn't fix `error:06065064:digital envelope routines` error in OpenSSL

My colleagues and I are trying to exchange encrypted config files. Person A is able to decrypt a file encrypted-dev.enc encrypted by person B. But I can't decrypt it, and person B can't decrypt a file I send her. The error is:
bad decrypt
4672347584:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:
From reading around (for example this answer), this error refers to the algorithm openssl uses for the message digest. To fix it, people always tell you to specify the algorithm with an argument like -md md5. But our command already includes that argument.
Person A is on openssl 1.1.1f.
Person B is on openssl 1.1.1i.
I am on openssl 1.1.1j.
To encrypt, we're using this command:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
To decrypt, we're doing this:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -d -pass env:CONFIG_KEY -in ./tests/e2e/config/encrypted-dev.enc -out ./tests/e2e/config/config-dev.json
Has anybody else run into this situation?
To investigate your issue, add the -p flag to dump the key and IV; they must be identical when encrypting and decrypting. Add -nosalt to disable salting the password (with a random value) so that the password-to-key computation is constant.
$ openssl enc -p -nosalt -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
key=27D3CEEB44142947B9ADFA4E6D7F6EB731EB6828A6CD4C49257079470599A443
iv =35E21E3684C06DB2F182D69D99BD6E9C
In your case you will get two different values; that's your problem.
The parameter name CONFIG_KEY is not accurate, because you are setting a password, not a key. CONFIG_PASSW would be more suitable.
If your goal was to use a key (not a password), you can use this syntax:
$ openssl enc -e -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.txt -out test.enc
$ openssl enc -d -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.enc
Hello world !!!
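For both the Java interop question above (what the not-yet-commons-ssl side has to reproduce) and the key/IV dump suggested in this answer, the following added script (not from either original post) shows what an `openssl enc -pbkdf2` file contains and recomputes the key and IV from password plus salt with `-P`, then decrypts the body with `-K`/`-iv` only. File names, contents and the password `password` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answers): what an "openssl enc -pbkdf2" file
# contains and how key and IV are recomputed from password + salt. The Java side in
# the first question, or a colleague's openssl in the second, must produce the same
# KEY and IV from the same salt or decryption ends in "bad decrypt". File names,
# contents and the password are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWORD=password
printf '{"shape":"constructed-sample"}\n' > "$WORK/geometry.json"

# Encrypt as in the question: PBKDF2-HMAC with an explicit digest and iteration count.
openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 10000 -md sha256 \
    -pass "pass:$PASSWORD" -in "$WORK/geometry.json" -out "$WORK/geometry.json.enc"

# File layout: "Salted__" (8 bytes) | random salt (8 bytes) | CBC ciphertext (PKCS#7 padded)
header_magic() { head -c 8 "$1"; }
header_salt_hex() { head -c 16 "$1" | tail -c 8 | od -An -tx1 -v | tr -d ' \n'; }

# -P prints the derived material without encrypting anything; -S supplies the salt.
# PBKDF2 output is key || IV: 32 + 16 bytes for AES-256-CBC. Changing -md or -iter
# (or omitting -pbkdf2, which selects the old EVP_BytesToKey scheme) changes both.
derive_keyiv() {  # $1 = salt hex; prints "key=..." and "iv =..." like the -p flag does
    openssl enc -P -aes-256-cbc -pbkdf2 -iter 10000 -md sha256 -S "$1" \
        -pass "pass:$PASSWORD" </dev/null
}
derived_key() { derive_keyiv "$1" | sed -n 's/^key=//p'; }
derived_iv()  { derive_keyiv "$1" | sed -n 's/^iv *=//p'; }

# Decrypt the body with the raw key and IV, bypassing the password code path entirely.
decrypt_raw() {  # $1 = .enc file, $2 = key hex, $3 = iv hex; prints plaintext
    tail -c +17 "$1" | openssl enc -d -aes-256-cbc -K "$2" -iv "$3"
}

SALT=$(header_salt_hex "$WORK/geometry.json.enc")
KEY=$(derived_key "$SALT")
IV=$(derived_iv "$SALT")
printf 'salt=%s\nkey=%s\niv=%s\n' "$SALT" "$KEY" "$IV"
decrypt_raw "$WORK/geometry.json.enc" "$KEY" "$IV"
```

If the other implementation derives a different key or IV from the same salt, compare its digest, iteration count and the key||IV split against these values before suspecting the cipher.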

How to decrypt openssl encrypted file with flag -nosalt -base64 and -md sha256?

Given this command:
openssl enc -aes-128-ecb -nosalt -base64 -pass pass:aaaca -in flag.txt -out flag.txt.enc -md sha256
What's the format to decrypt the openssl file? My openssl Ubuntu version is 1.0.2g.
I'm asking because I tried using openssl enc -d -aes-128-ecb -pass pass:aaaca -in flag.txt.enc -out pass.txt but it says bad magic number with aaaca as the password, and when I tried openssl enc -d -aes-128-ecb -nosalt -base64 -md sha256 -in flag.txt.enc -out pass.txt -pass pass:aaaaa (with a different password), it says bad decrypt. At this point, I'm not sure anymore. Thanks!
Edit: If you're wondering why I am purposely inputting the wrong password, it's because I'm trying to test out brute forcing a password for one of my assignments. Help appreciated ><
and when I tried openssl enc -d -aes-128-ecb -nosalt -base64 -md sha256 -in flag.txt.enc -out pass.txt -pass pass:aaaaa (with different password), it says bad decrypt.
Yes, of course, because the openssl command line will perform PKCS#7 compatible padding and unpadding by default. So if you decrypt with a wrong key then there is about a 255/256 chance of getting "bad decrypt" because the unpadding fails. If you're "lucky" the incorrect plaintext will contain a valid padding and you'll just get a wrong / randomized plaintext in the output.
So if you get into that situation then you'll have to check if the plaintext message does fit what you expect. If you have nothing to compare the possibly bad plaintext against, well, then you're in trouble as you may find multiple solutions to your problem.
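An added script (not part of the original answer) that makes the point concrete: with the question's options, a wrong password normally ends in "bad decrypt" because unpadding fails, but a successful exit is not proof of the right plaintext, so the script also shows an encrypt-then-MAC check that settles the question before anything is decrypted. The password `aaaca` and the cipher options are the question's; file names, contents and `MAC_KEY` are constructed.

```shell
#!/bin/sh
# Added example (not part of the original answer): "bad decrypt" on a wrong password
# is only the PKCS#7 unpadding check, so a zero exit status is not proof that the
# output is the real plaintext. A tag computed over the ciphertext with a separate
# MAC key settles it before anything is decrypted. The password "aaaca" and the
# cipher options are the question's; files, contents and MAC_KEY are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'FLAG{constructed-sample}\n' > "$WORK/flag.txt"
MAC_KEY='constructed-separate-mac-secret'   # in practice: a second secret, not the password

encrypt() {  # $1 = password, $2 = plaintext file, $3 = output file (base64, no Salted__ header)
    openssl enc -aes-128-ecb -nosalt -base64 -md sha256 -pass "pass:$1" -in "$2" -out "$3"
}
decrypt() {  # $1 = password, $2 = ciphertext file; same options, otherwise "bad magic number"
    openssl enc -d -aes-128-ecb -nosalt -base64 -md sha256 -pass "pass:$1" -in "$2" 2>/dev/null
}
# 0 only if decryption succeeded AND the output equals the expected plaintext: with a wrong
# password, about 1 in 256 decryptions passes the padding check and yields garbage.
decrypt_matches() {  # $1 = password, $2 = ciphertext file, $3 = expected plaintext file
    out=$(decrypt "$1" "$2") || return 1
    [ "$out" = "$(cat "$3")" ]
}
# Encrypt-then-MAC: tag = HMAC-SHA256(MAC_KEY, ciphertext file), stored next to the file.
tag_file() {  # $1 = ciphertext file; prints the hex tag
    openssl dgst -sha256 -hmac "$MAC_KEY" "$1" | awk '{print $NF}'
}
verify_then_decrypt() {  # $1 = password, $2 = ciphertext file, $3 = stored tag
    [ "$(tag_file "$2")" = "$3" ] || { echo 'integrity check failed' >&2; return 2; }
    decrypt "$1" "$2"
}

encrypt aaaca "$WORK/flag.txt" "$WORK/flag.txt.enc"
TAG=$(tag_file "$WORK/flag.txt.enc")
verify_then_decrypt aaaca "$WORK/flag.txt.enc" "$TAG"
```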

Error:aes-256-cbc: not found [No such file or directory]

I am running a Unix script in which I am passing a USERNAME and a PASSWORD to isql to connect to a Sybase database. I have used the command below to encrypt and decrypt the password which I am passing to the isql command, but I am getting the error below.
openssl aes-256-cbc -salt -in sybase_pwd.txt -out SybasePad.txt.enc -pass file:SybasePadKey.txt
openssl aes-256-cbc -d -salt -in SybasePad.txt.enc -pass file:SybasePadKey.txt
I am using the above command to encrypt and decrypt but I am getting this error:
error:aes-256-cbc: not found [No such file or directory]
But when I run the same command in PuTTY it works fine. Could you please assist me?
#!/bin/ksh
export SCRIPT_HOME=/tmp/REGCOM
cd ${SCRIPT_HOME}
DBPASSWORDENC=openssl aes-256-cbc -salt -in sybase_pwd.txt -out SybasePad.txt.enc -pass file:SybasePadKey.txt
DBPASSWORD=openssl aes-256-cbc -d -salt -in SybasePad.txt.enc -pass file:SybasePadKey.txt
echo $DBPASSWORDENC
echo $DBPASSWORD
exit
Posted sample script but still the same error.
You're running this in ksh, not in bash as you originally tagged, but the same thing would happen in both. You're running
DBPASSWORDENC=openssl aes-256-cbc ....
which actually runs the command aes-256-cbc with the environment variable DBPASSWORDENC set to openssl.
You likely want something like:
DBPASSWORDENC=$(openssl aes-256-cbc ....)
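An added script (not from the original answer) that demonstrates both forms side by side and then applies the fix to the question's encrypt/decrypt pair. It uses `openssl enc -aes-256-cbc -pbkdf2` rather than the legacy key derivation; file names and the sample secret are constructed.

```shell
#!/bin/sh
# Added example (not part of the original answer): the difference between
# NAME=word command (a temporary environment variable for that command) and
# NAME=$(command) (capturing the command's output), applied to the question's
# encrypt/decrypt pair. Written with "openssl enc -aes-256-cbc -pbkdf2" instead of
# the legacy key derivation; file names and the sample secret are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'S3cret-constructed\n' > "$WORK/sybase_pwd.txt"
printf 'constructed-passphrase\n' > "$WORK/SybasePadKey.txt"   # -pass file: reads the first line

# What the original script does: "DBPASSWORDENC=openssl aes-256-cbc ..." runs a command
# named aes-256-cbc with DBPASSWORDENC=openssl in its environment (hence "not found"),
# and the variable is never set in the script itself.
show_pitfall() {  # line 1: what the child process sees; line 2: what the script sees
    DBPASSWORDENC=openssl sh -c 'printf "child sees: %s\n" "$DBPASSWORDENC"'
    printf 'script sees: %s\n' "${DBPASSWORDENC:-<unset>}"
}

# The fix: $(...) captures stdout. Note it strips trailing newlines, so a password
# file that ends in "\n" comes back without it (usually what you want for isql).
encrypt_password() {  # $1 = plaintext file, $2 = output file, $3 = passphrase file
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}
decrypt_password() {  # $1 = encrypted file, $2 = passphrase file; prints the password
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -pass "file:$2"
}

encrypt_password "$WORK/sybase_pwd.txt" "$WORK/SybasePad.txt.enc" "$WORK/SybasePadKey.txt"
DBPASSWORD=$(decrypt_password "$WORK/SybasePad.txt.enc" "$WORK/SybasePadKey.txt")
# Hand DBPASSWORD to isql through its environment or a temp file, not via echo:
# echoing it lands the clear-text password in terminal scrollback and captured logs.
show_pitfall
```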

OpenSSL: bad decrypt 3872:error:0607F08A

I'm trying to make an encrypted pass-file, but receive an error:
bad decrypt
3872:error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:data not multiple of block length:.\crypto\evp\evp_enc.c:414:
Please provide a solution for this error.
Here is the command for making the file:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc -nopad
pass.txt contains just one line with the pass.
Thanks
It's working for me if I leave out the "-nopad" argument:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc
