Using openssl-1.0.1g command line for simple file encryption/decryption, when I issue the commands
openssl enc -aes-256-cbc -k secret -in file.txt -out file.ssl
openssl enc -d -aes-256-cbc -k secret -in file.ssl
The contents of file.txt go to stdout as expected. However, when I issue the commands
openssl enc -aes-256-gcm -k secret -in file.txt -out file.ssl
openssl enc -d -aes-256-gcm -k secret -in file.ssl
The contents of file.txt go to stdout but the string "bad decrypt" goes to stderr.
Am I missing something or is there a bug in the openssl gcm implementation?
I have tried substituting "-pass pass:secret" for "-k secret" and get the same results.
Me and my colleagues are trying to exchange encrypted config files. Person A is able to decrypt a file encrypted-dev.enc encrypted by person B. But I can't decrypt it, and person B can't decrypt a file I send her. The error is
bad decrypt
4672347584:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:
From reading around (for example this answer), this error refers to the algorithm openssl uses for the message digest. To fix it, people always tell you to specify the algorithm with an argument like -md md5. But our command already includes that argument.
Person A is on openssl 1.1.1f.
Person B is on openssl 1.1.1i.
I am on openssl 1.1.1j.
To encrypt, we're using this command:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
To decrypt, we're doing this:
export CONFIG_KEY='[ key ]'
openssl enc -md sha1 -aes-256-cbc -pbkdf2 -d -pass env:CONFIG_KEY -in ./tests/e2e/config/encrypted-dev.enc -out ./tests/e2e/config/config-dev.json
Has anybody else run into this situation?
To investigate your issue, add the -p flag to dump the key and IV; they must be identical when ciphering and deciphering. Add -nosalt to disable salting the password (with a random value), which makes the password-to-key computation constant.
$ openssl enc -p -nosalt -md sha1 -aes-256-cbc -pbkdf2 -pass env:CONFIG_KEY -out ./tests/e2e/config/encrypted-dev.enc -in ./tests/e2e/config/config-dev.json
key=27D3CEEB44142947B9ADFA4E6D7F6EB731EB6828A6CD4C49257079470599A443
iv =35E21E3684C06DB2F182D69D99BD6E9C
In your case, you will get two different values; that's your problem.
The parameter name CONFIG_KEY is not accurate, because you are setting a password, not a key; CONFIG_PASSW would be more suitable.
If your goal was to use a key (not a password), you can use this syntax
$ openssl enc -e -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.txt -out test.enc
$ openssl enc -d -aes-256-cbc -nosalt -K AC7CBA91D9523EA2A9166341EC66D9DDCB14D3F6BCE33ADB59B16BE8F40AE607 -iv 208DE031141C4ACA18EA7B71B2EAA935 -in test.enc
Hello world !!!
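The password-to-key step that the answer above inspects with -p can be reproduced offline. This is an added example, not part of the original answer: it models what openssl enc does for -aes-256-cbc -pbkdf2 -md sha1 (PBKDF2-HMAC over the raw password bytes, 10000 iterations when -iter is not given, output split into key then IV, salt taken from the "Salted__" file header). The function names and the sample password and salt are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # header openssl enc writes in front of the 8-byte salt


def split_salted(blob):
    """Return (salt, ciphertext); salt is b"" when there is no header (-nosalt)."""
    if blob.startswith(MAGIC) and len(blob) >= 16:
        return blob[8:16], blob[16:]
    return b"", blob


def derive_key_iv(password, salt, md="sha1", iterations=10000,
                  key_len=32, iv_len=16):
    """PBKDF2-HMAC over the password bytes; the output is key || iv.

    Defaults model `-aes-256-cbc -pbkdf2 -md sha1` with no -iter (assumption).
    """
    out = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def format_like_p(salt, key, iv):
    """Render the values in the layout `openssl enc -p` prints, for diffing."""
    lines = ["salt=" + salt.hex().upper()] if salt else []
    lines.append("key=" + key.hex().upper())
    lines.append("iv =" + iv.hex().upper())
    return "\n".join(lines)


def same_key_material(pw_a, pw_b, salt, **kdf):
    """True only if both passwords derive the identical key and IV."""
    return derive_key_iv(pw_a, salt, **kdf) == derive_key_iv(pw_b, salt, **kdf)


if __name__ == "__main__":
    # Constructed sample: header + salt + 16 placeholder ciphertext bytes.
    blob = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 16
    salt, _ = split_salted(blob)
    key, iv = derive_key_iv(b"example-password", salt)
    print(format_like_p(salt, key, iv))
    # An invisible trailing newline in the password changes everything.
    print(same_key_material(b"example-password", b"example-password\n", salt))
    # So does a different -md on one side.
    print(derive_key_iv(b"example-password", salt, md="sha256") == (key, iv))
```

Comparing this output with each colleague's -p dump shows whether the mismatch comes from the password bytes, the digest, or the iteration count.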
I wanted to know how I can go about encrypting particular values in a properties file using openssl or gpg.
Most of the examples I have seen, like the ones below, seem to encrypt the entire file. But I just wanted to use it to encrypt stored passwords.
To Encrypt
openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
To Decrypt
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
You can easily use openssl to encrypt any string you want:
$ echo 12345678901 | openssl enc -e -base64 -aes-256-cbc -k MySecretPassword
U2FsdGVkX18z9p14y9XRhDdRBRoeJfIkdLQXQmGfKag=
In your case you could use a bash script like this:
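# -f2- keeps values that contain '='; -A keeps the base64 output on a single line
encrypted=$(grep "the.name.of.my.property" myFile.properties | cut -d'=' -f2- | openssl enc -e -base64 -A -aes-256-cbc -k MySecretPassword)
# use '|' as the sed delimiter: base64 output can contain '/' but never '|'
sed "/the.name.of.my.property=/ s|=.*|=$encrypted|" myFile.properties > newFile.properties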
This will produce a new file named newFile.properties with the encrypted field.
I have an AES-encrypted file, which is encoded as a one-line base64 string (without line breaks), and I need to decrypt it. Here it is.
But when I use:
openssl enc -d -a -aes-256-cbc -in encrypted -out decrypted
OpenSSL throws "error reading input file"
But base64 util decrypts it like a charm:
base64 -d encrypted | openssl enc -d -aes-256-cbc > decrypted
Trying to find the cause by converting to a one-line base64 file:
base64 -w 0 aesfile | openssl enc -d -a -aes-256-cbc > decrypted
# error reading input file
base64 aesfile | openssl enc -d -a -aes-256-cbc > decrypted
# no errors, file decrypted
Conclusion: OpenSSL can't decode non-multiline base64 inputs
Encrypt
openssl enc -aes-256-cbc -pass pass:YOURPASSWORD -p -in msg.txt -out enc.txt -base64
Decrypt
openssl enc -aes-256-cbc -base64 -pass pass:YOURPASSWORD -d -p -in enc.txt -out dec.txt
If there's no newline in the encrypted file after the base64 line, you get an error saying error reading input file.
If the encryption format is different from the decryption format used in the script, it throws a similar error.
Make sure you use the same decryption format used for the file during encryption.
I'm trying to make an encrypted pass-file, but receive an error:
bad decrypt
3872:error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:data not multiple of block length:.\crypto\evp\evp_enc.c:414:
Please provide a solution for the present error.
Here is the command for making the file:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc -nopad
pass.txt contains just one line with pass
Thanks
It's working for me if I leave out the "-nopad" argument:
openssl enc -des-ede-cbc -K 16161616161616161515151515151515 -iv 000000000000000 -in C:\OpenSSL\bin\ssl\key\pass.txt -out C:\OpenSSL\bin\ssl\key\pass.enc
I don't know how I could measure the elapsed time in encryption using openssl.
I have downloaded openssl to my linux system with no problems and I can do encryption to different files but I don't know how to measure the time to see what encryption algorithm is more efficient.
Here is the command that I use to do the encryption:
OpenSSL> enc -des-cbc -salt -a -in "/usr/local/openssl/file1.txt" -out "/usr/local/openssl/file1_des.enc" -k "123456"
This is the other algorithm:
OpenSSL> enc -aes-128-cbc -salt -a -in "/usr/local/openssl/file2.txt" -out "/usr/local/openssl/file2_aes.enc" -k "123456"
Is there a way to measure the time of execution? I tried to open another terminal and execute the (time) but it didn't help. I also don't have that much experience using linux. However, I tried to do the same thing on Windows but still don't have a way to measure the time.
Hope you guys can help.
Thanks,
D
Eh, you mean like openssl speed?
On Linux, I entered this at the shell prompt:
time openssl enc -des-cbc -salt -a -in foo.txt -out foo_des.enc -k "123456"
and got the output:
real 0m0.214s
user 0m0.008s
sys 0m0.016s
That said, you'd get a more meaningful result if you introduced some sort of looping construct. At the very least, consider creating a text file with multiple openssl command lines:
opensslcmds.txt:
enc -des-cbc -salt -a -in foo.txt -out file1_des.enc -k 123456
enc -des-cbc -salt -a -in foo.txt -out file2_des.enc -k 123456
enc -des-cbc -salt -a -in foo.txt -out file3_des.enc -k 123456
(and so on)
and then run
time openssl < opensslcmds.txt