Szo*_*ske 246
This is the top answer to your question from Google: http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/
Encrypt:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
Decrypt:
openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
But this doesn't make use of the public key infrastructure at all, so it's a bit like hammering in a nail with a screwdriver :-)
moo*_*moo 149
You probably want to use gpg instead of openssl, so see "Additional Notes" at the end of this answer. But to answer the question using openssl:
To encrypt:
openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
To decrypt:
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
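Note: You will be prompted for a password when encrypting or decrypting.
Your best source of information for openssl enc would probably be: https://www.openssl.org/docs/apps/enc.html
Command line:
openssl enc takes the following form: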
openssl enc -ciphername [-in filename] [-out filename] [-pass arg]
[-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename]
[-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P]
[-bufsize number] [-nopad] [-debug] [-none] [-engine id]
Explanation of the most useful parameters with regard to your question:
-e
Encrypt the input data: this is the default.
-d
Decrypt the input data.
-k <password>
Only use this if you want to pass the password as an argument.
Usually you can leave this out and you will be prompted for a
password. The password is used to derive the actual key which
is used to encrypt your data. Using this parameter is typically
not considered secure because your password appears in
plain-text on the command line and will likely be recorded in
bash history.
-kfile <filename>
Read the password from the first line of <filename> instead of
from the command line as above.
-a
base64 process the data. This means that if encryption is taking
place the data is base64 encoded after encryption. If decryption
is set then the input data is base64 decoded before being
decrypted.
You likely DON'T need to use this. This will likely increase the
file size for non-text data. Only use this if you need to send
data in the form of text format via email etc.
-salt
To use a salt (randomly generated) when encrypting. You always
want to use a salt while encrypting. This parameter is actually
redundant because a salt is used whether you use this or not
which is why it was not used in the "Short Answer" above!
-K key
The actual key to use: this must be represented as a string
comprised only of hex digits. If only the key is specified, the
IV must additionally be specified using the -iv option. When
both a key and a password are specified, the key given with the
-K option will be used and the IV generated from the password
will be taken. It probably does not make much sense to specify
both key and password.
-iv IV
The actual IV to use: this must be represented as a string
comprised only of hex digits. When only the key is specified
using the -K option, the IV must explicitly be defined. When a
password is being specified using one of the other options, the
IV is generated from this password.
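Although you have specifically asked about OpenSSL, you might want to consider using GPG instead for the purpose of encryption, based on this article: OpenSSL vs GPG for encrypting off-site backups?
To use GPG to do the same, you would use the following commands:
To encrypt: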
gpg --output encrypted.data --symmetric --cipher-algo AES256 un_encrypted.data
To decrypt:
gpg --output un_encrypted.data --decrypt encrypted.data
Note: You will be prompted for a password when encrypting or decrypting.
小智 31
Encrypt:
openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey
Decrypt:
openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey
For details, see the openssl(1) docs.
Arn*_*liu 21
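DO NOT USE OPENSSL DEFAULT KEY DERIVATION.
The currently accepted answer makes use of it, and it is no longer recommended or secure.
It is very feasible for an attacker to simply brute-force the key.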
https://www.ietf.org/rfc/rfc2898.txt
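PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or SHA-1 [18], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key derivation process in PKCS #5 v1.5. PBKDF1 is recommended only for compatibility with existing applications since the keys it produces may not be large enough for some applications.
PBKDF2 applies a pseudorandom function (see Appendix B.1 for an example) to derive keys. The length of the derived key is essentially unbounded. (However, the maximum effective search space for the derived key may be limited by the structure of the underlying pseudorandom function. See Appendix B.1 for further discussion.) PBKDF2 is recommended for new applications.
Do this: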
openssl enc -aes-256-cbc -pbkdf2 -iter 20000 -in hello -out hello.enc -k meow
openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in hello.enc -out hello.out
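Note: Iterations in decryption have to be the same as iterations in encryption.
Iterations have to be a minimum of 10000. Here is a good answer on the number of iterations: https://security.stackexchange.com/a/3993
Also... we've got enough people here recommending GPG. Read the damn question.
Update using a randomly generated public key.
Encrypt: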
openssl enc -aes-256-cbc -a -salt -in {raw data} -out {encrypted data} -pass file:{random key}
Decrypt:
openssl enc -d -aes-256-cbc -a -in {ciphered data} -out {raw data} -pass file:{random key}
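As mentioned in the other answers, previous versions of openssl used a weak key derivation function to derive an AES encryption key from the password. However, openssl v1.1.1 supports a stronger key derivation function, where the key is derived from the password using pbkdf2 with a randomly generated salt and multiple iterations of sha256 hashing (10,000 by default).
To encrypt a file: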
openssl aes-256-cbc -e -salt -pbkdf2 -iter 10000 -in plaintextfilename -out encryptedfilename
To decrypt a file:
openssl aes-256-cbc -d -salt -pbkdf2 -iter 10000 -in encryptedfilename -out plaintextfilename
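Added example, not part of any answer above: the two answers that recommend -pbkdf2 contrast it with the older default derivation, and this Python sketch reproduces both derivations for the Salted__ file layout that openssl enc writes when given a password. It assumes AES-256-CBC (32-byte key, 16-byte IV); the function names are hypothetical and the sample file is constructed.

```python
import base64
import hashlib
import os
import time

KEY_LEN, IV_LEN = 32, 16   # AES-256-CBC
MAGIC = b"Salted__"        # header `openssl enc` writes when a password is used


def parse_header(blob, is_base64=False):
    """Split `openssl enc` output into (salt, ciphertext)."""
    if is_base64:                      # file was written with -a / -base64
        blob = base64.b64decode(blob)
    if blob[:8] != MAGIC or len(blob) < 16:
        raise ValueError("no Salted__ header: wrong -a setting or raw -K/-iv output")
    return blob[8:16], blob[16:]


def legacy_kdf(password, salt, digest="sha256"):
    """EVP_BytesToKey with count=1, used when -pbkdf2 is absent.
    The default digest is sha256 since OpenSSL 1.1.0 and md5 before that."""
    out, block = b"", b""
    while len(out) < KEY_LEN + IV_LEN:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:KEY_LEN], out[KEY_LEN:KEY_LEN + IV_LEN]


def pbkdf2_kdf(password, salt, iterations, digest="sha256"):
    """Key and IV as derived with -pbkdf2 -iter N."""
    out = hashlib.pbkdf2_hmac(digest, password, salt, iterations, KEY_LEN + IV_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def guess_cost(kdf, *args, rounds=5):
    """Average seconds needed to test one candidate password."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample: random salt plus 32 placeholder ciphertext bytes.
    sample = base64.b64encode(MAGIC + os.urandom(8) + bytes(32))
    salt, _ = parse_header(sample, is_base64=True)
    pw = b"meow"
    print("legacy seconds/guess:", guess_cost(legacy_kdf, pw, salt))
    print("pbkdf2 seconds/guess:", guess_cost(pbkdf2_kdf, pw, salt, 20000))
    # A different -iter derives a different key, so decryption fails.
    print(pbkdf2_kdf(pw, salt, 20000)[0] != pbkdf2_kdf(pw, salt, 10000)[0])
```

The per-guess cost printed for the legacy path is what the brute-force concern refers to: one or two hash calls per candidate password, against tens of thousands with -pbkdf2 -iter.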
小智 6
Encrypt:
$ openssl bf < arquivo.txt > arquivo.txt.bf
Decrypt:
$ openssl bf -d < arquivo.txt.bf > arquivo.txt
bf === Blowfish in CBC mode