Monday, January 09, 2012

OpenSSL: Encrypt a File with a Password from the Command Line

Do you know how to use OpenSSL to protect sensitive information in storage instead of just in transit across the network?  In fact, your can use the OpenSSL command line too to encrypt a file on your Mac OS X, Linux, or FreeBSD based computer.  Support for the library are included by default in PHP and Ruby.  So there is no reason not to use it to add additional security to your web applications.

Encrypting a File from the Command Line
In terminal, suppose you wanted to encrypt a file with a password (symmetric key encryption).

To do this using the OpenSSL command line tool, you could run this:
openssl aes-128-cbc -in Archive.zip -out Archive.zip.aes128
To decrypt it (notice the addition of the -d flag that triggers a decrypt instead of an encrypt action):
openssl aes-128-cbc -d -in Archive.zip.aes128 -out  Archive.zip
This example uses the Advanced Encryption Standard (AES) cipher in cipher-block chaining mode.  The file is very strongly encrypted for normal purposes assuming that you picked a good passphrase.

According to Bruce Schneier, "...for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change" (Another New AES Attack, July 30, 2009).

Built into Ruby and PHP
The OpenSSL library is a very standardized open source security library. It's built into the majority of platforms, including Mac OS X, Linux, FreeBSD, iOS, and Android.  Compatible SSL libraries are also built into Java and even the Microsoft platforms.

In future articles, we will explore the usage of OpenSSL for encryption and verification in website projects. In the mean time, check out these API references for both PHP and Ruby.
Impressive Array of Options
On my Mac OS X system, the default openssl install supports and impressive set of 49 algorithms to choose from.
  • aes-128-cbc
  • aes-128-ecb
  • aes-192-cbc
  • aes-192-ecb
  • aes-256-cbc
  • aes-256-ecb
  • base64
  • bf
  • bf-cbc
  • bf-cfb
  • bf-ecb
  • bf-ofb
  • camellia-128-cbc
  • camellia-128-ecb
  • camellia-192-cbc
  • camellia-192-ecb
  • camellia-256-cbc
  • camellia-256-ecb
  • cast
  • cast-cbc
  • cast5-cbc
  • cast5-cfb
  • cast5-ecb
  • cast5-ofb
  • des
  • des-cbc
  • des-cfb
  • des-ecb
  • des-ede
  • des-ede-cbc
  • des-ede-cfb
  • des-ede-ofb
  • des-ede3
  • des-ede3-cbc
  • des-ede3-cfb
  • des-ede3-ofb
  • des-ofb
  • des3
  • desx
  • idea
  • idea-cbc
  • idea-cfb
  • idea-ecb
  • idea-ofb
  • rc2
  • rc2-40-cbc
  • rc2-64-cbc
  • rc2-cbc
  • rc2-cfb
  • rc2-ecb
  • rc2-ofb
  • rc4
  • rc4-40
  • seed
  • seed-cbc
  • seed-cfb
  • seed-ecb
  • seed-ofb
  • zlib
This truly is the swiss army knife of encryption tools.  You should use it too.
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)