Quickly encrypt a file with OpenSSL

May 2, 2007 - 18 Comments

A few months ago we asked our readers how to encrypt or password protect a text file [How can I password protect a file?]. We got several good responses, but one in particular has really stuck with me. A reader named Jim posted a tip in the comments about using OpenSSL that I have used a bunch since then, and I think others will find it useful as well. This tip is repeated from a DZone snippet, slightly modified and annotated to better accommodate Mac OS X users:

Encrypt a file using OpenSSL via the Command Line

This is a pretty simple way to encrypt a single file so that it is nearly impossible for others to read, and it will require a password to access again. You’ll need to use OpenSSL via the command line for this to work.

Encrypt the file:
openssl des3 -salt -in file.txt -out encryptedfile.txt

Decrypt the file:
openssl des3 -d -salt -in encryptedfile.txt -out normalfile.txt

Be sure to heed this important advice so you don’t overwrite and lose files:

Do not specify the same file as input and output on encryption. I have noticed weird effects on OS X (it eats the file). Remove the -in * stuff if you want to pipe data into it (e.g. a tarred folder). Omit the -out * stuff if you want it to pipe data out on STDOUT.

When you encrypt the file initially, it will prompt you to set a password to access the file and decrypt it again in the future – do not forget the password because triple DES encryption is incredibly powerful and you’ll likely lose the file’s content forever without the password.
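
The piping advice above as a small script; this is an added example, not code from the original post or the DZone snippet. It tars a file or folder into `openssl des3`, refuses to overwrite an existing output file, and reads the passphrase from an assumed environment variable `ENC_PASS` through `-pass env:` so it is never typed as a command argument; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. ENC_PASS is an assumed
# environment variable that holds the passphrase.

encrypt_path() {    # usage: encrypt_path <file-or-folder> <output-file>
    src=$1; out=$2
    [ -e "$src" ] || { echo "no such path: $src" >&2; return 1; }
    [ -n "${ENC_PASS:-}" ] || { echo "ENC_PASS is not set" >&2; return 1; }
    # Never write over an existing file, so the input cannot be clobbered.
    [ ! -e "$out" ] || { echo "refusing to overwrite: $out" >&2; return 1; }
    tmp="$out.partial.$$"
    # No -in: openssl reads the tar stream from stdin. Plain sh reports only
    # openssl's exit status for the pipeline, hence the checks above.
    if tar -C "$(dirname "$src")" -cf - "$(basename "$src")" |
            openssl des3 -salt -pass env:ENC_PASS -out "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

decrypt_path() {    # usage: decrypt_path <encrypted-file> <destination-folder>
    enc=$1; dest=$2
    [ -f "$enc" ] || { echo "no such file: $enc" >&2; return 1; }
    [ -n "${ENC_PASS:-}" ] || { echo "ENC_PASS is not set" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # No -out: the decrypted tar stream goes to stdout and into tar, whose
    # exit status is the one returned.
    openssl des3 -d -pass env:ENC_PASS -in "$enc" | tar -C "$dest" -xf -
}
```

Example use: `encrypt_path Documents/secret secret.tar.des3`, then later `decrypt_path secret.tar.des3 restored`.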

Source: DZone Snippet. Thanks Jim!


Posted by: David Mendez in Command Line, Mac OS X, Security, Tips & Tricks

18 Comments


  1. mugab says:

    It’d be nice if there was an easy drag and drop utility to do this that just prompts you for a password. I’m not really command line savvy and I think there’s a lot of room for error.

    It doesn’t look like it can be used on folders either which sucks

  2. Weaver says:

    that’s a pretty good solution to protect a single text file

  3. Gash says:

    This is a great solution. Another one would be to grab gpg for OSX and use ‘gpg -c ‘

  4. Ignacio says:

    If you want to protect a folder or more than one file use the disc utility, click on new image, set the space and the password.
    Everyone has secrets… xD

  5. Murphy says:

    mugab –

    It might not be EXACTLY what you’re looking for – but I just posted the steps to make this command into a shell script. At least you can drag the file you want encrypted into a Terminal window !

    Great tip OSXDaily !

  6. buzzert says:

    “It doesn’t look like it can be used on folders either which sucks”

    You could ZIP it first.

  7. mchl says:

    Many thanks for this information. Please note the possibility to add a password directly (it took me as a newbie some hours to figure this out):

    openssl des3 -salt -in file.txt -out file.des3 -k mypassword

    (http://www.openssl.org/docs/apps/enc.html)

  8. plaxdan says:

    @mchl: Just remember if you enter your password on the command line, it will be stored in plain text in your .bash_history file.

  9. […] Also, from this awesome tip from OS X Daily, you can quickly encrypt a file using openssl using the following (I used AES 128 in CBC mode) — it even prompts you for the encryption password (key) twice: […]

  10. Jon says:

    Beautiful and simple – I didn’t realize this was built-in to Leopard! Thanks!

  11. Chuck Lin says:

    -salt doesn’t seem to be in the man pages nor does it seem to do anything

    you can also do

    cat file.txt | openssl des3 > encrypted.data
    and
    cat encrypted.data | openssl des3 -d

    • Fernando says:

      This works too, but…

      to decrypt, you have to use:
      cat encrypted.data | openssl des3 -d > file.txt

    • Cobalto says:

      Chuck: The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

  12. Are you guys on drugs? You do realize that the best way to encrypt a text file is to use GnuPG, right? Install GnuPG, as well as the GPGdropthing. Drop your text into it. Encrypt. Paste into text file. When you need the data, decrypt. C’mon…

  13. jon brassow says:

    Doesn’t this type of encrypting suck? You are starting with a plain text file, which remains on the hard drive even after you remove it from the file system. Sure, your encrypted file may be all that is visible to the average user, but anyone who can scrape the hard drive and search for FS data structures could probably recreate the plain-text file – saving a lot of time vs. breaking into the encrypted file.

    Instead, perhaps create a loopback encrypted filesystem that would hold the file?

    • Stephen says:

      No, it doesn’t suck. Frankly, I get the sense you just wanted to show off there.

      This is for creating encrypted files that you can, for example, send to other people.

  14. Cobalto says:

    The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay.

    Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
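
The salt behaviour described in the comment above can be checked directly. This added example (not part of any comment or of the original post) encrypts one constructed plaintext twice with `-salt` and twice with `-nosalt`; `DEMO_PASS` and the function names are assumptions. On current OpenSSL builds the salted output starts with the 8-byte marker `Salted__`, followed by the 8 salt bytes.

```sh
#!/bin/sh
# Added example. The plaintext and DEMO_PASS are constructed sample values.

make_samples() {    # usage: make_samples <work-dir>; writes salted.N / nosalt.N
    dir=$1
    printf 'constructed sample plaintext\n' > "$dir/plain.txt"
    DEMO_PASS='constructed-demo-passphrase'; export DEMO_PASS
    for n in 1 2; do
        openssl des3 -salt -pass env:DEMO_PASS \
            -in "$dir/plain.txt" -out "$dir/salted.$n" || return 1
        openssl des3 -nosalt -pass env:DEMO_PASS \
            -in "$dir/plain.txt" -out "$dir/nosalt.$n" || return 1
    done
}

same_ciphertext() { cmp -s "$1" "$2"; }    # true when byte-identical
header_magic()    { head -c 8 "$1"; }      # first 8 bytes of the file
salt_hex() { dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
size_of()  { wc -c < "$1" | tr -d ' '; }

salt_report() {     # usage: salt_report <work-dir>
    dir=$1
    make_samples "$dir" || return 1
    if same_ciphertext "$dir/nosalt.1" "$dir/nosalt.2"; then
        echo "-nosalt: both runs are byte-identical (same password, same key)"
    fi
    if ! same_ciphertext "$dir/salted.1" "$dir/salted.2"; then
        echo "-salt:   runs differ; salts $(salt_hex "$dir/salted.1") and $(salt_hex "$dir/salted.2")"
    fi
    echo "header: $(header_magic "$dir/salted.1"), sizes $(size_of "$dir/nosalt.1") vs $(size_of "$dir/salted.1") bytes"
}
```

OpenSSL 1.1.1 and later print a warning about the legacy password-to-key derivation when these commands run, and accept `-pbkdf2` on both the encrypt and the decrypt command.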

  15. ftsum says:

    Dear all
    I am new to OpenSSL and I have read about it. The first of my problems is how to open a file to be encrypted or decrypted. I have seen the commands, but that’s when the file is ready to be encrypted. Shall I give the paths or what? Please help me. I am new to OpenSSL.
    B/R
