Quickly Encrypt a File with OpenSSL
Want to encrypt a file quickly? You can do so with OpenSSL at the command line.
A few months ago a question was posed to our readers about encrypting or password protecting a text file [How can I password protect a file?]. We got several good responses, but one in particular has really stuck with me. A reader named Jim posted a tip in the comments about using OpenSSL that I have used a bunch since then, and I think others will find it useful as well. This tip is repeated from a reader-provided snippet, slightly modified and annotated to better accommodate Mac OS X users:
Note: For a detailed article on encrypting and decrypting files with OpenSSL, click here; otherwise, you can follow the quick guide below:
Encrypt a file using OpenSSL via the Command Line
This is a pretty simple way to encrypt a single file so that it is nearly impossible for others to read, and it will require a password to access again. You’ll need to run OpenSSL from the command line for this to work.
Command syntax for encrypting and decrypting with openssl is as follows:
Quickly Encrypt the file:
openssl des3 -salt -in file.txt -out encryptedfile.txt
Quickly Decrypt the file:
openssl des3 -d -salt -in encryptedfile.txt -out normalfile.txt
Be sure to heed this important advice so you don’t overwrite and lose files:
Do not specify the same file as input and output on encryption. I have noticed weird effects on OS X (it eats the file). Remove the -in * stuff if you want to pipe data into it (e.g. a tarred folder). Omit the -out * stuff if you want it to pipe data out on STDOUT.
When you encrypt the file initially, it will prompt you to set a password to access the file and decrypt it again in the future – do not forget the password because triple DES encryption is incredibly powerful and you’ll likely lose the file’s content forever without the password. No password means you won’t be accessing the file contents!
Source: snippet thanks to Jim!
Know any other handy command line encryption tips? Share with us!
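The warning about using the same file for input and output can be enforced by a small wrapper. This is an added example, not Jim's snippet or code from the original article: the function name encrypt_file, the variable demo_dir and the sample file and password are constructed for illustration, and -pass file: is used only so the sample run needs no prompt.

```shell
# encrypt_file IN OUT [extra openssl options, e.g. -pass file:PATH]
# With no extra options openssl prompts for the password, as in the article.
encrypt_file() {
    src=$1; dst=$2; shift 2
    [ -f "$src" ] || { echo "no such input file: $src" >&2; return 2; }
    # -ef is true when both names reach the same file (same path, symlink
    # or hard link), which is the case that destroys the input.
    if [ "$src" -ef "$dst" ]; then
        echo "refusing: input and output are the same file" >&2; return 3
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2; return 4
    fi
    # umask 077 keeps the new file readable by its owner only.
    ( umask 077; openssl des3 -salt -in "$src" -out "$dst" "$@" ) \
        || { rm -f "$dst"; return 5; }
    # Decrypt to a pipe and compare with the original, so a mistyped password
    # or a truncated write is caught while the plaintext still exists.
    if openssl des3 -d -in "$dst" "$@" | cmp -s - "$src"; then
        return 0
    fi
    echo "round-trip check failed; keeping $src" >&2
    rm -f "$dst"; return 6
}

# Constructed sample run in a throwaway directory.
demo_dir=$(mktemp -d)
printf 'account: demo\nsecret: not-a-real-secret\n' > "$demo_dir/file.txt"
printf 'correct horse battery staple\n' > "$demo_dir/pw"
encrypt_file "$demo_dir/file.txt" "$demo_dir/encryptedfile.txt" \
    -pass file:"$demo_dir/pw" && echo "encrypted and verified"
encrypt_file "$demo_dir/file.txt" "$demo_dir/file.txt" \
    -pass file:"$demo_dir/pw" || echo "same-file call rejected (status $?)"
```

The wrapper never deletes the plaintext; remove it yourself once the check has passed.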
Dear all
I am new to OpenSSL and I have read about it. The first of my problems is how to open a file to be encrypted or decrypted. I have seen the commands, but it’s when the file is ready to be encrypted. Shall I give the paths or what? Please help me. I am new to OpenSSL.
B/R
The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay.
Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
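What the salt changes can be observed directly. This is an added example, not part of the comment above or of the original article: it runs the article's des3 command twice with and twice without a salt and compares the results, using a constructed password and file and the hypothetical helper names enc, dec, same, header, salt_hex and size. In the files OpenSSL writes, the 8-byte salt follows an 8-byte Salted__ marker.

```shell
# All data below is constructed and lives in a temporary directory.
work=$(mktemp -d)
printf 'hunter2\n' > "$work/pw"                      # sample password file
printf 'same plaintext every time\n' > "$work/file.txt"

# enc FLAG NAME: the article's des3 command with -salt or -nosalt.
# 2>/dev/null hides the key-derivation warning newer OpenSSL releases print.
enc() {
    openssl des3 "$1" -in "$work/file.txt" -out "$work/$2" \
        -pass file:"$work/pw" 2>/dev/null
}
# dec NAME: decrypt a salted file; the salt is read back from the file itself.
dec() { openssl des3 -d -in "$work/$1" -pass file:"$work/pw" 2>/dev/null; }

same()     { cmp -s "$work/$1" "$work/$2" && echo identical || echo different; }
header()   { head -c 8 "$work/$1"; }
salt_hex() { dd if="$work/$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
size()     { echo $(( $(wc -c < "$work/$1") )); }

enc -nosalt n1 && enc -nosalt n2      # same password, no salt
enc -salt   s1 && enc -salt   s2      # same password, random salt each run

echo "two -nosalt runs: $(same n1 n2)"
echo "two -salt runs:   $(same s1 s2)"
echo "salted file starts with: $(header s1)"
echo "salt of s1: $(salt_hex s1)   salt of s2: $(salt_hex s2)"
echo "size -nosalt: $(size n1) bytes, -salt: $(size s1) bytes"
echo "s1 decrypts to: $(dec s1)"
```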
Doesn’t this type of encrypting suck? You are starting with a plain text file, which remains on the hard drive even after you remove it from the file system. Sure, your encrypted file may be all that is visible to the average user, but anyone who can scrape the hard drive and search for FS data structures could probably recreate the plain-text file – saving a lot of time vs. breaking into the encrypted file.
Instead, perhaps create a loopback encrypted filesystem that would hold the file?
No, it doesn’t suck. Frankly, I get the sense you just wanted to show off there.
This is for creating encrypted files that you can, for example, send to other people.
Are you guys on drugs? You do realize that the best way to encrypt a text file is to use GnuPG, right? Install GnuPG, as well as the GPGdropthing. Drop your text into it. Encrypt. Paste into text file. When you need the data, decrypt. C’mon…
-salt doesn’t seem to be in the man pages nor does it seem to do anything
you can also do
cat file.txt | openssl des3 > encrypted.data
and
cat encrypted.data | openssl des3 -d
This works too, but…
to decrypt, you have to use:
cat encrypted.data| openssl des3 -d > file.txt
Beautiful and simple – I didn’t realize this was built-in to Leopard! Thanks!
[…] Also, from this awesome tip from OS X Daily, you can quickly encrypt a file using openssl using the following (I used AES 128 in CBC mode) — it even prompts you for the encryption password (key) twice: […]
@mchl: Just remember if you enter your password on the command line, it will be stored in plain text in your .bash_history file.
Many thanks for this information. Please note the possibility to add a password directly (it took me, as a newbie, some hours to figure this out):
openssl des3 -salt -in file.txt -out file.des3 -k mypassword
(http://www.openssl.org/docs/apps/enc.html)
“It doesn’t look like it can be used on folders either which sucks”
You could ZIP it first.
mugab –
It might not be EXACTLY what you’re looking for – but I just posted the steps to make this command into a shell script. At least you can drag the file you want encrypted into a Terminal window !
Great tip OSXDaily !
If you want to protect a folder or more than one file use the disc utility, click on new image, set the space and the password.
Everyone has secrets… xD
This is a great solution. Another one would be to grab gpg for OSX and use ‘gpg -c ‘
that’s a pretty good solution to protect a single text file
It’d be nice if there was an easy drag and drop utility to do this that just prompts you for a password. I’m not really command line savvy and I think there’s a lot of room for error.
It doesn’t look like it can be used on folders either which sucks