Lines Matching +full:input +full:- +full:mode
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-ENC 1ossl"
58 .TH OPENSSL-ENC 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-enc \- symmetric cipher routines
68 [\fB\-\fR\f(BIcipher\fR]
69 [\fB\-help\fR]
70 [\fB\-list\fR]
71 [\fB\-ciphers\fR]
72 [\fB\-in\fR \fIfilename\fR]
73 [\fB\-out\fR \fIfilename\fR]
74 [\fB\-pass\fR \fIarg\fR]
75 [\fB\-e\fR]
76 [\fB\-d\fR]
77 [\fB\-a\fR]
78 [\fB\-base64\fR]
79 [\fB\-A\fR]
80 [\fB\-k\fR \fIpassword\fR]
81 [\fB\-kfile\fR \fIfilename\fR]
82 [\fB\-K\fR \fIkey\fR]
83 [\fB\-iv\fR \fIIV\fR]
84 [\fB\-S\fR \fIsalt\fR]
85 [\fB\-salt\fR]
86 [\fB\-nosalt\fR]
87 [\fB\-z\fR]
88 [\fB\-md\fR \fIdigest\fR]
89 [\fB\-iter\fR \fIcount\fR]
90 [\fB\-pbkdf2\fR]
91 [\fB\-saltlen\fR \fIsize\fR]
92 [\fB\-p\fR]
93 [\fB\-P\fR]
94 [\fB\-bufsize\fR \fInumber\fR]
95 [\fB\-nopad\fR]
96 [\fB\-v\fR]
97 [\fB\-debug\fR]
98 [\fB\-none\fR]
99 [\fB\-skeymgmt\fR \fIskeymgmt\fR]
100 [\fB\-skeyopt\fR \fIopt\fR:\fIvalue\fR]
101 [\fB\-engine\fR \fIid\fR]
102 [\fB\-rand\fR \fIfiles\fR]
103 [\fB\-writerand\fR \fIfile\fR]
104 [\fB\-provider\fR \fIname\fR]
105 [\fB\-provider\-path\fR \fIpath\fR]
106 [\fB\-provparam\fR \fI[name:]key=value\fR]
107 [\fB\-propquery\fR \fIpropq\fR]
118 .IP \fB\-\fR\f(BIcipher\fR 4
119 .IX Item "-cipher"
121 .IP \fB\-help\fR 4
122 .IX Item "-help"
124 .IP \fB\-list\fR 4
125 .IX Item "-list"
127 .IP \fB\-ciphers\fR 4
128 .IX Item "-ciphers"
129 Alias of \-list to display all supported ciphers.
130 .IP "\fB\-in\fR \fIfilename\fR" 4
131 .IX Item "-in filename"
132 The input filename, standard input by default.
133 .IP "\fB\-out\fR \fIfilename\fR" 4
134 .IX Item "-out filename"
136 .IP "\fB\-pass\fR \fIarg\fR" 4
137 .IX Item "-pass arg"
139 see \fBopenssl\-passphrase\-options\fR\|(1).
140 .IP \fB\-e\fR 4
141 .IX Item "-e"
142 Encrypt the input data: this is the default.
143 .IP \fB\-d\fR 4
144 .IX Item "-d"
145 Decrypt the input data.
146 .IP \fB\-a\fR 4
147 .IX Item "-a"
150 the input data is base64 decoded before being decrypted.
152 When the \fB\-A\fR option is not given,
154 on decoding a newline is expected among the first 1024 bytes of input.
155 .IP \fB\-base64\fR 4
156 .IX Item "-base64"
157 Same as \fB\-a\fR
158 .IP \fB\-A\fR 4
159 .IX Item "-A"
160 If the \fB\-a\fR option is set then base64 encoding produces output without any
162 Therefore it can be helpful to use the \fB\-A\fR option when decoding unknown input.
163 .IP "\fB\-k\fR \fIpassword\fR" 4
164 .IX Item "-k password"
166 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
167 .IP "\fB\-kfile\fR \fIfilename\fR" 4
168 .IX Item "-kfile filename"
171 the \fB\-pass\fR argument.
172 .IP "\fB\-md\fR \fIdigest\fR" 4
173 .IX Item "-md digest"
175 The default algorithm is sha\-256.
176 .IP "\fB\-iter\fR \fIcount\fR" 4
177 .IX Item "-iter count"
179 High values increase the time required to brute-force the resulting file.
181 .IP \fB\-pbkdf2\fR 4
182 .IX Item "-pbkdf2"
184 unless otherwise specified by the \fB\-iter\fR command line option.
185 .IP \fB\-saltlen\fR 4
186 .IX Item "-saltlen"
187 Set the salt length to use when using the \fB\-pbkdf2\fR option.
190 If the \fB\-pbkdf2\fR option is not used, then this option is ignored
193 .IP \fB\-nosalt\fR 4
194 .IX Item "-nosalt"
198 .IP \fB\-salt\fR 4
199 .IX Item "-salt"
200 Use salt (randomly generated or provided with \fB\-S\fR option) when
202 .IP "\fB\-S\fR \fIsalt\fR" 4
203 .IX Item "-S salt"
207 match the salt length (See \fB\-saltlen\fR).
208 .IP "\fB\-K\fR \fIkey\fR" 4
209 .IX Item "-K key"
212 using the \fB\-iv\fR option. When both a key and a password are specified, the
213 key given with the \fB\-K\fR option will be used and the IV generated from the
216 .IP "\fB\-iv\fR \fIIV\fR" 4
217 .IX Item "-iv IV"
219 of hex digits. When only the key is specified using the \fB\-K\fR option, the
222 .IP \fB\-p\fR 4
223 .IX Item "-p"
225 .IP \fB\-P\fR 4
226 .IX Item "-P"
229 .IP "\fB\-bufsize\fR \fInumber\fR[\fBk\fR]" 4
230 .IX Item "-bufsize number[k]"
232 The maximum size that can be specified is \fB2^31\-1\fR (2147483647) bytes.
235 .IP \fB\-nopad\fR 4
236 .IX Item "-nopad"
238 .IP \fB\-v\fR 4
239 .IX Item "-v"
241 .IP \fB\-debug\fR 4
242 .IX Item "-debug"
244 .IP \fB\-z\fR 4
245 .IX Item "-z"
248 or zlib-dynamic option.
249 .IP \fB\-none\fR 4
250 .IX Item "-none"
251 Use NULL cipher (no encryption or decryption of input).
252 .IP "\fB\-skeymgmt\fR \fIskeymgmt\fR" 4
253 .IX Item "-skeymgmt skeymgmt"
259 please refer to the output of the \f(CW\*(C`openssl list \-skey\-managers\*(C'\fR command.
260 .IP "\fB\-skeyopt\fR \fIopt\fR:\fIvalue\fR" 4
261 .IX Item "-skeyopt opt:value"
265 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
266 .IX Item "-rand files, -writerand file"
268 .IP "\fB\-provider\fR \fIname\fR" 4
269 .IX Item "-provider name"
271 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
272 .IX Item "-provider-path path"
273 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
274 .IX Item "-provparam [name:]key=value"
275 .IP "\fB\-propquery\fR \fIpropq\fR" 4
276 .IX Item "-propquery propq"
279 .IP "\fB\-engine\fR \fIid\fR" 4
280 .IX Item "-engine id"
286 \&\f(CW\*(C`openssl enc \-\fR\f(CIcipher\fR\f(CW\*(C'\fR. The first form doesn't work with
287 engine-provided ciphers, because this form is processed before the
289 Use the \fBopenssl\-list\fR\|(1) command to get a list of supported ciphers.
293 configuration file. Engines specified on the command line using \fB\-engine\fR
294 option can only be used for hardware-assisted implementations of
303 The \fB\-salt\fR option should \fBALWAYS\fR be used if the key is being derived
307 Without the \fB\-salt\fR option it is possible to perform efficient dictionary
313 passphrase without explicit salt given using \fB\-S\fR option), the first bytes
318 a strong block cipher, such as AES, in CBC mode.
325 If padding is disabled then the input data must be a multiple of the cipher
332 Please note that OpenSSL 3.0 changed the effect of the \fB\-S\fR option.
335 Conversely, when the \fB\-S\fR option is used during decryption, the ciphertext
339 explicit salt under OpenSSL 1.1.1 do not use the \fB\-S\fR option, the salt will
342 the \fB\-S\fR option, the salt will then be generated randomly and prepended
349 with the \fB\-list\fR option (that is \f(CW\*(C`openssl enc \-list\*(C'\fR) is
356 when \fB\-out\fR is not used) before the authentication tag could be validated.
367 modes or other modes, \fBopenssl\-cms\fR\|(1) is recommended, as it provides a
370 When enc is used with key wrapping modes the input data cannot be streamed,
372 Consequently, the input data size must be less than
373 the buffer size (\-bufsize arg, default to 8*1024 bytes).
374 The '*\-wrap' ciphers require the input to be a multiple of 8 bytes long,
376 The '*\-wrap\-pad' ciphers allow any input length.
382 \& bf\-cbc Blowfish in CBC mode
383 \& bf Alias for bf\-cbc
384 \& blowfish Alias for bf\-cbc
385 \& bf\-cfb Blowfish in CFB mode
386 \& bf\-ecb Blowfish in ECB mode
387 \& bf\-ofb Blowfish in OFB mode
389 \& cast\-cbc CAST in CBC mode
390 \& cast Alias for cast\-cbc
391 \& cast5\-cbc CAST5 in CBC mode
392 \& cast5\-cfb CAST5 in CFB mode
393 \& cast5\-ecb CAST5 in ECB mode
394 \& cast5\-ofb CAST5 in OFB mode
398 \& des\-cbc DES in CBC mode
399 \& des Alias for des\-cbc
400 \& des\-cfb DES in CFB mode
401 \& des\-ofb DES in OFB mode
402 \& des\-ecb DES in ECB mode
404 \& des\-ede\-cbc Two key triple DES EDE in CBC mode
405 \& des\-ede Two key triple DES EDE in ECB mode
406 \& des\-ede\-cfb Two key triple DES EDE in CFB mode
407 \& des\-ede\-ofb Two key triple DES EDE in OFB mode
409 \& des\-ede3\-cbc Three key triple DES EDE in CBC mode
410 \& des\-ede3 Three key triple DES EDE in ECB mode
411 \& des3 Alias for des\-ede3\-cbc
412 \& des\-ede3\-cfb Three key triple DES EDE in CFB mode
413 \& des\-ede3\-ofb Three key triple DES EDE in OFB mode
417 \& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
418 \& gost89\-cnt GOST 28147\-89 in CNT mode (provided by ccgost engine)
420 \& idea\-cbc IDEA algorithm in CBC mode
421 \& idea same as idea\-cbc
422 \& idea\-cfb IDEA in CFB mode
423 \& idea\-ecb IDEA in ECB mode
424 \& idea\-ofb IDEA in OFB mode
426 \& rc2\-cbc 128 bit RC2 in CBC mode
427 \& rc2 Alias for rc2\-cbc
428 \& rc2\-cfb 128 bit RC2 in CFB mode
429 \& rc2\-ecb 128 bit RC2 in ECB mode
430 \& rc2\-ofb 128 bit RC2 in OFB mode
431 \& rc2\-64\-cbc 64 bit RC2 in CBC mode
432 \& rc2\-40\-cbc 40 bit RC2 in CBC mode
435 \& rc4\-64 64 bit RC4
436 \& rc4\-40 40 bit RC4
438 \& rc5\-cbc RC5 cipher in CBC mode
439 \& rc5 Alias for rc5\-cbc
440 \& rc5\-cfb RC5 cipher in CFB mode
441 \& rc5\-ecb RC5 cipher in ECB mode
442 \& rc5\-ofb RC5 cipher in OFB mode
444 \& seed\-cbc SEED cipher in CBC mode
445 \& seed Alias for seed\-cbc
446 \& seed\-cfb SEED cipher in CFB mode
447 \& seed\-ecb SEED cipher in ECB mode
448 \& seed\-ofb SEED cipher in OFB mode
450 \& sm4\-cbc SM4 cipher in CBC mode
451 \& sm4 Alias for sm4\-cbc
452 \& sm4\-cfb SM4 cipher in CFB mode
453 \& sm4\-ctr SM4 cipher in CTR mode
454 \& sm4\-ecb SM4 cipher in ECB mode
455 \& sm4\-ofb SM4 cipher in OFB mode
457 \& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
458 \& aes[128|192|256] Alias for aes\-[128|192|256]\-cbc
459 \& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
460 \& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
461 \& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
462 \& aes\-[128|192|256]\-ctr 128/192/256 bit AES in CTR mode
463 \& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
464 \& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
466 \& aes\-[128|192|256]\-wrap key wrapping using 128/192/256 bit AES
467 \& aes\-[128|192|256]\-wrap\-pad key wrapping with padding using 128/192/256 bit AES
469 \& aria\-[128|192|256]\-cbc 128/192/256 bit ARIA in CBC mode
470 \& aria[128|192|256] Alias for aria\-[128|192|256]\-cbc
471 \& aria\-[128|192|256]\-cfb 128/192/256 bit ARIA in 128 bit CFB mode
472 \& aria\-[128|192|256]\-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
473 \& aria\-[128|192|256]\-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
474 \& aria\-[128|192|256]\-ctr 128/192/256 bit ARIA in CTR mode
475 \& aria\-[128|192|256]\-ecb 128/192/256 bit ARIA in ECB mode
476 \& aria\-[128|192|256]\-ofb 128/192/256 bit ARIA in OFB mode
478 \& camellia\-[128|192|256]\-cbc 128/192/256 bit Camellia in CBC mode
479 \& camellia[128|192|256] Alias for camellia\-[128|192|256]\-cbc
480 \& camellia\-[128|192|256]\-cfb 128/192/256 bit Camellia in 128 bit CFB mode
481 \& camellia\-[128|192|256]\-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
482 \& camellia\-[128|192|256]\-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
483 \& camellia\-[128|192|256]\-ctr 128/192/256 bit Camellia in CTR mode
484 \& camellia\-[128|192|256]\-ecb 128/192/256 bit Camellia in ECB mode
485 \& camellia\-[128|192|256]\-ofb 128/192/256 bit Camellia in OFB mode
492 \& openssl base64 \-in file.bin \-out file.b64
498 \& openssl base64 \-d \-in file.b64 \-out file.bin
501 Encrypt a file using AES\-128 using a prompted password
505 \& openssl enc \-aes128 \-pbkdf2 \-in file.txt \-out file.aes128
511 \& openssl enc \-aes128 \-pbkdf2 \-d \-in file.aes128 \-out file.txt \e
512 \& \-pass pass:<password>
516 using AES\-256 in CTR mode and PBKDF2 key derivation:
519 \& openssl enc \-aes\-256\-ctr \-pbkdf2 \-a \-in file.txt \-out file.aes256
525 \& openssl enc \-aes\-256\-ctr \-pbkdf2 \-d \-a \-in file.aes256 \-out file.txt \e
526 \& \-pass file:<passfile>
532 \& openssl enc \-e \-a \-id\-aes128\-wrap\-pad \-K 000102030405060708090A0B0C0D0E0F \-in file.bin
534 \& openssl aes128\-wrap\-pad \-e \-a \-K 000102030405060708090A0B0C0D0E0F \-in file.bin
538 The \fB\-A\fR option when used with large files doesn't work properly.
539 On the other hand, when base64 decoding without the \fB\-A\fR option,
540 if the first 1024 bytes of input do not include a newline character
541 the first two lines of input are ignored.
548 \&\fBopenssl\-list\fR\|(1), \fBEVP_SKEY\fR\|(3)
553 The \fB\-list\fR option was added in OpenSSL 1.1.1e.
555 The \fB\-ciphers\fR and \fB\-engine\fR options were deprecated in OpenSSL 3.0.
557 The \fB\-saltlen\fR option was added in OpenSSL 3.2.
559 The \fB\-skeymgmt\fR and \fB\-skeyopt\fR options were added in OpenSSL 3.5.
562 Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.