1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=head1 NAME 5 6openssl-enc - symmetric cipher routines 7 8=head1 SYNOPSIS 9 10B<openssl> B<enc>|I<cipher> 11[B<-I<cipher>>] 12[B<-help>] 13[B<-list>] 14[B<-ciphers>] 15[B<-in> I<filename>] 16[B<-out> I<filename>] 17[B<-pass> I<arg>] 18[B<-e>] 19[B<-d>] 20[B<-a>] 21[B<-base64>] 22[B<-A>] 23[B<-k> I<password>] 24[B<-kfile> I<filename>] 25[B<-K> I<key>] 26[B<-iv> I<IV>] 27[B<-S> I<salt>] 28[B<-salt>] 29[B<-nosalt>] 30[B<-z>] 31[B<-md> I<digest>] 32[B<-iter> I<count>] 33[B<-pbkdf2>] 34[B<-saltlen> I<size>] 35[B<-p>] 36[B<-P>] 37[B<-bufsize> I<number>] 38[B<-nopad>] 39[B<-v>] 40[B<-debug>] 41[B<-none>] 42[B<-skeymgmt> I<skeymgmt>] 43[B<-skeyopt> I<opt>:I<value>] 44{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} 45{- $OpenSSL::safe::opt_provider_synopsis -} 46 47B<openssl> I<cipher> [B<...>] 48 49=head1 DESCRIPTION 50 51The symmetric cipher commands allow data to be encrypted or decrypted 52using various block and stream ciphers using keys based on passwords 53or explicitly provided. Base64 encoding or decoding can also be performed 54either by itself or in addition to the encryption or decryption. 55 56=head1 OPTIONS 57 58=over 4 59 60=item B<-I<cipher>> 61 62The cipher to use. 63 64=item B<-help> 65 66Print out a usage message. 67 68=item B<-list> 69 70List all supported ciphers. 71 72=item B<-ciphers> 73 74Alias of -list to display all supported ciphers. 75 76=item B<-in> I<filename> 77 78The input filename, standard input by default. 79 80=item B<-out> I<filename> 81 82The output filename, standard output by default. 83 84=item B<-pass> I<arg> 85 86The password source. For more information about the format of I<arg> 87see L<openssl-passphrase-options(1)>. 88 89=item B<-e> 90 91Encrypt the input data: this is the default. 92 93=item B<-d> 94 95Decrypt the input data. 96 97=item B<-a> 98 99Base64 process the data. This means that if encryption is taking place 100the data is base64 encoded after encryption. If decryption is set then 101the input data is base64 decoded before being decrypted. 102 103When the B<-A> option not given, 104on encoding a newline is inserted after each 64 characters, and 105on decoding a newline is expected among the first 1024 bytes of input. 106 107=item B<-base64> 108 109Same as B<-a> 110 111=item B<-A> 112 113If the B<-a> option is set then base64 encoding produces output without any 114newline character, and base64 decoding does not require any newlines. 115Therefore it can be helpful to use the B<-A> option when decoding unknown input. 116 117=item B<-k> I<password> 118 119The password to derive the key from. This is for compatibility with previous 120versions of OpenSSL. Superseded by the B<-pass> argument. 121 122=item B<-kfile> I<filename> 123 124Read the password to derive the key from the first line of I<filename>. 125This is for compatibility with previous versions of OpenSSL. Superseded by 126the B<-pass> argument. 127 128=item B<-md> I<digest> 129 130Use the specified digest to create the key from the passphrase. 131The default algorithm is sha-256. 132 133=item B<-iter> I<count> 134 135Use a given number of iterations on the password in deriving the encryption key. 136High values increase the time required to brute-force the resulting file. 137This option enables the use of PBKDF2 algorithm to derive the key. 138 139=item B<-pbkdf2> 140 141Use PBKDF2 algorithm with a default iteration count of 10000 142unless otherwise specified by the B<-iter> command line option. 143 144=item B<-saltlen> 145 146Set the salt length to use when using the B<-pbkdf2> option. 147For compatibility reasons, the default is 8 bytes. 148The maximum value is currently 16 bytes. 149If the B<-pbkdf2> option is not used, then this option is ignored 150and a fixed salt length of 8 is used. The salt length used when 151encrypting must also be used when decrypting. 152 153=item B<-nosalt> 154 155Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be 156used except for test purposes or compatibility with ancient versions of 157OpenSSL. 158 159=item B<-salt> 160 161Use salt (randomly generated or provide with B<-S> option) when 162encrypting, this is the default. 163 164=item B<-S> I<salt> 165 166The actual salt to use: this must be represented as a string of hex digits. 167If this option is used while encrypting, the same exact value will be needed 168again during decryption. This salt may be truncated or zero padded to 169match the salt length (See B<-saltlen>). 170 171=item B<-K> I<key> 172 173The actual key to use: this must be represented as a string comprised only 174of hex digits. If only the key is specified, the IV must additionally specified 175using the B<-iv> option. When both a key and a password are specified, the 176key given with the B<-K> option will be used and the IV generated from the 177password will be taken. It does not make much sense to specify both key 178and password. 179 180=item B<-iv> I<IV> 181 182The actual IV to use: this must be represented as a string comprised only 183of hex digits. When only the key is specified using the B<-K> option, the 184IV must explicitly be defined. When a password is being specified using 185one of the other options, the IV is generated from this password. 186 187=item B<-p> 188 189Print out the key and IV used. 190 191=item B<-P> 192 193Print out the key and IV used then immediately exit: don't do any encryption 194or decryption. 195 196=item B<-bufsize> I<number> 197 198Set the buffer size for I/O. 199 200=item B<-nopad> 201 202Disable standard block padding. 203 204=item B<-v> 205 206Verbose print; display some statistics about I/O and buffer sizes. 207 208=item B<-debug> 209 210Debug the BIOs used for I/O. 211 212=item B<-z> 213 214Compress or decompress encrypted data using zlib after encryption or before 215decryption. This option exists only if OpenSSL was compiled with the zlib 216or zlib-dynamic option. 217 218=item B<-none> 219 220Use NULL cipher (no encryption or decryption of input). 221 222=item B<-skeymgmt> I<skeymgmt> 223 224Some providers may support opaque symmetric keys objects. To use them, we need 225to know the name of the B<EVP_SKEYMGMT> to be used. If not specified, the name 226of the cipher will be used. 227 228To find out the name of the suitable symmetric key management, 229please refer to the output of the C<openssl list -skey-managers> command. 230 231=item B<-skeyopt> I<opt>:I<value> 232 233To obtain an existing opaque symmetric key or generate a new one, key 234options are specified as opt:value. These options can't be used together with 235any options implying raw key directly or indirectly. 236 237{- $OpenSSL::safe::opt_r_item -} 238 239{- $OpenSSL::safe::opt_provider_item -} 240 241{- $OpenSSL::safe::opt_engine_item -} 242 243=back 244 245=head1 NOTES 246 247The program can be called either as C<openssl I<cipher>> or 248C<openssl enc -I<cipher>>. The first form doesn't work with 249engine-provided ciphers, because this form is processed before the 250configuration file is read and any ENGINEs loaded. 251Use the L<openssl-list(1)> command to get a list of supported ciphers. 252 253Engines which provide entirely new encryption algorithms (such as the ccgost 254engine which provides gost89 algorithm) should be configured in the 255configuration file. Engines specified on the command line using B<-engine> 256option can only be used for hardware-assisted implementations of 257ciphers which are supported by the OpenSSL core or another engine specified 258in the configuration file. 259 260When the enc command lists supported ciphers, ciphers provided by engines, 261specified in the configuration files are listed too. 262 263A password will be prompted for to derive the key and IV if necessary. 264 265The B<-salt> option should B<ALWAYS> be used if the key is being derived 266from a password unless you want compatibility with previous versions of 267OpenSSL. 268 269Without the B<-salt> option it is possible to perform efficient dictionary 270attacks on the password and to attack stream cipher encrypted data. The reason 271for this is that without the salt the same password always generates the same 272encryption key. 273 274When the salt is generated at random (that means when encrypting using a 275passphrase without explicit salt given using B<-S> option), the first bytes 276of the encrypted data are reserved to store the salt for later decrypting. 277 278Some of the ciphers do not have large keys and others have security 279implications if not used correctly. A beginner is advised to just use 280a strong block cipher, such as AES, in CBC mode. 281 282All the block ciphers normally use PKCS#5 padding, also known as standard 283block padding. This allows a rudimentary integrity or password check to 284be performed. However, since the chance of random data passing the test 285is better than 1 in 256 it isn't a very good test. 286 287If padding is disabled then the input data must be a multiple of the cipher 288block length. 289 290All RC2 ciphers have the same key and effective key length. 291 292Blowfish and RC5 algorithms use a 128 bit key. 293 294Please note that OpenSSL 3.0 changed the effect of the B<-S> option. 295Any explicit salt value specified via this option is no longer prepended to the 296ciphertext when encrypting, and must again be explicitly provided when decrypting. 297Conversely, when the B<-S> option is used during decryption, the ciphertext 298is expected to not have a prepended salt value. 299 300When using OpenSSL 3.0 or later to decrypt data that was encrypted with an 301explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will 302then be read from the ciphertext. 303To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use 304the B<-S> option, the salt will be then be generated randomly and prepended 305to the output. 306 307=head1 SUPPORTED CIPHERS 308 309Note that some of these ciphers can be disabled at compile time 310and some are available only if an appropriate engine is configured 311in the configuration file. The output when invoking this command 312with the B<-list> option (that is C<openssl enc -list>) is 313a list of ciphers, supported by your version of OpenSSL, including 314ones provided by configured engines. 315 316This command does not support authenticated encryption modes 317like CCM and GCM, and will not support such modes in the future. 318This is due to having to begin streaming output (e.g., to standard output 319when B<-out> is not used) before the authentication tag could be validated. 320When this command is used in a pipeline, the receiving end will not be 321able to roll back upon authentication failure. The AEAD modes currently in 322common use also suffer from catastrophic failure of confidentiality and/or 323integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the 324entire burden of key/iv/nonce management upon the user, the risk of 325exposing AEAD modes is too great to allow. These key/iv/nonce 326management issues also affect other modes currently exposed in this command, 327but the failure modes are less extreme in these cases, and the 328functionality cannot be removed with a stable release branch. 329For bulk encryption of data, whether using authenticated encryption 330modes or other modes, L<openssl-cms(1)> is recommended, as it provides a 331standard data format and performs the needed key/iv/nonce management. 332 333When enc is used with key wrapping modes the input data cannot be streamed, 334meaning it must be processed in a single pass. 335Consequently, the input data size must be less than 336the buffer size (-bufsize arg, default to 8*1024 bytes). 337The '*-wrap' ciphers require the input to be a multiple of 8 bytes long, 338because no padding is involved. 339The '*-wrap-pad' ciphers allow any input length. 340In both cases, no IV is needed. See example below. 341 342 343 base64 Base 64 344 345 bf-cbc Blowfish in CBC mode 346 bf Alias for bf-cbc 347 blowfish Alias for bf-cbc 348 bf-cfb Blowfish in CFB mode 349 bf-ecb Blowfish in ECB mode 350 bf-ofb Blowfish in OFB mode 351 352 cast-cbc CAST in CBC mode 353 cast Alias for cast-cbc 354 cast5-cbc CAST5 in CBC mode 355 cast5-cfb CAST5 in CFB mode 356 cast5-ecb CAST5 in ECB mode 357 cast5-ofb CAST5 in OFB mode 358 359 chacha20 ChaCha20 algorithm 360 361 des-cbc DES in CBC mode 362 des Alias for des-cbc 363 des-cfb DES in CFB mode 364 des-ofb DES in OFB mode 365 des-ecb DES in ECB mode 366 367 des-ede-cbc Two key triple DES EDE in CBC mode 368 des-ede Two key triple DES EDE in ECB mode 369 des-ede-cfb Two key triple DES EDE in CFB mode 370 des-ede-ofb Two key triple DES EDE in OFB mode 371 372 des-ede3-cbc Three key triple DES EDE in CBC mode 373 des-ede3 Three key triple DES EDE in ECB mode 374 des3 Alias for des-ede3-cbc 375 des-ede3-cfb Three key triple DES EDE CFB mode 376 des-ede3-ofb Three key triple DES EDE in OFB mode 377 378 desx DESX algorithm. 379 380 gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) 381 gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine) 382 383 idea-cbc IDEA algorithm in CBC mode 384 idea same as idea-cbc 385 idea-cfb IDEA in CFB mode 386 idea-ecb IDEA in ECB mode 387 idea-ofb IDEA in OFB mode 388 389 rc2-cbc 128 bit RC2 in CBC mode 390 rc2 Alias for rc2-cbc 391 rc2-cfb 128 bit RC2 in CFB mode 392 rc2-ecb 128 bit RC2 in ECB mode 393 rc2-ofb 128 bit RC2 in OFB mode 394 rc2-64-cbc 64 bit RC2 in CBC mode 395 rc2-40-cbc 40 bit RC2 in CBC mode 396 397 rc4 128 bit RC4 398 rc4-64 64 bit RC4 399 rc4-40 40 bit RC4 400 401 rc5-cbc RC5 cipher in CBC mode 402 rc5 Alias for rc5-cbc 403 rc5-cfb RC5 cipher in CFB mode 404 rc5-ecb RC5 cipher in ECB mode 405 rc5-ofb RC5 cipher in OFB mode 406 407 seed-cbc SEED cipher in CBC mode 408 seed Alias for seed-cbc 409 seed-cfb SEED cipher in CFB mode 410 seed-ecb SEED cipher in ECB mode 411 seed-ofb SEED cipher in OFB mode 412 413 sm4-cbc SM4 cipher in CBC mode 414 sm4 Alias for sm4-cbc 415 sm4-cfb SM4 cipher in CFB mode 416 sm4-ctr SM4 cipher in CTR mode 417 sm4-ecb SM4 cipher in ECB mode 418 sm4-ofb SM4 cipher in OFB mode 419 420 aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode 421 aes[128|192|256] Alias for aes-[128|192|256]-cbc 422 aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode 423 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode 424 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode 425 aes-[128|192|256]-ctr 128/192/256 bit AES in CTR mode 426 aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode 427 aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode 428 429 aes-[128|192|256]-wrap key wrapping using 128/192/256 bit AES 430 aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES 431 432 aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode 433 aria[128|192|256] Alias for aria-[128|192|256]-cbc 434 aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode 435 aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode 436 aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode 437 aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode 438 aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode 439 aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode 440 441 camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode 442 camellia[128|192|256] Alias for camellia-[128|192|256]-cbc 443 camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode 444 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode 445 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode 446 camellia-[128|192|256]-ctr 128/192/256 bit Camellia in CTR mode 447 camellia-[128|192|256]-ecb 128/192/256 bit Camellia in ECB mode 448 camellia-[128|192|256]-ofb 128/192/256 bit Camellia in OFB mode 449 450=head1 EXAMPLES 451 452Just base64 encode a binary file: 453 454 openssl base64 -in file.bin -out file.b64 455 456Decode the same file 457 458 openssl base64 -d -in file.b64 -out file.bin 459 460Encrypt a file using AES-128 using a prompted password 461and PBKDF2 key derivation: 462 463 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128 464 465Decrypt a file using a supplied password: 466 467 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \ 468 -pass pass:<password> 469 470Encrypt a file then base64 encode it (so it can be sent via mail for example) 471using AES-256 in CTR mode and PBKDF2 key derivation: 472 473 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256 474 475Base64 decode a file then decrypt it using a password supplied in a file: 476 477 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \ 478 -pass file:<passfile> 479 480AES key wrapping: 481 482 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin 483or 484 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin 485 486=head1 BUGS 487 488The B<-A> option when used with large files doesn't work properly. 489On the other hand, when base64 decoding without the B<-A> option, 490if the first 1024 bytes of input do not include a newline character 491the first two lines of input are ignored. 492 493The B<openssl enc> command only supports a fixed number of algorithms with 494certain parameters. So if, for example, you want to use RC2 with a 49576 bit key or RC4 with an 84 bit key you can't use this program. 496 497=head1 SEE ALSO 498 499L<openssl-list(1)>, L<EVP_SKEY(3)> 500 501=head1 HISTORY 502 503The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. 504 505The B<-list> option was added in OpenSSL 1.1.1e. 506 507The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0. 508 509The B<-saltlen> option was added in OpenSSL 3.2. 510 511The B<-skeymgmt> and B<-skeyopt> options were added in OpenSSL 3.5. 512 513=head1 COPYRIGHT 514 515Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. 516 517Licensed under the Apache License 2.0 (the "License"). You may not use 518this file except in compliance with the License. You can obtain a copy 519in the file LICENSE in the source distribution or at 520L<https://www.openssl.org/source/license.html>. 521 522=cut 523