=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-enc - symmetric cipher routines

=head1 SYNOPSIS

B<openssl> B<enc>|I<cipher>
[B<-I<cipher>>]
[B<-help>]
[B<-list>]
[B<-ciphers>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-pass> I<arg>]
[B<-e>]
[B<-d>]
[B<-a>]
[B<-base64>]
[B<-A>]
[B<-k> I<password>]
[B<-kfile> I<filename>]
[B<-K> I<key>]
[B<-iv> I<IV>]
[B<-S> I<salt>]
[B<-salt>]
[B<-nosalt>]
[B<-z>]
[B<-md> I<digest>]
[B<-iter> I<count>]
[B<-pbkdf2>]
[B<-saltlen> I<size>]
[B<-p>]
[B<-P>]
[B<-bufsize> I<number>]
[B<-nopad>]
[B<-v>]
[B<-debug>]
[B<-none>]
[B<-skeymgmt> I<skeymgmt>]
[B<-skeyopt> I<opt>:I<value>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}

B<openssl> I<cipher> [B<...>]

=head1 DESCRIPTION

The symmetric cipher commands allow data to be encrypted or decrypted
using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.

=head1 OPTIONS

=over 4

=item B<-I<cipher>>

The cipher to use.

=item B<-help>

Print out a usage message.

=item B<-list>

List all supported ciphers.

=item B<-ciphers>

Alias of B<-list> to display all supported ciphers.

=item B<-in> I<filename>

The input filename, standard input by default.

=item B<-out> I<filename>

The output filename, standard output by default.

=item B<-pass> I<arg>

The password source. For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.

=item B<-e>

Encrypt the input data: this is the default.

=item B<-d>

Decrypt the input data.

=item B<-a>

Base64 process the data.
This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.

When the B<-A> option is not given,
on encoding a newline is inserted after each 64 characters, and
on decoding a newline is expected among the first 1024 bytes of input.

=item B<-base64>

Same as B<-a>.

=item B<-A>

If the B<-a> option is set then base64 encoding produces output without any
newline character, and base64 decoding does not require any newlines.
Therefore it can be helpful to use the B<-A> option when decoding unknown input.

=item B<-k> I<password>

The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the B<-pass> argument.

=item B<-kfile> I<filename>

Read the password to derive the key from the first line of I<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.

=item B<-md> I<digest>

Use the specified digest to create the key from the passphrase.
The default algorithm is sha-256.

=item B<-iter> I<count>

Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
This option enables the use of the PBKDF2 algorithm to derive the key.

=item B<-pbkdf2>

Use the PBKDF2 algorithm with a default iteration count of 10000
unless otherwise specified by the B<-iter> command line option.

=item B<-saltlen> I<size>

Set the salt length to use when using the B<-pbkdf2> option.
For compatibility reasons, the default is 8 bytes.
The maximum value is currently 16 bytes.
If the B<-pbkdf2> option is not used, then this option is ignored
and a fixed salt length of 8 is used. The salt length used when
encrypting must also be used when decrypting.

=item B<-nosalt>

Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
used except for test purposes or compatibility with ancient versions of
OpenSSL.

=item B<-salt>

Use a salt (randomly generated or provided with the B<-S> option) when
encrypting; this is the default.

=item B<-S> I<salt>

The actual salt to use: this must be represented as a string of hex digits.
If this option is used while encrypting, the same exact value will be needed
again during decryption. This salt may be truncated or zero padded to
match the salt length (see B<-saltlen>).

=item B<-K> I<key>

The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the IV must additionally be
specified using the B<-iv> option. When both a key and a password are
specified, the key given with the B<-K> option will be used and the IV
generated from the password will be taken. It does not make much sense to
specify both a key and a password.

=item B<-iv> I<IV>

The actual IV to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the B<-K> option, the
IV must explicitly be defined. When a password is being specified using
one of the other options, the IV is generated from this password.

=item B<-p>

Print out the key and IV used.

=item B<-P>

Print out the key and IV used then immediately exit: don't do any encryption
or decryption.

=item B<-bufsize> I<number>[B<k>]

Set the buffer size for I/O.
The maximum size that can be specified is B<2^31-1> (2147483647) bytes.
The B<k> suffix can be specified to indicate that I<number> is provided
in kibibytes (multiples of 1024 bytes).

=item B<-nopad>

Disable standard block padding.

=item B<-v>

Verbose print; display some statistics about I/O and buffer sizes.

=item B<-debug>

Debug the BIOs used for I/O.

=item B<-z>

Compress or decompress encrypted data using zlib after encryption or before
decryption. This option exists only if OpenSSL was compiled with the zlib
or zlib-dynamic option.

=item B<-none>

Use the NULL cipher (no encryption or decryption of input).

=item B<-skeymgmt> I<skeymgmt>

Some providers may support opaque symmetric key objects. To use them, we need
to know the name of the B<EVP_SKEYMGMT> to be used. If not specified, the name
of the cipher will be used.

To find out the name of the suitable symmetric key management,
please refer to the output of the C<openssl list -skey-managers> command.

=item B<-skeyopt> I<opt>:I<value>

To obtain an existing opaque symmetric key or generate a new one, key
options are specified as I<opt>:I<value>. These options can't be used together
with any options implying a raw key directly or indirectly.

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_provider_item -}

{- $OpenSSL::safe::opt_engine_item -}

=back

=head1 NOTES

The program can be called either as C<openssl I<cipher>> or
C<openssl enc -I<cipher>>. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the L<openssl-list(1)> command to get a list of supported ciphers.

Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides the gost89 algorithm) should be configured in the
configuration file. Engines specified on the command line using the B<-engine>
option can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.

When the enc command lists supported ciphers, ciphers provided by engines
specified in the configuration files are listed too.

A password will be prompted for to derive the key and IV if necessary.

The B<-salt> option should B<ALWAYS> be used if the key is being derived
from a password unless you want compatibility with previous versions of
OpenSSL.

Without the B<-salt> option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
for this is that without the salt the same password always generates the same
encryption key.

When the salt is generated at random (that is, when encrypting using a
passphrase without an explicit salt given using the B<-S> option), the first
bytes of the encrypted data are reserved to store the salt for later
decryption.

Some of the ciphers do not have large keys and others have security
implications if not used correctly. A beginner is advised to just use
a strong block cipher, such as AES, in CBC mode.

All the block ciphers normally use PKCS#7 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
be performed. However, since the chance of random data passing the test
is better than 1 in 256 it isn't a very good test.

If padding is disabled then the input data must be a multiple of the cipher
block length.

All RC2 ciphers have the same key and effective key length.

Blowfish and RC5 algorithms use a 128 bit key.

Please note that OpenSSL 3.0 changed the effect of the B<-S> option.
Any explicit salt value specified via this option is no longer prepended to the
ciphertext when encrypting, and must again be explicitly provided when decrypting.
Conversely, when the B<-S> option is used during decryption, the ciphertext
is expected to not have a prepended salt value.
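
The following is an added example and is not part of this manual page or of
OpenSSL's own code. It rebuilds in pure Python the pieces of a
password-encrypted B<openssl enc> file that surround the cipher itself: the
salt header written when B<-S> is not used, key and IV derivation from the
password with and without B<-pbkdf2>, and the PKCS#7 padding check whose
weakness as an integrity test is described above. Three details are taken
from OpenSSL's implementation rather than from this page and should be read
as assumptions: the 8-byte C<Salted__> marker in front of the salt, the
EVP_BytesToKey derivation used when B<-pbkdf2> is not given, and the PBKDF2
output being split as key followed by IV. The password, salt and ciphertext
bytes used below are constructed sample values.

```python
"""Pieces of a password-encrypted "openssl enc" file, other than the cipher.

Added example, not OpenSSL's code.  Assumed from OpenSSL's implementation
rather than from the manual page: the 8-byte b"Salted__" marker, the
EVP_BytesToKey derivation used when -pbkdf2 is absent, and PBKDF2
producing key||IV in one derivation.
"""
import hashlib
import os
from fractions import Fraction

MAGIC = b"Salted__"          # written before the salt when -S is not given
DEFAULT_ITER = 10000         # -pbkdf2 default iteration count (from the page)


def derive_key_iv_pbkdf2(password, salt, key_len, iv_len,
                         iterations=DEFAULT_ITER, md="sha256"):
    """-pbkdf2 / -iter path: one PBKDF2-HMAC call yields key followed by IV."""
    dk = hashlib.pbkdf2_hmac(md, password, salt, iterations,
                             dklen=key_len + iv_len)
    return dk[:key_len], dk[key_len:]


def derive_key_iv_legacy(password, salt, key_len, iv_len, md="sha256"):
    """Default path (no -pbkdf2): EVP_BytesToKey with a single hash pass,
    D1 = H(pw||salt), Di = H(D(i-1)||pw||salt), output D1||D2||... cut to size.
    One hash per block is why this is cheap to brute-force compared with -iter."""
    out = prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def build_salted(ciphertext, salt):
    """Layout written when encrypting with a random salt: magic, salt, data."""
    return MAGIC + salt + ciphertext


def split_salted(blob, salt_len=8):
    """Recover salt and ciphertext.  Data made with -S (3.0+) or -nosalt has no
    header, so the salt must then be supplied on the command line instead."""
    hdr = len(MAGIC) + salt_len
    if not blob.startswith(MAGIC) or len(blob) < hdr:
        raise ValueError("no Salted__ header: pass the salt with -S")
    return blob[len(MAGIC):hdr], blob[hdr:]


def pkcs7_pad(data, block_size=16):
    """Standard block padding: n bytes of value n, 1 <= n <= block_size."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=16):
    """The 'rudimentary integrity or password check': a wrong key yields a
    random final block, which fails this test most (but not all) of the time."""
    if not data or len(data) % block_size:
        raise ValueError("bad decrypt: length not a multiple of block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt: padding check failed")
    return data[:-n]


def padding_false_accept_probability(block_size=16):
    """Share of random final blocks pkcs7_unpad accepts: sum_{n=1..bs} 256**-n.
    This is just under 1/255, i.e. 'better than 1 in 256' as the page says."""
    return sum(Fraction(1, 256 ** n) for n in range(1, block_size + 1))


def demo(password=b"correct horse", salt_len=8):
    """Mimic 'enc -aes-256-cbc -pbkdf2 -p': derive key/IV for a fresh random
    salt and wrap a constructed stand-in for the AES output in the header."""
    salt = os.urandom(salt_len)
    key, iv = derive_key_iv_pbkdf2(password, salt, key_len=32, iv_len=16)
    blob = build_salted(b"<ciphertext>", salt)       # constructed body
    assert split_salted(blob, salt_len) == (salt, b"<ciphertext>")
    return salt, key, iv


if __name__ == "__main__":
    s, k, v = demo()
    print("salt=%s\nkey=%s\niv =%s" % (s.hex().upper(), k.hex().upper(),
                                       v.hex().upper()))
    print("padding false-accept rate: %s"
          % float(padding_false_accept_probability()))
```

Run as a script it prints a salt, key and IV in the same shape as B<-p>
does. The two derivation functions make the B<-salt> and B<-pbkdf2> advice
concrete: with an empty salt the legacy function returns the same key for the
same password every time, and it costs a single hash per output block,
whereas PBKDF2 with the default 10000 iterations makes each password guess
correspondingly more expensive.
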

When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
explicit salt under OpenSSL 1.1.1, do not use the B<-S> option; the salt will
then be read from the ciphertext.
To generate ciphertext that can be decrypted with OpenSSL 1.1.1, do not use
the B<-S> option; the salt will then be generated randomly and prepended
to the output.

=head1 SUPPORTED CIPHERS

Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output when invoking this command
with the B<-list> option (that is C<openssl enc -list>) is
a list of ciphers supported by your version of OpenSSL, including
ones provided by configured engines.

This command does not support authenticated encryption modes
like CCM and GCM, and will not support such modes in the future.
This is due to having to begin streaming output (e.g., to standard output
when B<-out> is not used) before the authentication tag could be validated.
When this command is used in a pipeline, the receiving end will not be
able to roll back upon authentication failure. The AEAD modes currently in
common use also suffer from catastrophic failure of confidentiality and/or
integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing AEAD modes is too great to allow. These key/iv/nonce
management issues also affect other modes currently exposed in this command,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed with a stable release branch.
For bulk encryption of data, whether using authenticated encryption
modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.

When enc is used with key wrapping modes the input data cannot be streamed,
meaning it must be processed in a single pass.
Consequently, the input data size must be less than
the buffer size (the B<-bufsize> argument, which defaults to 8*1024 bytes).
The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
because no padding is involved.
The '*-wrap-pad' ciphers allow any input length.
In both cases, no IV is needed. See the example below.

 base64             Base 64

 bf-cbc             Blowfish in CBC mode
 bf                 Alias for bf-cbc
 blowfish           Alias for bf-cbc
 bf-cfb             Blowfish in CFB mode
 bf-ecb             Blowfish in ECB mode
 bf-ofb             Blowfish in OFB mode

 cast-cbc           CAST in CBC mode
 cast               Alias for cast-cbc
 cast5-cbc          CAST5 in CBC mode
 cast5-cfb          CAST5 in CFB mode
 cast5-ecb          CAST5 in ECB mode
 cast5-ofb          CAST5 in OFB mode

 chacha20           ChaCha20 algorithm

 des-cbc            DES in CBC mode
 des                Alias for des-cbc
 des-cfb            DES in CFB mode
 des-ofb            DES in OFB mode
 des-ecb            DES in ECB mode

 des-ede-cbc        Two key triple DES EDE in CBC mode
 des-ede            Two key triple DES EDE in ECB mode
 des-ede-cfb        Two key triple DES EDE in CFB mode
 des-ede-ofb        Two key triple DES EDE in OFB mode

 des-ede3-cbc       Three key triple DES EDE in CBC mode
 des-ede3           Three key triple DES EDE in ECB mode
 des3               Alias for des-ede3-cbc
 des-ede3-cfb       Three key triple DES EDE in CFB mode
 des-ede3-ofb       Three key triple DES EDE in OFB mode

 desx               DESX algorithm.

 gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
 gost89-cnt         GOST 28147-89 in CNT mode (provided by ccgost engine)

 idea-cbc           IDEA algorithm in CBC mode
 idea               Same as idea-cbc
 idea-cfb           IDEA in CFB mode
 idea-ecb           IDEA in ECB mode
 idea-ofb           IDEA in OFB mode

 rc2-cbc            128 bit RC2 in CBC mode
 rc2                Alias for rc2-cbc
 rc2-cfb            128 bit RC2 in CFB mode
 rc2-ecb            128 bit RC2 in ECB mode
 rc2-ofb            128 bit RC2 in OFB mode
 rc2-64-cbc         64 bit RC2 in CBC mode
 rc2-40-cbc         40 bit RC2 in CBC mode

 rc4                128 bit RC4
 rc4-64             64 bit RC4
 rc4-40             40 bit RC4

 rc5-cbc            RC5 cipher in CBC mode
 rc5                Alias for rc5-cbc
 rc5-cfb            RC5 cipher in CFB mode
 rc5-ecb            RC5 cipher in ECB mode
 rc5-ofb            RC5 cipher in OFB mode

 seed-cbc           SEED cipher in CBC mode
 seed               Alias for seed-cbc
 seed-cfb           SEED cipher in CFB mode
 seed-ecb           SEED cipher in ECB mode
 seed-ofb           SEED cipher in OFB mode

 sm4-cbc            SM4 cipher in CBC mode
 sm4                Alias for sm4-cbc
 sm4-cfb            SM4 cipher in CFB mode
 sm4-ctr            SM4 cipher in CTR mode
 sm4-ecb            SM4 cipher in ECB mode
 sm4-ofb            SM4 cipher in OFB mode

 aes-[128|192|256]-cbc       128/192/256 bit AES in CBC mode
 aes[128|192|256]            Alias for aes-[128|192|256]-cbc
 aes-[128|192|256]-cfb       128/192/256 bit AES in 128 bit CFB mode
 aes-[128|192|256]-cfb1      128/192/256 bit AES in 1 bit CFB mode
 aes-[128|192|256]-cfb8      128/192/256 bit AES in 8 bit CFB mode
 aes-[128|192|256]-ctr       128/192/256 bit AES in CTR mode
 aes-[128|192|256]-ecb       128/192/256 bit AES in ECB mode
 aes-[128|192|256]-ofb       128/192/256 bit AES in OFB mode

 aes-[128|192|256]-wrap      key wrapping using 128/192/256 bit AES
 aes-[128|192|256]-wrap-pad  key wrapping with padding using 128/192/256 bit AES

 aria-[128|192|256]-cbc      128/192/256 bit ARIA in CBC mode
 aria[128|192|256]           Alias for aria-[128|192|256]-cbc
 aria-[128|192|256]-cfb      128/192/256 bit ARIA in 128 bit CFB mode
 aria-[128|192|256]-cfb1     128/192/256 bit ARIA in 1 bit CFB mode
 aria-[128|192|256]-cfb8     128/192/256 bit ARIA in 8 bit CFB mode
 aria-[128|192|256]-ctr      128/192/256 bit ARIA in CTR mode
 aria-[128|192|256]-ecb      128/192/256 bit ARIA in ECB mode
 aria-[128|192|256]-ofb      128/192/256 bit ARIA in OFB mode

 camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
 camellia[128|192|256]       Alias for camellia-[128|192|256]-cbc
 camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode
 camellia-[128|192|256]-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
 camellia-[128|192|256]-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
 camellia-[128|192|256]-ctr  128/192/256 bit Camellia in CTR mode
 camellia-[128|192|256]-ecb  128/192/256 bit Camellia in ECB mode
 camellia-[128|192|256]-ofb  128/192/256 bit Camellia in OFB mode

=head1 EXAMPLES

Just base64 encode a binary file:

 openssl base64 -in file.bin -out file.b64

Decode the same file:

 openssl base64 -d -in file.b64 -out file.bin

Encrypt a file using AES-128 using a prompted password
and PBKDF2 key derivation:

 openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128

Decrypt a file using a supplied password:

 openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
    -pass pass:<password>

Encrypt a file then base64 encode it (so it can be sent via mail for example)
using AES-256 in CTR mode and PBKDF2 key derivation:

 openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256

Base64 decode a file then decrypt it using a password supplied in a file:

 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
    -pass file:<passfile>

AES key wrapping:

 openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin

or

 openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin

=head1 BUGS

The B<-A> option when used with large files doesn't work properly.
On the other hand, when base64 decoding without the B<-A> option,
if the first 1024 bytes of input do not include a newline character
the first two lines of input are ignored.

The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
76 bit key or RC4 with an 84 bit key you can't use this program.

=head1 SEE ALSO

L<openssl-list(1)>, L<EVP_SKEY(3)>

=head1 HISTORY

The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.

The B<-list> option was added in OpenSSL 1.1.1e.

The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.

The B<-saltlen> option was added in OpenSSL 3.2.

The B<-skeymgmt> and B<-skeyopt> options were added in OpenSSL 3.5.

=head1 COPYRIGHT

Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut