I'm trying to encrypt a stdout stream to a file located on a removable drive.
However, as the drive can be removed at an arbitrary time, I am wondering how to manage this?
I have tried using openssl and a 256-bit AES cipher but unsurprisingly I get block length errors on the decrypt.
My bash scripts do this:
Encrypt:
openssl aes-256-cbc -a -salt -pass file:"$KEY_FILE"
Decrypt:
openssl aes-256-cbc -d -a -pass file:"$KEY_FILE"
Unfortunately I'm on an embedded system so not many binaries included beyond what is necessary. Bash and openssl are present however.
Related
I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl -e -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
and decrypted with
openssl -d -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching stackoverflow but don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example I can't work out how to get the iv to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.
I'm using the OpenWrt Linux distribution and I want to encrypt a file using AES.
How can I do that quickly and easily, and how can I—or someone else—decrypt it again?
The quickest and easiest way is to use openssl util (provided by openssl-util package). For example, to encrypt a file, issue the following command:
openssl enc -aes-256-cbc -in file.txt -out file.enc
To decrypt:
openssl enc -d -aes-256-cbc -in file.enc -out file.dec
The openssl encryption is not a good solution according to this, so please don't use it.
I've used https://www.aescrypt.com/ in the past and I was happy with it. If you want something that has been around for a while - that's not a bad start. It also has both a UI and a cli.
The fact that there is no small, easy to use and super simple cli tool for this purpose annoyed me so much that I sat down and wrote this
https://github.com/ro-tex/aes256cli. I literally wrote it while this discussion was open on my screen, so I'm making no claims as to how good of a solution it is. I just wanted something that will do what I need with zero friction and this is good enough for me.
To encode:
cat 'yourfile' | openssl aes-128-cbc > 'encrypted file'
To decode: First, you have to remember your password which you used to encode, then:
cat 'encrypted file' | openssl enc -d -aes-128-cbc -k 'Your password' > 'decrypted file'
I recall when I was using ColdFusion years ago that you could encrypt CF scripts to protect the code and CF could still execute them.
Does any such capacity exist for gnuplot? My guess is it does not.
Gnuplot itself cannot handle encrypted files, but you can use an external tool like openssl to encrypt and decrypt your scripts and pipe the decrypted script to gnuplot:
Encrypt:
openssl aes-256-cbc -in foobar.gp -out foobar-enc.gp -pass file:foobar.pwd
Decrypt and execute gnuplot:
openssl aes-256-cbc -d -in foobar-enc.gp -pass file:foobar.pwd | gnuplot
That capacity does not exist in gnuplot.
When using openssl to encrypt/decrypt data and the AES cipher, my command will look something like this:
openssl enc -aes-256-cbc -in message_file -K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A -S 2C6A1B8EAACA302D -e -out message_file.enc
This places the key, iv, and salt in my process title that is visible in top/ps. Is there a way to AES encrypt a file with openssl (or even another alternative if not) without revealing this information? I did not see an option to grab these strings from files.
RSA encryption:
http://bsdsupport.org/q-how-do-i-use-openssl-to-encrypt-files/
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
AES encryption:
Based on the results of openssl enc -h
openssl enc -aes-128-cbc -in foo -out foo.enc -kfile passwordfile
And here's the result of openssl enc -h. Note the description of -kfile
root#bt:/tmp# openssl enc -h
unknown option '-h'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ecb -aes-128-ofb
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ecb -aes-192-ofb
-aes-256-cbc -aes-256-cfb -aes-256-cfb1
-aes-256-cfb8 -aes-256-ecb -aes-256-ofb
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb
-des-cfb1 -des-cfb8 -des-ecb
-des-ede -des-ede-cbc -des-ede-cfb
-des-ede-ofb -des-ede3 -des-ede3-cbc
-des-ede3-cfb -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
openssl can take commands from stdin
For example if onetime_keyfile specifies the key and IV with the following contents
-K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A
Then the following commands will encrypt a file using that information
umask 077
echo -n "enc -aes-256-cbc -in message_file -out message_file.enc " > encrypt_command_file
cat onetime_keyfile >> encrypt_command_file
openssl < encrypt_command_file
Note that in your question you specify both key, initialization vector and salt. The salt argument is ignored in that case; salt is only used to derive key and iv from a pass phrase. If you specify key and iv explicitly, then you should use your own salt algorithm to generate a unique key and iv for each file that you encrypt. So in practical use, the file onetime_keyfile in the example above should be generated as output from another program.
Refer to https://www.openssl.org/docs/crypto/EVP_BytesToKey.html for details of the standard algorithm for generating key and IV from pass phrase and salt.
If you are not doing your own salting, you are probably better to use the -kfile or -pass option to read a pass phrase from a file.
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string.
This encrypted string ( in human readable format ) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with openssl commandline.
Here's one way to encrypt a string with openssl on the command line (must enter password twice):
echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Here's what the output looks like:
U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm
Edit: To my knowledge, you can't control the number of bytes out. You can b64 or hex encode it, but that's about it. Also, if you want to save that string to a file rather than stdout, use the -out option.
Try this:
echo 'foo' | openssl aes-256-cbc -a -salt
echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt
Run
openssl list-cipher-commands
to list all available ciphers.
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]
I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of
Format-Preserving Encryption. There's a lot to the paper, and it can't fit into a single paragraph on Stack Overflow.
If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you'd need a shorter string of length 12 characters to achieve 16 human readable characters.
As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):
$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password
cSTzU8+UPQQwpRAq
Also, you really need to understand te -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).
try this
$ echo "a_byte_character" | openssl enc -base64
and you have 100+ Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ctr -aes-192-ecb
-aes-192-gcm -aes-192-ofb -aes-256-cbc
-aes-256-cfb -aes-256-cfb1 -aes-256-cfb8
-aes-256-ctr -aes-256-ecb -aes-256-gcm
-aes-256-ofb -aes-256-xts -aes128
-aes192 -aes256 -bf
-bf-cbc -bf-cfb -bf-ecb
-bf-ofb -blowfish -camellia-128-cbc
-camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8
-camellia-128-ecb -camellia-128-ofb -camellia-192-cbc
-camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8
-camellia-192-ecb -camellia-192-ofb -camellia-256-cbc
-camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8
-camellia-256-ecb -camellia-256-ofb -camellia128
-camellia192 -camellia256 -cast
-cast-cbc -cast5-cbc -cast5-cfb
-cast5-ecb -cast5-ofb -des
-des-cbc -des-cfb -des-cfb1
-des-cfb8 -des-ecb -des-ede
-des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb
-des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb
-des-ofb -des3 -desx
-desx-cbc -id-aes128-GCM -id-aes192-GCM
-id-aes256-GCM -rc2 -rc2-40-cbc
-rc2-64-cbc -rc2-cbc -rc2-cfb
-rc2-ecb -rc2-ofb -rc4
-rc4-40 -rc4-hmac-md5 -seed
-seed-cbc -seed-cfb -seed-ecb
-seed-ofb
I had trouble getting it working using echo with -n. This worked for me:
To encrypt:
echo "PLAINTEXT_STRING" | openssl enc -aes256 -pbkdf2 -base64
you'll be prompted to provide a decryption password.
To decrypt:
echo "ENCRYPTED_STRING" | openssl aes-256-cbc -d -pbkdf2 -a
enter the decryption password to decrypt.