OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =head1 NAME | 3 =head1 NAME |
4 | 4 |
5 enc - symmetric cipher routines | 5 enc - symmetric cipher routines |
6 | 6 |
7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
8 | 8 |
9 B<openssl enc -ciphername> | 9 B<openssl enc -ciphername> |
10 [B<-in filename>] | 10 [B<-in filename>] |
11 [B<-out filename>] | 11 [B<-out filename>] |
12 [B<-pass arg>] | 12 [B<-pass arg>] |
13 [B<-e>] | 13 [B<-e>] |
14 [B<-d>] | 14 [B<-d>] |
15 [B<-a>] | 15 [B<-a/-base64>] |
16 [B<-A>] | 16 [B<-A>] |
17 [B<-k password>] | 17 [B<-k password>] |
18 [B<-kfile filename>] | 18 [B<-kfile filename>] |
19 [B<-K key>] | 19 [B<-K key>] |
20 [B<-iv IV>] | 20 [B<-iv IV>] |
| 21 [B<-S salt>] |
| 22 [B<-salt>] |
| 23 [B<-nosalt>] |
| 24 [B<-z>] |
| 25 [B<-md>] |
21 [B<-p>] | 26 [B<-p>] |
22 [B<-P>] | 27 [B<-P>] |
23 [B<-bufsize number>] | 28 [B<-bufsize number>] |
24 [B<-nopad>] | 29 [B<-nopad>] |
25 [B<-debug>] | 30 [B<-debug>] |
| 31 [B<-none>] |
| 32 [B<-engine id>] |
26 | 33 |
27 =head1 DESCRIPTION | 34 =head1 DESCRIPTION |
28 | 35 |
29 The symmetric cipher commands allow data to be encrypted or decrypted | 36 The symmetric cipher commands allow data to be encrypted or decrypted |
30 using various block and stream ciphers using keys based on passwords | 37 using various block and stream ciphers using keys based on passwords |
31 or explicitly provided. Base64 encoding or decoding can also be performed | 38 or explicitly provided. Base64 encoding or decoding can also be performed |
32 either by itself or in addition to the encryption or decryption. | 39 either by itself or in addition to the encryption or decryption. |
33 | 40 |
34 =head1 OPTIONS | 41 =head1 OPTIONS |
35 | 42 |
(...skipping 29 matching lines...)
65 =item B<-d> | 72 =item B<-d> |
66 | 73 |
67 decrypt the input data. | 74 decrypt the input data. |
68 | 75 |
69 =item B<-a> | 76 =item B<-a> |
70 | 77 |
71 base64 process the data. This means that if encryption is taking place | 78 base64 process the data. This means that if encryption is taking place |
72 the data is base64 encoded after encryption. If decryption is set then | 79 the data is base64 encoded after encryption. If decryption is set then |
73 the input data is base64 decoded before being decrypted. | 80 the input data is base64 decoded before being decrypted. |
74 | 81 |
| 82 =item B<-base64> |
| 83 |
| 84 same as B<-a> |
| 85 |
75 =item B<-A> | 86 =item B<-A> |
76 | 87 |
77 if the B<-a> option is set then base64 process the data on one line. | 88 if the B<-a> option is set then base64 process the data on one line. |
78 | 89 |
79 =item B<-k password> | 90 =item B<-k password> |
80 | 91 |
81 the password to derive the key from. This is for compatibility with previous | 92 the password to derive the key from. This is for compatibility with previous |
82 versions of OpenSSL. Superseded by the B<-pass> argument. | 93 versions of OpenSSL. Superseded by the B<-pass> argument. |
83 | 94 |
84 =item B<-kfile filename> | 95 =item B<-kfile filename> |
85 | 96 |
86 read the password to derive the key from the first line of B<filename>. | 97 read the password to derive the key from the first line of B<filename>. |
87 This is for compatibility with previous versions of OpenSSL. Superseded by | 98 This is for compatibility with previous versions of OpenSSL. Superseded by |
88 the B<-pass> argument. | 99 the B<-pass> argument. |
89 | 100 |
| 101 =item B<-nosalt> |
| 102 |
| 103 do not use a salt |
| 104 |
| 105 =item B<-salt> |
| 106 |
| 107 use salt (randomly generated or provide with B<-S> option) when |
| 108 encrypting (this is the default). |
| 109 |
90 =item B<-S salt> | 110 =item B<-S salt> |
91 | 111 |
92 the actual salt to use: this must be represented as a string comprised only | 112 the actual salt to use: this must be represented as a string of hex digits. |
93 of hex digits. | |
94 | 113 |
95 =item B<-K key> | 114 =item B<-K key> |
96 | 115 |
97 the actual key to use: this must be represented as a string comprised only | 116 the actual key to use: this must be represented as a string comprised only |
98 of hex digits. If only the key is specified, the IV must additionally specified | 117 of hex digits. If only the key is specified, the IV must additionally specified |
99 using the B<-iv> option. When both a key and a password are specified, the | 118 using the B<-iv> option. When both a key and a password are specified, the |
100 key given with the B<-K> option will be used and the IV generated from the | 119 key given with the B<-K> option will be used and the IV generated from the |
101 password will be taken. It probably does not make much sense to specify | 120 password will be taken. It probably does not make much sense to specify |
102 both key and password. | 121 both key and password. |
103 | 122 |
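Review bot: the new B<-salt> item (new line 107) reads "or provide with B<-S> option"; that should be "or provided with the B<-S> option". The B<-S salt> rewrite drops "comprised only", while the B<-K key> item directly below still says "a string comprised only of hex digits", so the two descriptions no longer match; pick one wording for both. The adjacent B<-K> paragraph also has "the IV must additionally specified" (new line 117), which is missing "be" and could be fixed in the same change. The new one-line items ("do not use a salt", "same as B<-a>") omit the terminal period that neighbouring items such as "decrypt the input data." carry.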
(...skipping 18 matching lines...)
122 set the buffer size for I/O | 141 set the buffer size for I/O |
123 | 142 |
124 =item B<-nopad> | 143 =item B<-nopad> |
125 | 144 |
126 disable standard block padding | 145 disable standard block padding |
127 | 146 |
128 =item B<-debug> | 147 =item B<-debug> |
129 | 148 |
130 debug the BIOs used for I/O. | 149 debug the BIOs used for I/O. |
131 | 150 |
| 151 =item B<-z> |
| 152 |
| 153 Compress or decompress clear text using zlib before encryption or after |
| 154 decryption. This option exists only if OpenSSL with compiled with zlib |
| 155 or zlib-dynamic option. |
| 156 |
| 157 =item B<-none> |
| 158 |
| 159 Use NULL cipher (no encryption or decryption of input). |
| 160 |
132 =back | 161 =back |
133 | 162 |
134 =head1 NOTES | 163 =head1 NOTES |
135 | 164 |
136 The program can be called either as B<openssl ciphername> or | 165 The program can be called either as B<openssl ciphername> or |
137 B<openssl enc -ciphername>. | 166 B<openssl enc -ciphername>. But the first form doesn't work with |
| 167 engine-provided ciphers, because this form is processed before the |
| 168 configuration file is read and any ENGINEs loaded. |
| 169 |
| 170 Engines which provide entirely new encryption algorithms (such as ccgost |
| 171 engine which provides gost89 algorithm) should be configured in the |
| 172 configuration file. Engines, specified in the command line using -engine |
| 173 options can only be used for hadrware-assisted implementations of |
| 174 ciphers, which are supported by OpenSSL core or other engine, specified |
| 175 in the configuration file. |
| 176 |
| 177 When enc command lists supported ciphers, ciphers provided by engines, |
| 178 specified in the configuration files are listed too. |
138 | 179 |
139 A password will be prompted for to derive the key and IV if necessary. | 180 A password will be prompted for to derive the key and IV if necessary. |
140 | 181 |
141 The B<-salt> option should B<ALWAYS> be used if the key is being derived | 182 The B<-salt> option should B<ALWAYS> be used if the key is being derived |
142 from a password unless you want compatibility with previous versions of | 183 from a password unless you want compatibility with previous versions of |
143 OpenSSL and SSLeay. | 184 OpenSSL and SSLeay. |
144 | 185 |
145 Without the B<-salt> option it is possible to perform efficient dictionary | 186 Without the B<-salt> option it is possible to perform efficient dictionary |
146 attacks on the password and to attack stream cipher encrypted data. The reason | 187 attacks on the password and to attack stream cipher encrypted data. The reason |
147 for this is that without the salt the same password always generates the same | 188 for this is that without the salt the same password always generates the same |
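Review bot: the unchanged NOTES paragraph at new lines 182-184 still says the B<-salt> option "should B<ALWAYS> be used", which reads as if salting were opt-in, yet this patch documents B<-salt> as the default and adds B<-nosalt>; reword the note so it warns against B<-nosalt>, keeping the compatibility exception for previous versions of OpenSSL and SSLeay. In the added text, "if OpenSSL with compiled with zlib" (new line 154) should be "was compiled with", "hadrware-assisted" (new line 173) should be "hardware-assisted", and "-engine" in that sentence should be marked up as B<-engine> like the other option names. "When enc command lists" (new line 177) wants "the B<enc> command".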
(...skipping 12 matching lines...)
160 | 201 |
161 If padding is disabled then the input data must be a multiple of the cipher | 202 If padding is disabled then the input data must be a multiple of the cipher |
162 block length. | 203 block length. |
163 | 204 |
164 All RC2 ciphers have the same key and effective key length. | 205 All RC2 ciphers have the same key and effective key length. |
165 | 206 |
166 Blowfish and RC5 algorithms use a 128 bit key. | 207 Blowfish and RC5 algorithms use a 128 bit key. |
167 | 208 |
168 =head1 SUPPORTED CIPHERS | 209 =head1 SUPPORTED CIPHERS |
169 | 210 |
| 211 Note that some of these ciphers can be disabled at compile time |
| 212 and some are available only if an appropriate engine is configured |
| 213 in the configuration file. The output of the B<enc> command run with |
| 214 unsupported options (for example B<openssl enc -help>) includes a |
| 215 list of ciphers, supported by your versesion of OpenSSL, including |
| 216 ones provided by configured engines. |
| 217 |
| 218 |
170 base64 Base 64 | 219 base64 Base 64 |
171 | 220 |
172 bf-cbc Blowfish in CBC mode | 221 bf-cbc Blowfish in CBC mode |
173 bf Alias for bf-cbc | 222 bf Alias for bf-cbc |
174 bf-cfb Blowfish in CFB mode | 223 bf-cfb Blowfish in CFB mode |
175 bf-ecb Blowfish in ECB mode | 224 bf-ecb Blowfish in ECB mode |
176 bf-ofb Blowfish in OFB mode | 225 bf-ofb Blowfish in OFB mode |
177 | 226 |
178 cast-cbc CAST in CBC mode | 227 cast-cbc CAST in CBC mode |
179 cast Alias for cast-cbc | 228 cast Alias for cast-cbc |
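Review bot: the added SUPPORTED CIPHERS paragraph tells readers to get the cipher list by running B<enc> with "unsupported options (for example B<openssl enc -help>)" (new lines 213-214), which documents an error path as the interface without saying so; state plainly that the usage message printed for an unrecognised option includes the list. "versesion" (new line 215) should be "version", the comma in "list of ciphers, supported by" should go, and the paragraph is followed by two blank lines (new lines 217-218) where one is enough.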
(...skipping 14 matching lines...)
194 des-ede-ofb Two key triple DES EDE in OFB mode | 243 des-ede-ofb Two key triple DES EDE in OFB mode |
195 | 244 |
196 des-ede3-cbc Three key triple DES EDE in CBC mode | 245 des-ede3-cbc Three key triple DES EDE in CBC mode |
197 des-ede3 Three key triple DES EDE in ECB mode | 246 des-ede3 Three key triple DES EDE in ECB mode |
198 des3 Alias for des-ede3-cbc | 247 des3 Alias for des-ede3-cbc |
199 des-ede3-cfb Three key triple DES EDE CFB mode | 248 des-ede3-cfb Three key triple DES EDE CFB mode |
200 des-ede3-ofb Three key triple DES EDE in OFB mode | 249 des-ede3-ofb Three key triple DES EDE in OFB mode |
201 | 250 |
202 desx DESX algorithm. | 251 desx DESX algorithm. |
203 | 252 |
| 253 gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) |
| 254 gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine) |
| 255 |
204 idea-cbc IDEA algorithm in CBC mode | 256 idea-cbc IDEA algorithm in CBC mode |
205 idea same as idea-cbc | 257 idea same as idea-cbc |
206 idea-cfb IDEA in CFB mode | 258 idea-cfb IDEA in CFB mode |
207 idea-ecb IDEA in ECB mode | 259 idea-ecb IDEA in ECB mode |
208 idea-ofb IDEA in OFB mode | 260 idea-ofb IDEA in OFB mode |
209 | 261 |
210 rc2-cbc 128 bit RC2 in CBC mode | 262 rc2-cbc 128 bit RC2 in CBC mode |
211 rc2 Alias for rc2-cbc | 263 rc2 Alias for rc2-cbc |
212 rc2-cfb 128 bit RC2 in CFB mode | 264 rc2-cfb 128 bit RC2 in CFB mode |
213 rc2-ecb 128 bit RC2 in ECB mode | 265 rc2-ecb 128 bit RC2 in ECB mode |
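Review bot: new line 254 has a stray backtick before the description ("gost89-cnt `GOST 28147-89 in CNT mode"); remove it so the entry renders and lines up like the gost89 entry above it. Both new entries say "provided by ccgost engine"; since the NOTES hunk explains that such engines must be set up in the configuration file, "requires the ccgost engine to be configured" would tell the reader what to do when the cipher is not found.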
(...skipping 54 matching lines...)
268 | 320 |
269 The B<-A> option when used with large files doesn't work properly. | 321 The B<-A> option when used with large files doesn't work properly. |
270 | 322 |
271 There should be an option to allow an iteration count to be included. | 323 There should be an option to allow an iteration count to be included. |
272 | 324 |
273 The B<enc> program only supports a fixed number of algorithms with | 325 The B<enc> program only supports a fixed number of algorithms with |
274 certain parameters. So if, for example, you want to use RC2 with a | 326 certain parameters. So if, for example, you want to use RC2 with a |
275 76 bit key or RC4 with an 84 bit key you can't use this program. | 327 76 bit key or RC4 with an 84 bit key you can't use this program. |
276 | 328 |
277 =cut | 329 =cut |