How do I use OpenSSL to encrypt/decrypt files?

I want to encrypt and decrypt a file using a single password.

How can I use OpenSSL to do this?

This is the top answer from Googling your question: http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/

Encrypt:

 openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc 

Decrypt:

 openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new 

But this doesn't use public key infrastructure at all, so it's a bit like hammering in a nail with a screwdriver :-)

Short answer:

You likely want to use gpg instead of openssl, so see "Additional Notes" at the end of this answer. But to answer the question using openssl:

Encrypt:

 openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data 

Decrypt:

 openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data 

Note: You will be prompted for a password when encrypting or decrypting.


Long answer:

Your best source of information for openssl enc would probably be: https://www.openssl.org/docs/apps/enc.html

Command line: openssl enc takes the following form:

 openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id] 

Explanation of the most useful parameters with regard to your question:

 -e
     Encrypt the input data: this is the default.

 -d
     Decrypt the input data.

 -k <password>
     Only use this if you want to pass the password as an argument.
     Usually you can leave this out and you will be prompted for a
     password. The password is used to derive the actual key which
     is used to encrypt your data. Using this parameter is typically
     not considered secure because your password appears in
     plain-text on the command line and will likely be recorded in
     bash history.

 -kfile <filename>
     Read the password from the first line of <filename> instead of
     from the command line as above.

 -a
     base64 process the data. This means that if encryption is taking
     place the data is base64 encoded after encryption. If decryption
     is set then the input data is base64 decoded before being
     decrypted.
     You likely DON'T need to use this. This will likely increase the
     file size for non-text data. Only use this if you need to send
     data in the form of text format via email etc.

 -salt
     To use a salt (randomly generated) when encrypting. You always
     want to use a salt while encrypting. This parameter is actually
     redundant because a salt is used whether you use this or not
     which is why it was not used in the "Short Answer" above!

 -K key
     The actual key to use: this must be represented as a string
     comprised only of hex digits. If only the key is specified, the
     IV must additionally be specified using the -iv option. When
     both a key and a password are specified, the key given with the
     -K option will be used and the IV generated from the password
     will be taken. It probably does not make much sense to specify
     both key and password.

 -iv IV
     The actual IV to use: this must be represented as a string
     comprised only of hex digits. When only the key is specified
     using the -K option, the IV must explicitly be defined. When a
     password is being specified using one of the other options, the
     IV is generated from this password.

Additional Notes:

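Although you have specifically asked about OpenSSL, you might want to consider using GPG instead for encryption, based on this article: "OpenSSL vs GPG for encrypting off-site backups?"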

To use GPG to do the same, you would use the following commands:

Encrypt:

 gpg --output encrypted.data --symmetric --cipher-algo AES256 un_encrypted.data 

Decrypt:

 gpg --output un_encrypted.data --decrypt encrypted.data 

Note: You will be prompted for a password when encrypting or decrypting.

Encrypt:

 openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey 

Decrypt:

 openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey 

For details, see the openssl(1) documentation.

Encrypt:

 $ openssl bf < arquivo.txt > arquivo.txt.bf 

Decrypt:

 $ openssl bf -d < arquivo.txt.bf > arquivo.txt 

bf === Blowfish in CBC mode

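There is an open source program that I found online; it uses openssl to encrypt and decrypt files. It does this with a single password. The great thing about this open source script is that it deletes the original unencrypted file by shredding it. But the dangerous thing is that once the original file is gone, you have to make sure you remember your password, otherwise you cannot decrypt your file.

Here is the link on GitHub: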

https://github.com/EgbieAnderson1/linux_file_encryptor/blob/master/file_encrypt.py

Update using a randomly generated public key.

Encrypt:

 openssl enc -aes-256-cbc -a -salt -in {raw data} -out {encrypted data} -pass file:{random key} 

Decrypt:

 openssl enc -d -aes-256-cbc -a -in {ciphered data} -out {raw data} -pass file:{random key} 

I have a complete tutorial on this at http://bigthinkingapplied.com/key-based-encryption-using-openssl/

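Note that the OpenSSL CLI uses a weak non-standard algorithm to convert the passphrase to a key, and installing GPG results in various files being added to your home directory and a gpg-agent background process running. If you want maximum portability and control with existing tools, you can use PHP or Python to access the lower-level APIs and directly pass in a full AES key and IV.

Example PHP invocation via Bash: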

 IV='c2FtcGxlLWFlcy1pdjEyMw=='
 KEY='Twsn8eh2w2HbVCF5zKArlY+Mv5ZwVyaGlk5QkeoSlmc='
 INPUT=123456789023456

 ENCRYPTED=$(php -r "print(openssl_encrypt('$INPUT','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
 echo '$ENCRYPTED='$ENCRYPTED
 DECRYPTED=$(php -r "print(openssl_decrypt('$ENCRYPTED','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
 echo '$DECRYPTED='$DECRYPTED

This outputs:

 $ENCRYPTED=nzRi252dayEsGXZOTPXW
 $DECRYPTED=123456789023456

You could also use PHP's openssl_pbkdf2 function to securely convert a passphrase to a key.
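
Added example, not part of any answer above: the last answer's point about how the OpenSSL CLI turns a password into a key, shown in Python with the standard library only. It reads the `Salted__` header that `openssl enc` writes, reproduces the single-iteration EVP_BytesToKey derivation, and derives a PBKDF2 key from the same salt for comparison; the function names, the constructed sample blob, the iteration count and the key/IV split of the PBKDF2 output are assumptions of this example.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # marker `openssl enc` writes, followed by an 8-byte salt


def parse_salted(blob: bytes):
    """Split `openssl enc` output (raw, or base64 from -a) into (salt, ciphertext)."""
    if not blob.startswith(MAGIC):
        try:  # -a output is base64 wrapped in lines; strip whitespace first
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except ValueError:
            raise ValueError("not raw or base64 openssl enc output") from None
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("no 'Salted__' header (made with -nosalt or -K/-iv?)")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, digest="sha256", key_len=32, iv_len=16):
    """Legacy derivation: chained digests with ONE iteration, so guesses are cheap.

    digest is "md5" for OpenSSL before 1.1.0 and "sha256" from 1.1.0 on.
    """
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key(password, salt, iterations=600_000, key_len=32, iv_len=16):
    """PBKDF2-HMAC-SHA256; the iteration count is this example's choice."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


if __name__ == "__main__":
    # Constructed sample: header + fixed salt + 16 placeholder ciphertext bytes.
    sample = base64.encodebytes(MAGIC + bytes(range(8)) + b"\x00" * 16)
    salt, body = parse_salted(sample)
    for name, fn in (("EVP_BytesToKey", evp_bytes_to_key), ("PBKDF2", pbkdf2_key)):
        key, iv = fn(b"example-password", salt)
        print(f"{name:15} key={key.hex()} iv={iv.hex()}")
```

With SHA-256 and a 32-byte key, the legacy key is a single hash of password plus salt, which is why the answer calls the derivation weak.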