1 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
4 .\" ========================================================================
5 .de Sh \" Subsection heading
13 .de Sp \" Vertical space (when we can't use .PP)
17 .de Vb \" Begin verbatim text
22 .de Ve \" End verbatim text
26 .\" Set up some character translations and predefined strings. \*(-- will
27 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28 .\" double quote, and \*(R" will give a right double quote. | will give a
29 .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30 .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31 .\" expand to `' in nroff, nothing in troff, for use with C<>.
33 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
37 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
51 .\" If the F register is turned on, we'll generate index entries on stderr for
52 .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53 .\" entries marked with X<> in POD. Of course, you'll have to process the
54 .\" output yourself in some meaningful fashion.
57 . tm Index:\\$1\t\\n%\t"\\$2"
63 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
64 .\" way too many mistakes in technical documents.
68 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69 .\" Fear. Run. Save yourself. No user-serviceable parts.
70 . \" fudge factors for nroff and troff
79 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
85 . \" simple accents for nroff and troff
95 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
102 . \" troff and (daisy-wheel) nroff accents
103 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110 .ds ae a\h'-(\w'a'u*4/10)'e
111 .ds Ae A\h'-(\w'A'u*4/10)'E
112 . \" corrections for vroff
113 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115 . \" for low resolution devices (crt and lpr)
116 .if \n(.H>23 .if \n(.V>19 \
129 .\" ========================================================================
132 .TH ENC 1 "2006-11-19" "0.9.8d" "OpenSSL"
134 enc \- symmetric cipher routines
136 .IX Header "SYNOPSIS"
137 \&\fBopenssl enc \-ciphername\fR
138 [\fB\-in filename\fR]
139 [\fB\-out filename\fR]
146 [\fB\-kfile filename\fR]
148 [\fB\-iv \s-1IV\s0\fR]
151 [\fB\-bufsize number\fR]
155 .IX Header "DESCRIPTION"
156 The symmetric cipher commands allow data to be encrypted or decrypted
157 using various block and stream ciphers using keys based on passwords
158 or explicitly provided. Base64 encoding or decoding can also be performed
159 either by itself or in addition to the encryption or decryption.
162 .IP "\fB\-in filename\fR" 4
163 .IX Item "-in filename"
164 the input filename, standard input by default.
165 .IP "\fB\-out filename\fR" 4
166 .IX Item "-out filename"
167 the output filename, standard output by default.
168 .IP "\fB\-pass arg\fR" 4
170 the password source. For more information about the format of \fBarg\fR
171 see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
174 use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
175 be used unless compatibility with previous versions of OpenSSL or SSLeay
176 is required. This option is only present on OpenSSL versions 0.9.5 or
178 .IP "\fB\-nosalt\fR" 4
180 don't use a salt in the key derivation routines. This is the default for
181 compatibility with previous versions of OpenSSL and SSLeay.
184 encrypt the input data: this is the default.
187 decrypt the input data.
190 base64 process the data. This means that if encryption is taking place
191 the data is base64 encoded after encryption. If decryption is set then
192 the input data is base64 decoded before being decrypted.
195 if the \fB\-a\fR option is set then base64 process the data on one line.
196 .IP "\fB\-k password\fR" 4
197 .IX Item "-k password"
198 the password to derive the key from. This is for compatibility with previous
199 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
200 .IP "\fB\-kfile filename\fR" 4
201 .IX Item "-kfile filename"
202 read the password to derive the key from the first line of \fBfilename\fR.
203 This is for compatibility with previous versions of OpenSSL. Superseded by
204 the \fB\-pass\fR argument.
205 .IP "\fB\-S salt\fR" 4
207 the actual salt to use: this must be represented as a string comprised only
209 .IP "\fB\-K key\fR" 4
211 the actual key to use: this must be represented as a string comprised only
212 of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
213 using the \fB\-iv\fR option. When both a key and a password are specified, the
214 key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
215 password will be taken. It probably does not make much sense to specify
216 both key and password.
217 .IP "\fB\-iv \s-1IV\s0\fR" 4
219 the actual \s-1IV\s0 to use: this must be represented as a string comprised only
220 of hex digits. When only the key is specified using the \fB\-K\fR option, the
221 \&\s-1IV\s0 must explicitly be defined. When a password is being specified using
222 one of the other options, the \s-1IV\s0 is generated from this password.
225 print out the key and \s-1IV\s0 used.
228 print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
230 .IP "\fB\-bufsize number\fR" 4
231 .IX Item "-bufsize number"
232 set the buffer size for I/O
233 .IP "\fB\-nopad\fR" 4
235 disable standard block padding
236 .IP "\fB\-debug\fR" 4
238 debug the BIOs used for I/O.
241 The program can be called either as \fBopenssl ciphername\fR or
242 \&\fBopenssl enc \-ciphername\fR.
244 A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
246 The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
247 from a password unless you want compatibility with previous versions of
250 Without the \fB\-salt\fR option it is possible to perform efficient dictionary
251 attacks on the password and to attack stream cipher encrypted data. The reason
252 for this is that without the salt the same password always generates the same
253 encryption key. When the salt is being used the first eight bytes of the
254 encrypted data are reserved for the salt: it is generated at random when
255 encrypting a file and read from the encrypted file when it is decrypted.
257 Some of the ciphers do not have large keys and others have security
258 implications if not used correctly. A beginner is advised to just use
259 a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
261 All the block ciphers normally use PKCS#5 padding also known as standard block
262 padding: this allows a rudimentary integrity or password check to be
263 performed. However since the chance of random data passing the test is
264 better than 1 in 256 it isn't a very good test.
266 If padding is disabled then the input data must be a multiple of the cipher
269 All \s-1RC2\s0 ciphers have the same key and effective key length.
271 Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
272 .SH "SUPPORTED CIPHERS"
273 .IX Header "SUPPORTED CIPHERS"
279 \& bf-cbc Blowfish in CBC mode
280 \& bf Alias for bf-cbc
281 \& bf-cfb Blowfish in CFB mode
282 \& bf-ecb Blowfish in ECB mode
283 \& bf-ofb Blowfish in OFB mode
287 \& cast-cbc CAST in CBC mode
288 \& cast Alias for cast-cbc
289 \& cast5-cbc CAST5 in CBC mode
290 \& cast5-cfb CAST5 in CFB mode
291 \& cast5-ecb CAST5 in ECB mode
292 \& cast5-ofb CAST5 in OFB mode
296 \& des-cbc DES in CBC mode
297 \& des Alias for des-cbc
298 \& des-cfb DES in CBC mode
299 \& des-ofb DES in OFB mode
300 \& des-ecb DES in ECB mode
304 \& des-ede-cbc Two key triple DES EDE in CBC mode
305 \& des-ede Two key triple DES EDE in ECB mode
306 \& des-ede-cfb Two key triple DES EDE in CFB mode
307 \& des-ede-ofb Two key triple DES EDE in OFB mode
311 \& des-ede3-cbc Three key triple DES EDE in CBC mode
312 \& des-ede3 Three key triple DES EDE in ECB mode
313 \& des3 Alias for des-ede3-cbc
314 \& des-ede3-cfb Three key triple DES EDE CFB mode
315 \& des-ede3-ofb Three key triple DES EDE in OFB mode
319 \& desx DESX algorithm.
323 \& idea-cbc IDEA algorithm in CBC mode
324 \& idea same as idea-cbc
325 \& idea-cfb IDEA in CFB mode
326 \& idea-ecb IDEA in ECB mode
327 \& idea-ofb IDEA in OFB mode
331 \& rc2-cbc 128 bit RC2 in CBC mode
332 \& rc2 Alias for rc2-cbc
333 \& rc2-cfb 128 bit RC2 in CFB mode
334 \& rc2-ecb 128 bit RC2 in ECB mode
335 \& rc2-ofb 128 bit RC2 in OFB mode
336 \& rc2-64-cbc 64 bit RC2 in CBC mode
337 \& rc2-40-cbc 40 bit RC2 in CBC mode
347 \& rc5-cbc RC5 cipher in CBC mode
348 \& rc5 Alias for rc5-cbc
349 \& rc5-cfb RC5 cipher in CFB mode
350 \& rc5-ecb RC5 cipher in ECB mode
351 \& rc5-ofb RC5 cipher in OFB mode
354 .IX Header "EXAMPLES"
355 Just base64 encode a binary file:
358 \& openssl base64 -in file.bin -out file.b64
364 \& openssl base64 -d -in file.b64 -out file.bin
367 Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
370 \& openssl des3 -salt -in file.txt -out file.des3
373 Decrypt a file using a supplied password:
376 \& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
379 Encrypt a file then base64 encode it (so it can be sent via mail for example)
380 using Blowfish in \s-1CBC\s0 mode:
383 \& openssl bf -a -salt -in file.txt -out file.bf
386 Base64 decode a file then decrypt it:
389 \& openssl bf -d -salt -a -in file.bf -out file.txt
392 Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
395 \& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
399 The \fB\-A\fR option when used with large files doesn't work properly.
401 There should be an option to allow an iteration count to be included.
403 The \fBenc\fR program only supports a fixed number of algorithms with
404 certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
405 76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.