How to encrypt file using OpenSSL and AES-256 with SHA-256?

linux encryption openssl digest

9,109

I found out by accident, here, that for openssl version 1.1.0:

-md digest
    Use the specified digest to create the key from the passphrase. The default algorithm is sha-256.

So, there is no point of specifying the message digest algorithm for the newer version of openssl as it already uses SHA-256.

But since on my system there is openssl version 1.0.2g, I dug further and found out, here, that:

... In OpenSSL 1.1.0 we changed from MD5 to SHA-256 ...

Essentially, this means, my openssl will by default use the old and obsolete MD5.

Luckily, this can be changed to SHA-256 with openssl version 1.0.2g:

openssl enc -aes-256-cbc -md sha256 -salt -in somefile -out somefile.enc

If you have an older openssl version than me, you might want to try -md sha1, if the above fails.

9,109

LinuxSecurityFreak

I am passionate about Linux systems. And a true IT nerd. 🖥️

Updated on September 18, 2022

Comments

LinuxSecurityFreak over 1 year
System: Linux Mint 18.3 Cinnamon 64-bit.

OpenSSL: 1.0.2g

Ordinarily, I would encrypt a file as follows:
```
openssl enc -aes-256-cbc -salt -in somefile -out somefile.enc
```
But I wonder what algorithm will be used to hash my password and if I can change it?
- dave_thompson_085 over 6 years
  
  Dupe superuser.com/questions/455463/… except that was out of date until just now; for full details see crypto.stackexchange.com/questions/3298/… . Note that any single hash is a bad PBKDF; SHA-256 is not noticeably better than MD5. And -salt has been the default for over a decade, nearly two.
- user1686 over 6 years
  
  @dave_thompson_085: OpenSSL does use a KDF instead of simple hash, although it still seems to be homegrown and rather weak (see EVP_BytesToKey).
- dave_thompson_085 over 6 years
  
  @grawity my answer to the crypto Q I linked explains this in detail. EVP_BytesToKey is a tweak of PBKDF1 from PKCS5, but commandline enc uses EVP_BytesToKey with iteration count 1 so it does only a single hash per output block, it does NOT actually iterate as PBKDF should. The bear agrees: security.stackexchange.com/questions/29106/…
- Xen2050 over 6 years
  
  Vlastimil: You're not using this for bulletproof security, are you? Consider GPG/PGP instead, it should still stump the biggest players. @dave_thompson_085 They're still only iterating once? Yowza. Moving away from MD5 is a baby step at least. Do they track the hash & encryption used, or you still have to remember yourself too? (I've quoted the bear too ;-)
anthony over 3 years

With all the changes to openssl (digest, and the new recommended pbkdf2 password hashing (which has been LONG overdue), it is now nessary to save more information (metadata) with encrypted files, so that you know how that specific encrypted file was actually encrypted. This is especially important as the default iteration count (10000) is woefully inadequate. As such you may like to look at a script that wrappers around "openssl enc" to save and re-read this metadata with the encrypted file. See antofthy.gitlab.io/software/#keepout