How to use password argument in via command line to openssl for decryption
Solution 1
The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.
Here's how to do it:
openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword
Notice that the command line command syntax is always -pass
followed by a space and then the type of passphrase you're providing, i.e. pass:
for plain passphrase and then the actual passphrase after the colon with no space.
Additionally the documentation specifies you can provide other passphrase sources by doing the following:
env:somevar
to get the password from an environment variablefile:somepathname
to get the password from the first line of the file at locationpathname
fd:number
to get the password from the file descriptor number.stdin
to read from standard input
Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)
With OpenSSL 1.0.1e the parameter to use is -passin
or -passout
. So this example would be:
openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword
Solution 2
I used -passin
and -passout
to set passwords to both files in example:
openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321
where 123
and 321
are password
Solution 3
At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16
In this version the parameter to use is -k
Example:
openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword
Related videos on Youtube
David Sulpy
Updated on September 18, 2022Comments
-
David Sulpy over 1 year
So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.
Here's what I'm trying to do
openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d
This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding
-pass:somepassword
and-pass somepassword
both with and without quotes to no avail.I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.
note: I'm using openssl version 0.9.8y
-
dtmland almost 7 yearsWhat's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!
-
dave_thompson_085 almost 7 yearsNote that the documentation for password options applying to most
openssl
commands (not justenc
) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; otheropenssl
commands likersa dsa ec pkey pkcs8 pkcs12 req ca
do use those but in every version I've seen including 1.0.1e built directly from upstream sourceenc
uses-pass
or-k -kfile
as documented (on theenc
manpage). -
sibaz over 6 yearsin your example, -k is an option available to the openssl 'enc' command (try
man enc
) it is not a general option. If you look atman openssl
you'll see under the 'Pass Phrase Options' heading, what the general options are;pass:password
,env:var
,file:pathname
,fd:number
orstdin
, as mentioned in an earlier response. -
frakman1 about 6 yearsHow about the
openssl dgst
command? How do you enter the passphrase for that at the command line? -
drmad about 6 yearsbtw
-passin
is used to provide a password for the input certificate, and-passout
is for the new generated certificate