https://wiki.openssl.org/index.php/Command_Line_Utilities
Base64 Encoding Strings
For simple string encoding, you can use "here string" syntax with the base64 command as below. Intuitively, the -e flag specifies the action to be encoding.
$ openssl base64 -e <<< 'Welcome to openssl wiki'
V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK
Similarly, the base64 command's -d flag may be used to indicate decoding mode.
$ openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK'
Welcome to openssl wiki
Note: base64 line length is limited to 76 characters by default in openssl (and generated with 64 characters per line).
openssl base64 -e <<< 'Welcome to openssl wiki with a very long line that splits...'
V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRo
YXQgc3BsaXRzLi4uCg==
openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg=='
=> NOTHING!
To be able to decode a base64 line without line feeds that exceeds the default 76 character length restriction use the -A option.
openssl base64 -d -A <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg=='
Welcome to openssl wiki with a very long line that splits...
It is recommended to actually split base64 strings into multiple lines of 64 characters, however, since the -A option is buggy, particularly with its handling of long files.
Generating a File Hash
One of the most basic uses of the dgst command (short for digest) is viewing the hash of a given file. To do this, simply invoke the command with the specified digest algorithm to use. For this example, I will be hashing an arbitrary file on my system using the MD5, SHA1, and SHA384 algorithms.
$ openssl dgst -md5 primes.dat
MD5(primes.dat)= 7710839bb87d2c4c15a86c2b2c805664
$ openssl dgst -sha1 primes.dat
SHA1(primes.dat)= 5dfab70ce825591689f4a3f65910870a9022cd32
$ openssl dgst -sha384 primes.dat
SHA384(primes.dat)= 41399bdffe6850f5a44852d967f3db415654f20dc2eb6cd231772f6ea411876d85d44091ebbc6b1f4ce8673e64617271
For a list of the available digest algorithms, you can use the following command.
$ openssl list -digest-algorithms
RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-MDC2 => MDC2
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
...
You can also use a similar command to see the available digest commands:
$ openssl list -digest-commands
blake2b512 blake2s256 gost md4
md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Below are three sample invocations of the md5, sha1, and sha384 digest commands using the same file as the dgst command invocation above.
$ openssl md5 primes.dat
MD5(primes.dat)= 7710839bb87d2c4c15a86c2b2c805664
$ openssl sha1 primes.dat
SHA1(primes.dat)= 5dfab70ce825591689f4a3f65910870a9022cd32
$ openssl sha384 primes.dat
SHA384(primes.dat)= 41399bdffe6850f5a44852d967f3db415654f20dc2eb6cd231772f6ea411876d85d44091ebbc6b1f4ce8673e64617271
File Encryption and Decryption
The following example demonstrates a simple file encryption and decryption using the enc command.
The first argument is the cipher algorithm to use for encrypting the file.
For this example I carefully selected the AES-256 algorithm in CBC Mode by looking up the available ciphers and picking out the first one I saw.
To see the list of available ciphers, you can use the following command.
$ openssl enc -ciphers
Supported ciphers:
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-ofb -aes-192-cbc -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
...
You can also use the following command:
$ openssl list -cipher-algorithms
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
id-aes128-CCM
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
...
Having selected an encryption algorithm,
you must then specify whether the action you are taking is either encryption or decryption via the -e or -d flags, respectively.
The -iter flag specifies the number of iterations on the password used for deriving the encryption key. A higher iteration count increases the time required to brute-force the resulting file. Using this option implies enabling use of the Password-Based Key Derivation Function 2, usually set using the -pbkdf2 flag. We then use the -salt flag to enable the use of a randomly generated salt in the key-derivation function.
Putting it all together, you can see the command to encrypt a file and the corresponding output below. Note that the passwords entered by the user are blank, just as they would usually be in a terminal session.
$ openssl enc -aes-256-cbc -e -iter 1000 -salt -in primes.dat -out primes.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
The analogous decryption command is as follows:
$ openssl enc -aes-256-cbc -d -iter 1000 -in primes.enc -out primes.dec
enter aes-256-cbc decryption password: