After my previous article 7 Practical uses of Openssl I have received many comments and suggestions of other possible uses of this excellent program.
With this article, I'll show you other uses of the openssl command from the command line.
You can use openssl to encrypt files. To view the list of available ciphers, use
You’ll get an output like this
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
Once you've chosen a cipher to use, you can encrypt the file using the following command:
openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc
You'll be prompted for a password twice, and after that you'll get your encrypted file. In this example the file foo.txt was encrypted using 256-bit AES in CBC mode, with the encrypted copy saved as foo.enc. Looking at the contents of that file shows only gibberish. Decrypting the file is done using the -d option; however, keep in mind that not only do you need to remember the password, you also need to know which cipher was used.
openssl enc -d -aes-256-cbc -in foo.enc
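To see how the password and cipher choice play out in practice, here is an added example (not part of the original article) that round-trips a constructed file through `openssl enc` non-interactively. It uses `-pass pass:...` only so it can run unattended, and adds `-pbkdf2` so the key is derived properly instead of with the legacy scheme.

```shell
# Added example, not from the original article: round-trip a file through
# `openssl enc` and show why cipher and KDF settings must be kept with it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample plaintext, standing in for foo.txt from the article.
printf 'constructed secret message\n' > "$WORK/foo.txt"

# Encrypt with AES-256-CBC, a random salt and PBKDF2 key stretching.
# Without -pbkdf2 openssl uses the legacy single-pass EVP_BytesToKey
# derivation, which current releases flag as deprecated.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt: -d plus exactly the same cipher and KDF options.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# Succeeds when decryption recovers the original bytes.
roundtrip_ok() {
  encrypt_file "$WORK/foo.txt" "$WORK/foo.enc" "$1"
  decrypt_file "$WORK/foo.enc" "$WORK/foo.dec" "$1"
  cmp -s "$WORK/foo.txt" "$WORK/foo.dec"
}

# Succeeds when a wrong password does not yield the plaintext; openssl
# normally reports "bad decrypt" (CBC padding check) and exits non-zero.
wrong_password_rejected() {
  encrypt_file "$WORK/foo.txt" "$WORK/foo.enc" "$1"
  decrypt_file "$WORK/foo.enc" "$WORK/bad.dec" "not-$1" 2>/dev/null || true
  ! cmp -s "$WORK/foo.txt" "$WORK/bad.dec" 2>/dev/null
}

# Right password, wrong cipher: different key and IV, so still unreadable.
wrong_cipher_rejected() {
  encrypt_file "$WORK/foo.txt" "$WORK/foo.enc" "$1"
  openssl enc -d -aes-128-cbc -pbkdf2 -iter 100000 -in "$WORK/foo.enc" \
    -out "$WORK/bad.dec" -pass "pass:$1" 2>/dev/null || true
  ! cmp -s "$WORK/foo.txt" "$WORK/bad.dec" 2>/dev/null
}

roundtrip_ok "correct horse" && echo "round trip OK"
wrong_password_rejected "correct horse" && echo "wrong password rejected"
wrong_cipher_rejected "correct horse" && echo "wrong cipher rejected"
```

Requires an openssl that supports `-pbkdf2` (1.1.1 or later).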
If you work with raw email, it can be useful to encode and decode with Base64. Base64 is an encoding rather than encryption, but for openssl it is just another cipher name, so you can use:
# send encoded contents of file.txt to stdout
openssl enc -base64 -in file.txt
# same, but write contents to file.txt.enc
openssl enc -base64 -in file.txt -out file.txt.enc
Interpret SSL error messages
Sometimes you will see SSL error messages from other programs (http, ldap, ssh); you can use openssl to get a better understanding of what they mean.
sshd: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
The first step to figure out what's going wrong is to use the errstr option to interpret the error code. The code number is found between "error:" and ":lib". In this case, it's 0407006A.
$ openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Current cryptographic techniques rely heavily on the generation and testing of prime numbers, so it’s no surprise that the OpenSSL libraries contain several routines dealing with primes. Beginning with version 0.9.7e (or so), the prime option was added to the openssl binary.
To test whether a number is prime, just pass the number after the prime option. openssl echoes the number in hex and states whether or not it is prime:
$ openssl prime 12123211
B8FC4B is prime
$ openssl prime 121232111
739DAEF is not prime