Some useful OpenSSL command

Notice

I wrote this article and was originally published on Qiita on 4 March 2023.

---

OpenSSL is a swiss army knife of cryptography.

Help

# show option of enc command
$ openssl enc help
Usage: enc [options]
Valid options are:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -in infile          Input file
 -out outfile        Output file
 -pass val           Passphrase source
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -v                  Verbose output
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line
 -bufsize val        Buffer size
 -k val              Passphrase
 -kfile infile       Read passphrase from file
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -engine val         Use engine, possibly a hardware device

Generate symantec key

# generates 16 bytes (128 bits) key in binary format
$ openssl rand 16

# in hex format
$ openssl rand -hex 16
88cdbf1e106334f1bca57f730758abad

# encoded by BASE64 
$ openssl rand -base64 16
tMa1eyjIZw3g3M0dhPC87A==

# show hex format of the binary key saved in a file
$ xxd -ps symantec.key
88cdbf1e106334f1bca57f730758abad

Encode/decode file by AES

Assume using aes-128-cbc algorithm (128 bits key), with 128 bits initialization vector and no salt. Padding algorithm is PKCS#5.

# encode, -K is key in hex format, -iv is initialization vector in hex format
$ openssl enc -e -aes-128-cbc -K abcdef01234567890123456789abcdef -iv 0123456789abcdef0123456789abcdef -nosalt -in file.txt -out file.txt.encode

# decode
$ openssl enc -d -aes-128-cbc -K abcdef01234567890123456789abcdef -iv 0123456789abcdef0123456789abcdef -nosalt -in file.txt.encode -out file.txt

Establish HTTPS connection

$ openssl s_client -connect www.google.com:443