DEV Community

Cover image for AES Encryption in Linux
Ashutosh Kumar
Ashutosh Kumar

Posted on

AES Encryption in Linux

Ever felt the need of hiding stuff from the world. In this article, I'll show you how you can encrypt and decrypt your data using the AES Encryption technique. We'll use the openssl command for this purpose.

What is Symmetric Encryption?

Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt data. By using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it.

What is Advanced Encryption Standard (AES)?

Advanced Encryption Standard (also known as Rijndael), is one of the best symmetric encryption algorithm. AES is a block encryption algorithm and thus supports five modes which are as follows:

  1. ECB mode: Electronic Code Book mode
  2. CBC mode: Cipher Block Chaining mode
  3. CFB mode: Cipher Feedback mode
  4. OFB mode: Output Feedback mode
  5. CTR mode: Counter mode

In this article, we will encrypt our data using CBC mode. ECB is generally not preferred as it is not secure. The command-line tool that we will use is openssl.

What is OpenSSL

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL supports many different cryptographic operations, such as symmetric key encryption, public/private key pair generation, public-key encryption, hash functions, digital signatures, etc.

openssl comes pre-installed in most Linux distributions. If it is not pre-installed then you can install it using your Linux package manager.

Encrypting a file

The following command is used to encrypt a file:

openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

After the execution of the command, it will ask you for setting the passphrase (secret key). Without the passphrase, nobody in this world can decrypt your file because brute-forcing AES is very difficult.

Let's learn about the different options that we provided.

  • openssl is the command-line tool that we are using.

  • enc is used to specify the cipher name

  • -aes-256-cbc is the cipher name along with the mode of operation which is CBC(Cipher Block Chaining mode)

  • -md sha512 specifies which digest to use for the generation of the key from the passphrase. The default value from version 1.1.0 is SHA256. Before version 1.1.0 MD5 was the default digest.

  • -pbkdf2 specifies to use PBKDF2 (Password-Based Key Derivation Function 2) algorithm

  • -iter 250000 is overriding the default count of iterations for the password. High values increase the time required to brute-force the resulting file. This option enables the use of the PBKDF2 algorithm to derive the key.

  • -salt Use salt in Key Derivation Function(KDF). This is the default behaviour and thus this option is not required.

Decrypting a file

Use the same command but add -d option to it. The command is as follows:

openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Encrypting and Decrypting Multiple Files

The above command works only on a single file thus to encrypt and decrypt multiple files you can first convert it into a tar file (you can even compress it) and then apply the same command.

My Personal Preference

I also use the same command but I also add -a and -A options to my command. -a is used for Base64 encode/decode and -A is used with -a to specify base64 buffer as a single line.

Thus the command I use for encryption and decryption is:

Encryption

openssl enc -aes-256-cbc -a -A -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Decryption

openssl enc -aes-256-cbc -a -A -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath

Fun Fact

This is the same encryption algorithm that was used by Elliot Alderson in the TV series Mr Robot to encrypt data.

References

Unix Stackexchange

I hope this article helped you learn about using AES encryption.

Questions, suggestions, a word of thanks is always encouraged.

Discussion (5)

Collapse
alfiosalanitri profile image
alfiosalanitri

Great post. Thanks!
But if you're encrypting to send to someone else then I believe PGP is preferable because you never have to share the secret key
(security.stackexchange.com/a/196913)

Collapse
blastoise profile image
Ashutosh Kumar Author

Yes, that's true.

Collapse
assunluis80 profile image
Luís Assunção

Is exactly the same command used to encrypt and decrypt data?

Collapse
blastoise profile image
Ashutosh Kumar Author

No, if you see carefully the command for decrypting the data has a -d option in it.

Collapse
akshaw profile image
Ayush Kumar Shaw

This was a truly informative read. I liked the explaination of the various flags of your preferred way to use openssl.

Looking forward for more.