DEV Community

Cover image for How to encrypt files with AES using OpenSSL
Pedro Aravena for Vaultree

Posted on


How to encrypt files with AES using OpenSSL

In this article, we will discuss OpenSSL, why to use it ,and most importantly, how to use it. But, before we start: what is OpenSSL?


Image description
Source: OpenSSL

OpenSSL is a program and library that supports lots of different cryptographic operations, some of which are:
Public/private key pair generation, Hash functions, Public key encryption, Symmetric key encryption, Digital signatures, Certificate creation and so on. Each of the operations supported by OpenSSL has a lot of options and functionalities, such as input/output files, algorithm parameters and formats. The OpenSSL implements the TLS / SSL protocols natively in systems and websites. The company has been developing the technology for over 20 years and is widely used by giants in the software industry such as Google and Amazon.

What is AES?

Image description
Source: The SSL Store

AES — Advanced Encryption Standard (also known as Rijndael), is a cryptographic primitive intended to compose symmetric encryption (Symmetric Encryption and Asymmetric, read more here) and decryption systems. Basically, the AES is a symmetric-key algorithm, which means it uses the same key during encryption/decryption.

AES cryptography works as a block cipher, that is, it operates on blocks of fixed size (128 bits, or 16 bytes). Like all block ciphers, it can be transformed into a stream cipher (to operate on data of arbitrary size) via one mode of operation, but that is not the case here. It can work with 128, 192 or 256-bit keys (the Rijndael algorithm, which gave rise to AES, allows for more key sizes).

Now that we already know what AES is and how it initially works, let's access its functionalities through OpenSSL in our terminal. The list of supported ciphers can be viewed using the following command:

openssl list-cipher-commands

Image description
Part of the algorithms in the list

Here I am choosing -aes-26-cbc
The symmetric key encryption is performed using the enc operation of OpenSSL.
The method we are going to use is going to specify the password while giving a command. First, I created a folder on my Desktop named “open-ssl”, where I put the file which I will encrypt (an image file) “vaultree.jpeg”.

Image description

Let's encrypt our image

As we can see in the screenshot above, the folder “open_ssl” has only one image file which we are going to encrypt. And for this purpose, we use the command below:

openssl enc -aes-256-cbc -pass pass:pedroaravena -p -in vaultree.jpeg -out file.enc

Image description

Our image is now encrypted and we received the salt, key and IV values.
Now, in our open-ssl folder we have the image and the encrypted one. The encrypted one receives the name "enc.file".

Image description


Image description

We used lots of commands to encrypt the file. But, what does each one of them mean? Here's a list with an explanation of each part of the command:

-aes-256-cbc: the cipher name (symmetric cipher : AES; block to stream conversion: CBC(cipher block chaining))
-pass pass: — to assign the password (here password is pedroaravena)
-P: Print out the salt, key and IV used.
-in file: input file /input file absolute path (in our example: vaultree.jpeg)
-out file: output file /output file absolute path (here file.enc)

Let’s Decrypt the encrypted image

openssl enc -aes-256-cbc -pass pass:pedroaravena -d -in file.enc -out vaultree_new.jpeg -P

Image description

After the decryption process, we now see a new image named “vaultree_new.jpeg” in the same folder.

Again, let's understand exactly the codes we used in our command:

-d : Is used to decrypt the input data.
-in file: input file an absolute path (file.enc in our case)
-out file: output file an absolute path (vaultree_new.jpeg in our example)
-P: Print out the salt, key and IV used (just like the information we received before).

Pay attention to the line breaks

While working with AES encryption you face a situation where the encoder produces base 64 encoded data with or without line breaks. To solve this possible problem, you simply add -A to your command line. So it should look like this:

openssl enc -aes-256-cbc -pass pass:pedroaravena -d -A -in file.enc -out vaultree_new.jpeg -p

-A: base64 encode/decode, depending on the encryption flag.
openssl enc --help: for more details and options (for example, some other cipher names, how to specify a salt etc).

Now, let’s do it without specifying a password flag

Image description

With the following command for the encryption process:

openssl enc -aes-256-cbc -p -in vaultree.jpeg -out file.enc

It will prompt you to enter a password and verify it.

Following command for decrypt

openssl enc -aes-256-cbc -d -A -in file.enc -out vaultree_new.jpeg -p

Here it will ask the password which we gave while we encrypt.

-nosalt is to not add default salt. In most cases, salt default is on. You can specify it using -Salt.

You can also specify the salt value with the -S flag. If you provide the salt value, then you become responsible for generating proper salts, trying to make them as unique as possible (You have to produce them randomly). We strongly suggest you let openssl handle that.

When the salt is being used, the first eight bytes of the encrypted data are reserved for the salt, it is generated randomly when encrypting a file and read from the encrypted file when it is decrypted.
So if you open that file.enc in a text editor you should see something like this:

Image description


Image description

Pretty cool, huh? Encrypting files using OpenSSL (Learn more about it here), but, what if you want to encrypt a whole database? And not only that, let's suppose you want to encrypt a whole database and still do computations and manipulate encrypted data?!

Image description

Vaultree has developed the technology to encrypt databases and the AES cipher is only one cipher among the several ciphers we support in our SDK. Vaultree's SDK allows you to pick your cipher: AES, DES, 3DES (TripleDES), Blowfish, Twofish, Skipjack, and more, with user-selectable key size: you literally choose what encryption standard fits your needs best.

Our SDK integrates with databases and encrypts all of the data in a fully functional way, from search to arithmetic operations, you choose what you want to do with your data with no need to disclose it. The fully encrypted SQL transacts with the database in a zero-trust environment.

Vaultree has developed the world’s first fully functional data-in-use encryption solution that solves the industry’s fundamental security issue: persistent data encryption, even in the event of a leak. Wanna know more about the database encryption revolution we are building right now? Request a free demo with us. =D


About Vaultree

Vaultree’s Encryption-in-use enables businesses of all sizes to process (search and compute) fully end-to-end encrypted data without the need to decrypt. Easy to use and integrate, Vaultree delivers peak performance without compromising security, neutralising the weak spots of traditional encryption or other Privacy Enhancing Technology (PET) based solutions. Follow Vaultree on Twitter (@Vaultree), LinkedIn, Reddit (r/Vaultree) or Visit, and sign up for a product demo and our newsletter to stay up to date on product development and company news.

Top comments (0)