Encrypt/decrypt files with the OpenSSL CLI
github.com: encrypt and decrypt files/streams with the openssl command line.
Q: How would you improve that without increasing the simplicity of the approach?
Q: Is a random 'salt' required here, or does the aes-256-cbc do it for me anyway?
I like the fact that your script is simple, and uses a ubiquitous library! But I do have a few suggestions:
1. You may be using an older version of openssl, but with modern versions, add the `-pbkdf2` option for much saner key derivation.
2. With modern versions of openssl, the `-salt` option is on by default, so you don't need to specify it explicitly (and you almost certainly want this option on, versus not using a salt or generating one yourself).
3. Since no AEAD modes are available with this tool, CTR mode (the `-aes-256-ctr` option) might be the best mode to use with AES (see https://security.stackexchange.com/questions/27776/block-cha...).
4. Alternatively, you might prefer to use ChaCha20 (the `-chacha20` option) over AES (see https://crypto.stackexchange.com/questions/34455/whats-the-a...).
So I would suggest this for the encryption command (instead of `openssl enc -aes-256-cbc -salt -a`):
> openssl enc -chacha20 -pbkdf2 -a
Also, instead of using openssl, you might prefer to use `age`, as it uses modern crypto best practices by default (see https://age-encryption.org/). With it, you could substitute this encryption command for the above:
> age -p -a
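Putting the reply's suggestions together, here is an added shell example (not code from the original post or the linked repository) that round-trips a file through `openssl enc` with `-pbkdf2`, the default random salt and ChaCha20, and then checks what a non-AEAD mode does and does not protect against. It assumes OpenSSL 1.1.1 or later (`-pbkdf2`, `-iter` and `-chacha20` exist there); the passphrases, file names and sample plaintext are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: round-trip a file through
# `openssl enc` with the options suggested above, then check what a
# non-AEAD mode does and does not protect against.
# Assumes OpenSSL 1.1.1 or later (-pbkdf2, -iter and -chacha20 exist there).
# Passphrases, file names and the plaintext are constructed for this demo.

CIPHER="${CIPHER:--chacha20}"   # -aes-256-ctr is the fallback on builds without ChaCha20
ITER=600000                     # PBKDF2 work factor; -pbkdf2 alone defaults to 10000
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Passphrases are read with -pass env:NAME so they never appear on a command
# line visible in `ps`. (Both values are constructed for this demo.)
export DEMO_PASS='correct horse battery staple'
export WRONG_PASS='correct horse battery stapler'

# encrypt_file PLAIN OUT PASS_VAR: salted (default), PBKDF2-derived key, base64 output
encrypt_file() {
    openssl enc "$CIPHER" -pbkdf2 -iter "$ITER" -a -in "$1" -out "$2" -pass "env:$3"
}

# decrypt_file ENC OUT PASS_VAR: exact inverse of encrypt_file
decrypt_file() {
    openssl enc -d "$CIPHER" -pbkdf2 -iter "$ITER" -a -in "$1" -out "$2" -pass "env:$3"
}

# tamper_b64 ENC OUT: change one base64 character well past the 24-character
# "Salted__"+salt header, i.e. flip bits inside the ciphertext body.
tamper_b64() {
    c="$(sed -n '1s/^.\{29\}\(.\).*/\1/p' "$1")"
    if [ "$c" = "A" ]; then r=B; else r=A; fi
    sed "1s/^\(.\{29\}\)./\1$r/" "$1" > "$2"
}

# Returns 0 when decrypting with the right passphrase reproduces the input.
roundtrip_ok() {
    encrypt_file "$1" "$WORK/rt.enc" DEMO_PASS || return 1
    decrypt_file "$WORK/rt.enc" "$WORK/rt.dec" DEMO_PASS || return 1
    cmp -s "$1" "$WORK/rt.dec"
}

# Returns 0 when two encryptions of the same input under the same passphrase
# differ: the random salt (on by default) gives a fresh key and IV each time.
salt_randomizes() {
    encrypt_file "$1" "$WORK/s1.enc" DEMO_PASS || return 1
    encrypt_file "$1" "$WORK/s2.enc" DEMO_PASS || return 1
    ! cmp -s "$WORK/s1.enc" "$WORK/s2.enc"
}

# Returns 0 when a wrong passphrase is NOT detected: openssl exits 0 and
# writes garbage, because a stream mode has no padding and no MAC to fail.
wrong_pass_undetected() {
    encrypt_file "$1" "$WORK/wp.enc" DEMO_PASS || return 1
    decrypt_file "$WORK/wp.enc" "$WORK/wp.dec" WRONG_PASS || return 1
    ! cmp -s "$1" "$WORK/wp.dec"
}

# Returns 0 when ciphertext tampering is NOT detected: the corrupted file
# still decrypts "successfully" but the plaintext has changed.
tamper_undetected() {
    encrypt_file "$1" "$WORK/t.enc" DEMO_PASS || return 1
    tamper_b64 "$WORK/t.enc" "$WORK/t.bad" || return 1
    decrypt_file "$WORK/t.bad" "$WORK/t.dec" DEMO_PASS || return 1
    ! cmp -s "$1" "$WORK/t.dec"
}

# Constructed sample plaintext (long enough that the first base64 line is full).
PLAIN="$WORK/plain.txt"
printf 'The quick brown fox jumps over the lazy dog, 0123456789.\n' > "$PLAIN"

for check in roundtrip_ok salt_randomizes wrong_pass_undetected tamper_undetected; do
    if "$check" "$PLAIN"; then echo "$check: yes"; else echo "$check: no"; fi
done
```

The random salt does not need to be stored separately: `openssl enc` writes an 8-byte `Salted__` magic followed by the 8-byte salt at the front of the output, and reads it back on decryption, so the passphrase is all the recipient needs. The last two checks are the cost of `enc` having no AEAD mode: a wrong passphrase or a flipped ciphertext bit is not reported, you just get different bytes with exit status 0. If integrity matters, compute an HMAC over the ciphertext under a separate key and verify it before decrypting, or use `age`, which authenticates its payload by default.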
hey, thank you!
I am running:
$ openssl version
LibreSSL 2.8.3
chacha20 is not available:
Valid ciphername values:
-aes-128-cbc -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -chacha -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc -gost89 -gost89-cnt -gost89-ecb -id-aes128-GCM -id-aes192-GCM -id-aes256-GCM -rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5
Ah, in that case I think `-aes-256-gcm` is probably your best option (which isn't available with regular old OpenSSL).
got it, thank you!