Wednesday, 20 September 2017

Using OpenSSL on macOS to encrypt a file using a password

I had a requirement to share a file with a colleague, which I did using Box. However, I wanted to go one step further and encrypt the file BEFORE sharing.

This is known, in some circles, as Pre-Internet Encryption (PIE), which is funny, because I like pie - fish pie, apple pie, mince pie, you name it :-)

This is what I did: -

Encrypt the file

openssl enc -aes-256-cbc -in Patent.doc > Patent_enc.doc 

This example uses the AES-256-CBC cipher and prompts for a password, from which the key for the chosen block/stream cipher is derived to encrypt the file.

My colleague then used a similar command: -

openssl enc -aes-256-cbc -in Patent_enc.doc -d > Patent.doc 

to decrypt the file.

I could've used one of a number of ciphers: -

For the record, whilst I shared the file with him via Box, I shared the decryption command via Slack, and the password via a third, separate channel.

Don't call me paranoid :-)
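As an added example (not part of the original post): AES-256-CBC as used by openssl enc is unauthenticated, so a SHA-256 digest of the original file, shared alongside the password, lets the recipient confirm the decrypted file is the one that was sent. The function names and the ENC_PASSWORD environment variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: round trip with `openssl enc` plus an integrity check.
# Assumption: the shared password is exported in ENC_PASSWORD, so it is
# read via -pass env: and never appears on the command line.

sha256_of() {
    # The hex digest is the last field of `openssl dgst` output.
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# encrypt_file <plain> <encrypted>
# Prints the SHA-256 of the plaintext, to be shared with the recipient.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -in "$1" -out "$2" \
        -pass env:ENC_PASSWORD || return 1
    sha256_of "$1"
}

# decrypt_and_verify <encrypted> <plain> <expected-sha256>
# Decrypts to a temporary file and only moves it into place when the
# digest matches, so a wrong password or altered ciphertext never
# leaves a partial or garbage <plain> behind.
decrypt_and_verify() {
    tmp="$2.partial"
    if openssl enc -d -aes-256-cbc -in "$1" -out "$tmp" \
            -pass env:ENC_PASSWORD \
        && [ "$(sha256_of "$tmp")" = "$3" ]; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (sender):    digest=$(encrypt_file Patent.doc Patent_enc.doc)
# Usage (recipient): decrypt_and_verify Patent_enc.doc Patent.doc "$digest"
```

Using -in/-out with a temporary file, rather than a shell redirect straight to the final name, avoids overwriting Patent.doc when decryption fails.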

From the Wiki here: -

This page describes the command line tools for encryption and decryption. Enc is used for various block and stream ciphers using keys based on passwords or explicitly provided. It can also be used for Base64 encoding or decoding.

It's also worth noting that the OpenSSL command on macOS is somewhat limited / out-of-date.

This is what I have: -

openssl version

OpenSSL 0.9.8zh 14 Jan 2016

as compared to Red Hat: -

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

So the macOS version is an older release (0.9.8 versus 1.0.1) but a newer build (2016 versus 2013) :-)

As an example, this command ( from the Wiki ): -

openssl list-cipher-algorithms

gives this error on macOS: -

openssl:Error: 'list-cipher-algorithms' is an invalid command.

whereas on RHEL, it gives a huge list :-)

However, I was able to work out what ciphers the command supported: -

openssl help

openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse      ca             ciphers        crl            crl2pkcs7      
dgst           dh             dhparam        dsa            dsaparam       
ec             ecparam        enc            engine         errstr         
gendh          gendsa         genrsa         nseq           ocsp           
passwd         pkcs12         pkcs7          pkcs8          prime          
rand           req            rsa            rsautl         s_client       
s_server       s_time         sess_id        smime          speed          
spkac          verify         version        x509           

Message Digest commands (see the `dgst' command for more details)
md2            md4            md5            mdc2           rmd160         
sha            sha1           

Cipher commands (see the `enc' command for more details)
aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc    
aes-256-ecb    base64         bf             bf-cbc         bf-cfb         
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc      
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc        
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb    
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   
des-ofb        des3           desx           rc2            rc2-40-cbc     
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb        
rc4            rc4-40         seed           seed-cbc       seed-cfb       
seed-ecb       seed-ofb       
