Upgrade to OpenSSL 0.9.8h.
aac4ff6f 1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
8b0cefbb
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
aac4ff6f
PA
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
8b0cefbb
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
8b0cefbb
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb
JR
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
8b0cefbb
JR
59. nr % 0
60. rr F
984263bc 61.\}
8b0cefbb 62.\"
aac4ff6f
PA
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
8b0cefbb
JR
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
8b0cefbb
JR
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
984263bc
MD
77.\}
78.if t \{\
8b0cefbb
JR
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
8b0cefbb 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
8b0cefbb
JR
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
984263bc
MD
93.\}
94.if t \{\
8b0cefbb
JR
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
8b0cefbb 102. \" troff and (daisy-wheel) nroff accents
984263bc
MD
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 112. \" corrections for vroff
984263bc
MD
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 115. \" for low resolution devices (crt and lpr)
984263bc
MD
116.if \n(.H>23 .if \n(.V>19 \
117\{\
8b0cefbb
JR
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
984263bc
MD
127.\}
128.rm #[ #] #H #V #F C
8b0cefbb
JR
129.\" ========================================================================
130.\"
131.IX Title "ENC 1"
aac4ff6f 132.TH ENC 1 "2008-09-06" "0.9.8h" "OpenSSL"
984263bc
MD
133.SH "NAME"
134enc \- symmetric cipher routines
135.SH "SYNOPSIS"
8b0cefbb
JR
136.IX Header "SYNOPSIS"
137\&\fBopenssl enc \-ciphername\fR
984263bc
MD
138[\fB\-in filename\fR]
139[\fB\-out filename\fR]
140[\fB\-pass arg\fR]
141[\fB\-e\fR]
142[\fB\-d\fR]
143[\fB\-a\fR]
144[\fB\-A\fR]
145[\fB\-k password\fR]
146[\fB\-kfile filename\fR]
147[\fB\-K key\fR]
8b0cefbb 148[\fB\-iv \s-1IV\s0\fR]
984263bc
MD
149[\fB\-p\fR]
150[\fB\-P\fR]
151[\fB\-bufsize number\fR]
152[\fB\-nopad\fR]
153[\fB\-debug\fR]
154.SH "DESCRIPTION"
8b0cefbb 155.IX Header "DESCRIPTION"
984263bc
MD
156The symmetric cipher commands allow data to be encrypted or decrypted
157using various block and stream ciphers using keys based on passwords
158or explicitly provided. Base64 encoding or decoding can also be performed
159either by itself or in addition to the encryption or decryption.
160.SH "OPTIONS"
8b0cefbb
JR
161.IX Header "OPTIONS"
162.IP "\fB\-in filename\fR" 4
163.IX Item "-in filename"
984263bc 164the input filename, standard input by default.
8b0cefbb
JR
165.IP "\fB\-out filename\fR" 4
166.IX Item "-out filename"
984263bc 167the output filename, standard output by default.
8b0cefbb
JR
168.IP "\fB\-pass arg\fR" 4
169.IX Item "-pass arg"
984263bc 170the password source. For more information about the format of \fBarg\fR
8b0cefbb
JR
171see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
172.IP "\fB\-salt\fR" 4
173.IX Item "-salt"
984263bc
MD
174use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
175be used unless compatibility with previous versions of OpenSSL or SSLeay
176is required. This option is only present on OpenSSL versions 0.9.5 or
177above.
8b0cefbb
JR
178.IP "\fB\-nosalt\fR" 4
179.IX Item "-nosalt"
984263bc
MD
180don't use a salt in the key derivation routines. This is the default for
181compatibility with previous versions of OpenSSL and SSLeay.
8b0cefbb
JR
182.IP "\fB\-e\fR" 4
183.IX Item "-e"
984263bc 184encrypt the input data: this is the default.
8b0cefbb
JR
185.IP "\fB\-d\fR" 4
186.IX Item "-d"
984263bc 187decrypt the input data.
8b0cefbb
JR
188.IP "\fB\-a\fR" 4
189.IX Item "-a"
984263bc
MD
190base64 process the data. This means that if encryption is taking place
191the data is base64 encoded after encryption. If decryption is set then
192the input data is base64 decoded before being decrypted.
8b0cefbb
JR
193.IP "\fB\-A\fR" 4
194.IX Item "-A"
984263bc 195if the \fB\-a\fR option is set then base64 process the data on one line.
8b0cefbb
JR
196.IP "\fB\-k password\fR" 4
197.IX Item "-k password"
984263bc
MD
198the password to derive the key from. This is for compatibility with previous
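199versions of OpenSSL. Superseded by the \fB\-pass\fR argument. Note that a password given directly on the command line may be visible to other users of the system, for example in process listings.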
8b0cefbb
JR
200.IP "\fB\-kfile filename\fR" 4
201.IX Item "-kfile filename"
984263bc 202read the password to derive the key from the first line of \fBfilename\fR.
8b0cefbb 203This is for compatibility with previous versions of OpenSSL. Superseded by
984263bc 204the \fB\-pass\fR argument.
8b0cefbb
JR
205.IP "\fB\-S salt\fR" 4
206.IX Item "-S salt"
984263bc
MD
207the actual salt to use: this must be represented as a string comprised only
208of hex digits.
8b0cefbb
JR
209.IP "\fB\-K key\fR" 4
210.IX Item "-K key"
984263bc
MD
211the actual key to use: this must be represented as a string comprised only
212of hex digits. If only the key is specified, the \s-1IV\s0 must additionally be specified
213using the \fB\-iv\fR option. When both a key and a password are specified, the
214key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
215password will be taken. It probably does not make much sense to specify
216both key and password.
8b0cefbb
JR
217.IP "\fB\-iv \s-1IV\s0\fR" 4
218.IX Item "-iv IV"
984263bc
MD
219the actual \s-1IV\s0 to use: this must be represented as a string comprised only
220of hex digits. When only the key is specified using the \fB\-K\fR option, the
8b0cefbb 221\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
984263bc 222one of the other options, the \s-1IV\s0 is generated from this password.
8b0cefbb
JR
223.IP "\fB\-p\fR" 4
224.IX Item "-p"
984263bc 225print out the key and \s-1IV\s0 used.
8b0cefbb
JR
226.IP "\fB\-P\fR" 4
227.IX Item "-P"
984263bc
MD
228print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
229or decryption.
8b0cefbb
JR
230.IP "\fB\-bufsize number\fR" 4
231.IX Item "-bufsize number"
984263bc 232set the buffer size for I/O
8b0cefbb
JR
233.IP "\fB\-nopad\fR" 4
234.IX Item "-nopad"
984263bc 235disable standard block padding
8b0cefbb
JR
236.IP "\fB\-debug\fR" 4
237.IX Item "-debug"
984263bc
MD
238debug the BIOs used for I/O.
239.SH "NOTES"
8b0cefbb 240.IX Header "NOTES"
984263bc 241The program can be called either as \fBopenssl ciphername\fR or
8b0cefbb 242\&\fBopenssl enc \-ciphername\fR.
984263bc 243.PP
8b0cefbb 244A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
984263bc 245.PP
8b0cefbb 246The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
984263bc
MD
247from a password unless you want compatibility with previous versions of
248OpenSSL and SSLeay.
249.PP
250Without the \fB\-salt\fR option it is possible to perform efficient dictionary
251attacks on the password and to attack stream cipher encrypted data. The reason
252for this is that without the salt the same password always generates the same
253encryption key. When the salt is being used the first eight bytes of the
254encrypted data are reserved for the salt: it is generated at random when
255encrypting a file and read from the encrypted file when it is decrypted.
256.PP
257Some of the ciphers do not have large keys and others have security
258implications if not used correctly. A beginner is advised to just use
8b0cefbb 259a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
984263bc
MD
260.PP
261All the block ciphers normally use PKCS#5 padding also known as standard block
262padding: this allows a rudimentary integrity or password check to be
263performed. However, since the chance of random data passing the test is
264better than 1 in 256, it isn't a very good test and should not be relied on to detect a wrong password or modified data.
265.PP
266If padding is disabled then the input data must be a multiple of the cipher
267block length.
268.PP
8b0cefbb 269All \s-1RC2\s0 ciphers have the same key and effective key length.
984263bc 270.PP
8b0cefbb 271Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
984263bc 272.SH "SUPPORTED CIPHERS"
8b0cefbb 273.IX Header "SUPPORTED CIPHERS"
984263bc
MD
274.Vb 1
275\& base64 Base 64
aac4ff6f
PA
276.Ve
277.PP
278.Vb 5
279\& bf-cbc Blowfish in CBC mode
280\& bf Alias for bf-cbc
281\& bf-cfb Blowfish in CFB mode
282\& bf-ecb Blowfish in ECB mode
283\& bf-ofb Blowfish in OFB mode
284.Ve
285.PP
286.Vb 6
287\& cast-cbc CAST in CBC mode
288\& cast Alias for cast-cbc
289\& cast5-cbc CAST5 in CBC mode
290\& cast5-cfb CAST5 in CFB mode
291\& cast5-ecb CAST5 in ECB mode
292\& cast5-ofb CAST5 in OFB mode
293.Ve
294.PP
295.Vb 5
296\& des-cbc DES in CBC mode
297\& des Alias for des-cbc
298\& des-cfb DES in CFB mode
299\& des-ofb DES in OFB mode
300\& des-ecb DES in ECB mode
301.Ve
302.PP
303.Vb 4
304\& des-ede-cbc Two key triple DES EDE in CBC mode
305\& des-ede Two key triple DES EDE in ECB mode
306\& des-ede-cfb Two key triple DES EDE in CFB mode
307\& des-ede-ofb Two key triple DES EDE in OFB mode
308.Ve
309.PP
310.Vb 5
311\& des-ede3-cbc Three key triple DES EDE in CBC mode
312\& des-ede3 Three key triple DES EDE in ECB mode
313\& des3 Alias for des-ede3-cbc
314\& des-ede3-cfb Three key triple DES EDE in CFB mode
315\& des-ede3-ofb Three key triple DES EDE in OFB mode
316.Ve
317.PP
318.Vb 1
984263bc 319\& desx DESX algorithm.
aac4ff6f
PA
320.Ve
321.PP
322.Vb 5
323\& idea-cbc IDEA algorithm in CBC mode
324\& idea same as idea-cbc
325\& idea-cfb IDEA in CFB mode
326\& idea-ecb IDEA in ECB mode
327\& idea-ofb IDEA in OFB mode
328.Ve
329.PP
330.Vb 7
331\& rc2-cbc 128 bit RC2 in CBC mode
332\& rc2 Alias for rc2-cbc
333\& rc2-cfb 128 bit RC2 in CFB mode
334\& rc2-ecb 128 bit RC2 in ECB mode
335\& rc2-ofb 128 bit RC2 in OFB mode
336\& rc2-64-cbc 64 bit RC2 in CBC mode
337\& rc2-40-cbc 40 bit RC2 in CBC mode
338.Ve
339.PP
340.Vb 3
984263bc 341\& rc4 128 bit RC4
aac4ff6f
PA
342\& rc4-64 64 bit RC4
343\& rc4-40 40 bit RC4
344.Ve
345.PP
346.Vb 5
347\& rc5-cbc RC5 cipher in CBC mode
348\& rc5 Alias for rc5-cbc
349\& rc5-cfb RC5 cipher in CFB mode
350\& rc5-ecb RC5 cipher in ECB mode
351\& rc5-ofb RC5 cipher in OFB mode
352.Ve
353.PP
354.Vb 7
355\& aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
356\& aes-[128|192|256] Alias for aes-[128|192|256]-cbc
357\& aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
358\& aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
359\& aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
360\& aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
361\& aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
2c0715f4 362.Ve
984263bc 363.SH "EXAMPLES"
8b0cefbb 364.IX Header "EXAMPLES"
984263bc
MD
365Just base64 encode a binary file:
366.PP
367.Vb 1
aac4ff6f 368\& openssl base64 -in file.bin -out file.b64
984263bc 369.Ve
8b0cefbb 370.PP
984263bc
MD
371Decode the same file
372.PP
373.Vb 1
aac4ff6f 374\& openssl base64 -d -in file.b64 -out file.bin
984263bc 375.Ve
8b0cefbb
JR
376.PP
377Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
984263bc
MD
378.PP
379.Vb 1
aac4ff6f 380\& openssl des3 -salt -in file.txt -out file.des3
984263bc 381.Ve
8b0cefbb 382.PP
984263bc
MD
383Decrypt a file using a supplied password:
384.PP
385.Vb 1
aac4ff6f 386\& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
984263bc 387.Ve
8b0cefbb 388.PP
984263bc 389Encrypt a file then base64 encode it (so it can be sent via mail for example)
8b0cefbb 390using Blowfish in \s-1CBC\s0 mode:
984263bc
MD
391.PP
392.Vb 1
aac4ff6f 393\& openssl bf -a -salt -in file.txt -out file.bf
984263bc 394.Ve
8b0cefbb 395.PP
984263bc
MD
396Base64 decode a file then decrypt it:
397.PP
398.Vb 1
aac4ff6f 399\& openssl bf -d -salt -a -in file.bf -out file.txt
984263bc 400.Ve
8b0cefbb
JR
401.PP
402Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
984263bc
MD
403.PP
404.Vb 1
aac4ff6f 405\& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
984263bc
MD
406.Ve
407.SH "BUGS"
8b0cefbb 408.IX Header "BUGS"
984263bc
MD
409The \fB\-A\fR option when used with large files doesn't work properly.
410.PP
411There should be an option to allow an iteration count to be included.
412.PP
413The \fBenc\fR program only supports a fixed number of algorithms with
8b0cefbb
JR
414certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
41576 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.