Update build for OpenSSL-0.9.8j upgrade.
[dragonfly.git] / secure / usr.bin / openssl / man / enc.1
CommitLineData
e257b235 1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
8b0cefbb
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
8b0cefbb
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
8b0cefbb
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb 50.\"
e257b235
PA
51.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq
53.el .ds Aq '
54.\"
8b0cefbb
JR
55.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion.
e257b235 59.ie \nF \{\
8b0cefbb
JR
60. de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 62..
8b0cefbb
JR
63. nr % 0
64. rr F
984263bc 65.\}
e257b235
PA
66.el \{\
67. de IX
68..
69.\}
aac4ff6f 70.\"
8b0cefbb
JR
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff
984263bc 74.if n \{\
8b0cefbb
JR
75. ds #H 0
76. ds #V .8m
77. ds #F .3m
78. ds #[ \f1
79. ds #] \fP
984263bc
MD
80.\}
81.if t \{\
8b0cefbb
JR
82. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
83. ds #V .6m
84. ds #F 0
85. ds #[ \&
86. ds #] \&
984263bc 87.\}
8b0cefbb 88. \" simple accents for nroff and troff
984263bc 89.if n \{\
8b0cefbb
JR
90. ds ' \&
91. ds ` \&
92. ds ^ \&
93. ds , \&
94. ds ~ ~
95. ds /
984263bc
MD
96.\}
97.if t \{\
8b0cefbb
JR
98. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
99. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
100. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
101. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
102. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
103. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 104.\}
8b0cefbb 105. \" troff and (daisy-wheel) nroff accents
984263bc
MD
106.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
107.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
108.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
109.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
110.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
111.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
112.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
113.ds ae a\h'-(\w'a'u*4/10)'e
114.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 115. \" corrections for vroff
984263bc
MD
116.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
117.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 118. \" for low resolution devices (crt and lpr)
984263bc
MD
119.if \n(.H>23 .if \n(.V>19 \
120\{\
8b0cefbb
JR
121. ds : e
122. ds 8 ss
123. ds o a
124. ds d- d\h'-1'\(ga
125. ds D- D\h'-1'\(hy
126. ds th \o'bp'
127. ds Th \o'LP'
128. ds ae ae
129. ds Ae AE
984263bc
MD
130.\}
131.rm #[ #] #H #V #F C
8b0cefbb
JR
132.\" ========================================================================
133.\"
134.IX Title "ENC 1"
e257b235
PA
135.TH ENC 1 "2009-01-11" "0.9.8j" "OpenSSL"
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents.
138.if n .ad l
139.nh
984263bc
MD
140.SH "NAME"
141enc \- symmetric cipher routines
142.SH "SYNOPSIS"
8b0cefbb
JR
143.IX Header "SYNOPSIS"
144\&\fBopenssl enc \-ciphername\fR
984263bc
MD
145[\fB\-in filename\fR]
146[\fB\-out filename\fR]
147[\fB\-pass arg\fR]
148[\fB\-e\fR]
149[\fB\-d\fR]
150[\fB\-a\fR]
151[\fB\-A\fR]
152[\fB\-k password\fR]
153[\fB\-kfile filename\fR]
154[\fB\-K key\fR]
8b0cefbb 155[\fB\-iv \s-1IV\s0\fR]
984263bc
MD
156[\fB\-p\fR]
157[\fB\-P\fR]
158[\fB\-bufsize number\fR]
159[\fB\-nopad\fR]
160[\fB\-debug\fR]
161.SH "DESCRIPTION"
8b0cefbb 162.IX Header "DESCRIPTION"
984263bc
MD
163The symmetric cipher commands allow data to be encrypted or decrypted
164using various block and stream ciphers using keys based on passwords
165or explicitly provided. Base64 encoding or decoding can also be performed
166either by itself or in addition to the encryption or decryption.
167.SH "OPTIONS"
8b0cefbb
JR
168.IX Header "OPTIONS"
169.IP "\fB\-in filename\fR" 4
170.IX Item "-in filename"
984263bc 171the input filename, standard input by default.
8b0cefbb
JR
172.IP "\fB\-out filename\fR" 4
173.IX Item "-out filename"
984263bc 174the output filename, standard output by default.
8b0cefbb
JR
175.IP "\fB\-pass arg\fR" 4
176.IX Item "-pass arg"
984263bc 177the password source. For more information about the format of \fBarg\fR
8b0cefbb
JR
178see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
179.IP "\fB\-salt\fR" 4
180.IX Item "-salt"
984263bc
MD
181use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
182be used unless compatibility with previous versions of OpenSSL or SSLeay
183is required. This option is only present on OpenSSL versions 0.9.5 or
184above.
8b0cefbb
JR
185.IP "\fB\-nosalt\fR" 4
186.IX Item "-nosalt"
984263bc
MD
187don't use a salt in the key derivation routines. This is the default for
188compatibility with previous versions of OpenSSL and SSLeay.
8b0cefbb
JR
189.IP "\fB\-e\fR" 4
190.IX Item "-e"
984263bc 191encrypt the input data: this is the default.
8b0cefbb
JR
192.IP "\fB\-d\fR" 4
193.IX Item "-d"
984263bc 194decrypt the input data.
8b0cefbb
JR
195.IP "\fB\-a\fR" 4
196.IX Item "-a"
984263bc
MD
197base64 process the data. This means that if encryption is taking place
198the data is base64 encoded after encryption. If decryption is set then
199the input data is base64 decoded before being decrypted.
8b0cefbb
JR
200.IP "\fB\-A\fR" 4
201.IX Item "-A"
984263bc 202if the \fB\-a\fR option is set then base64 process the data on one line.
8b0cefbb
JR
203.IP "\fB\-k password\fR" 4
204.IX Item "-k password"
984263bc
MD
205the password to derive the key from. This is for compatibility with previous
206versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
8b0cefbb
JR
207.IP "\fB\-kfile filename\fR" 4
208.IX Item "-kfile filename"
984263bc 209read the password to derive the key from the first line of \fBfilename\fR.
8b0cefbb 210This is for compatibility with previous versions of OpenSSL. Superseded by
984263bc 211the \fB\-pass\fR argument.
8b0cefbb
JR
212.IP "\fB\-S salt\fR" 4
213.IX Item "-S salt"
984263bc
MD
214the actual salt to use: this must be represented as a string comprised only
215of hex digits.
8b0cefbb
JR
216.IP "\fB\-K key\fR" 4
217.IX Item "-K key"
984263bc
MD
218the actual key to use: this must be represented as a string comprised only
219of hex digits. If only the key is specified, the \s-1IV\s0 must additionally be specified
220using the \fB\-iv\fR option. When both a key and a password are specified, the
221key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
222password will be taken. It probably does not make much sense to specify
223both key and password.
8b0cefbb
JR
224.IP "\fB\-iv \s-1IV\s0\fR" 4
225.IX Item "-iv IV"
984263bc
MD
226the actual \s-1IV\s0 to use: this must be represented as a string comprised only
227of hex digits. When only the key is specified using the \fB\-K\fR option, the
8b0cefbb 228\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
984263bc 229one of the other options, the \s-1IV\s0 is generated from this password.
8b0cefbb
JR
230.IP "\fB\-p\fR" 4
231.IX Item "-p"
984263bc 232print out the key and \s-1IV\s0 used.
8b0cefbb
JR
233.IP "\fB\-P\fR" 4
234.IX Item "-P"
984263bc
MD
235print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
236or decryption.
8b0cefbb
JR
237.IP "\fB\-bufsize number\fR" 4
238.IX Item "-bufsize number"
984263bc 239set the buffer size for I/O
8b0cefbb
JR
240.IP "\fB\-nopad\fR" 4
241.IX Item "-nopad"
984263bc 242disable standard block padding
8b0cefbb
JR
243.IP "\fB\-debug\fR" 4
244.IX Item "-debug"
984263bc
MD
245debug the BIOs used for I/O.
246.SH "NOTES"
8b0cefbb 247.IX Header "NOTES"
984263bc 248The program can be called either as \fBopenssl ciphername\fR or
8b0cefbb 249\&\fBopenssl enc \-ciphername\fR.
984263bc 250.PP
8b0cefbb 251A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
984263bc 252.PP
8b0cefbb 253The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
984263bc
MD
254from a password unless you want compatibility with previous versions of
255OpenSSL and SSLeay.
256.PP
257Without the \fB\-salt\fR option it is possible to perform efficient dictionary
258attacks on the password and to attack stream cipher encrypted data. The reason
259for this is that without the salt the same password always generates the same
260encryption key. When the salt is being used the first eight bytes of the
261encrypted data are reserved for the salt: it is generated at random when
262encrypting a file and read from the encrypted file when it is decrypted.
263.PP
264Some of the ciphers do not have large keys and others have security
265implications if not used correctly. A beginner is advised to just use
8b0cefbb 266a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
984263bc
MD
267.PP
268All the block ciphers normally use PKCS#5 padding also known as standard block
269padding: this allows a rudimentary integrity or password check to be
270performed. However since the chance of random data passing the test is
271better than 1 in 256 it isn't a very good test.
272.PP
273If padding is disabled then the input data must be a multiple of the cipher
274block length.
275.PP
8b0cefbb 276All \s-1RC2\s0 ciphers have the same key and effective key length.
984263bc 277.PP
8b0cefbb 278Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
984263bc 279.SH "SUPPORTED CIPHERS"
8b0cefbb 280.IX Header "SUPPORTED CIPHERS"
984263bc
MD
281.Vb 1
282\& base64 Base 64
e257b235
PA
283\&
284\& bf\-cbc Blowfish in CBC mode
285\& bf Alias for bf\-cbc
286\& bf\-cfb Blowfish in CFB mode
287\& bf\-ecb Blowfish in ECB mode
288\& bf\-ofb Blowfish in OFB mode
289\&
290\& cast\-cbc CAST in CBC mode
291\& cast Alias for cast\-cbc
292\& cast5\-cbc CAST5 in CBC mode
293\& cast5\-cfb CAST5 in CFB mode
294\& cast5\-ecb CAST5 in ECB mode
295\& cast5\-ofb CAST5 in OFB mode
296\&
297\& des\-cbc DES in CBC mode
298\& des Alias for des\-cbc
299\& des\-cfb DES in CFB mode
300\& des\-ofb DES in OFB mode
301\& des\-ecb DES in ECB mode
302\&
303\& des\-ede\-cbc Two key triple DES EDE in CBC mode
304\& des\-ede Two key triple DES EDE in ECB mode
305\& des\-ede\-cfb Two key triple DES EDE in CFB mode
306\& des\-ede\-ofb Two key triple DES EDE in OFB mode
307\&
308\& des\-ede3\-cbc Three key triple DES EDE in CBC mode
309\& des\-ede3 Three key triple DES EDE in ECB mode
310\& des3 Alias for des\-ede3\-cbc
311\& des\-ede3\-cfb Three key triple DES EDE in CFB mode
312\& des\-ede3\-ofb Three key triple DES EDE in OFB mode
313\&
984263bc 314\& desx DESX algorithm.
e257b235
PA
315\&
316\& idea\-cbc IDEA algorithm in CBC mode
317\& idea same as idea\-cbc
318\& idea\-cfb IDEA in CFB mode
319\& idea\-ecb IDEA in ECB mode
320\& idea\-ofb IDEA in OFB mode
321\&
322\& rc2\-cbc 128 bit RC2 in CBC mode
323\& rc2 Alias for rc2\-cbc
324\& rc2\-cfb 128 bit RC2 in CFB mode
325\& rc2\-ecb 128 bit RC2 in ECB mode
326\& rc2\-ofb 128 bit RC2 in OFB mode
327\& rc2\-64\-cbc 64 bit RC2 in CBC mode
328\& rc2\-40\-cbc 40 bit RC2 in CBC mode
329\&
984263bc 330\& rc4 128 bit RC4
e257b235
PA
331\& rc4\-64 64 bit RC4
332\& rc4\-40 40 bit RC4
333\&
334\& rc5\-cbc RC5 cipher in CBC mode
335\& rc5 Alias for rc5\-cbc
336\& rc5\-cfb RC5 cipher in CFB mode
337\& rc5\-ecb RC5 cipher in ECB mode
338\& rc5\-ofb RC5 cipher in OFB mode
339\&
340\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
341\& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc
342\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
343\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
344\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
345\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
346\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
2c0715f4 347.Ve
984263bc 348.SH "EXAMPLES"
8b0cefbb 349.IX Header "EXAMPLES"
984263bc
MD
350Just base64 encode a binary file:
351.PP
352.Vb 1
e257b235 353\& openssl base64 \-in file.bin \-out file.b64
984263bc 354.Ve
8b0cefbb 355.PP
984263bc
MD
356Decode the same file:
357.PP
358.Vb 1
e257b235 359\& openssl base64 \-d \-in file.b64 \-out file.bin
984263bc 360.Ve
8b0cefbb
JR
361.PP
362Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
984263bc
MD
363.PP
364.Vb 1
e257b235 365\& openssl des3 \-salt \-in file.txt \-out file.des3
984263bc 366.Ve
8b0cefbb 367.PP
984263bc
MD
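368Decrypt a file using a supplied password (\fB\-k\fR is superseded by \fB\-pass\fR; a password given as a command-line argument is visible to other local users in the process list):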
369.PP
370.Vb 1
e257b235 371\& openssl des3 \-d \-salt \-in file.des3 \-out file.txt \-k mypassword
984263bc 372.Ve
8b0cefbb 373.PP
984263bc 374Encrypt a file then base64 encode it (so it can be sent via mail for example)
8b0cefbb 375using Blowfish in \s-1CBC\s0 mode:
984263bc
MD
376.PP
377.Vb 1
e257b235 378\& openssl bf \-a \-salt \-in file.txt \-out file.bf
984263bc 379.Ve
8b0cefbb 380.PP
984263bc
MD
381Base64 decode a file then decrypt it:
382.PP
383.Vb 1
e257b235 384\& openssl bf \-d \-salt \-a \-in file.bf \-out file.txt
984263bc 385.Ve
8b0cefbb
JR
386.PP
387Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
984263bc
MD
388.PP
389.Vb 1
e257b235 390\& openssl rc4\-40 \-in file.rc4 \-out file.txt \-K 0102030405
984263bc
MD
391.Ve
392.SH "BUGS"
8b0cefbb 393.IX Header "BUGS"
984263bc
MD
394The \fB\-A\fR option when used with large files doesn't work properly.
395.PP
396There should be an option to allow an iteration count to be included.
397.PP
398The \fBenc\fR program only supports a fixed number of algorithms with
8b0cefbb
JR
399certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
40076 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.