Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / usr.bin / openssl / man / enc.1
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
8b0cefbb
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
8b0cefbb
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
8b0cefbb
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
8b0cefbb
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
8b0cefbb
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "ENC 1"
e3261593 127.TH ENC 1 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc
MD
132.SH "NAME"
133enc \- symmetric cipher routines
134.SH "SYNOPSIS"
8b0cefbb
JR
135.IX Header "SYNOPSIS"
136\&\fBopenssl enc \-ciphername\fR
984263bc
MD
137[\fB\-in filename\fR]
138[\fB\-out filename\fR]
139[\fB\-pass arg\fR]
140[\fB\-e\fR]
141[\fB\-d\fR]
01185282 142[\fB\-a/\-base64\fR]
984263bc
MD
143[\fB\-A\fR]
144[\fB\-k password\fR]
145[\fB\-kfile filename\fR]
146[\fB\-K key\fR]
8b0cefbb 147[\fB\-iv \s-1IV\s0\fR]
01185282
PA
148[\fB\-S salt\fR]
149[\fB\-salt\fR]
150[\fB\-nosalt\fR]
151[\fB\-z\fR]
152[\fB\-md\fR]
984263bc
MD
153[\fB\-p\fR]
154[\fB\-P\fR]
155[\fB\-bufsize number\fR]
156[\fB\-nopad\fR]
157[\fB\-debug\fR]
01185282
PA
158[\fB\-none\fR]
159[\fB\-engine id\fR]
984263bc 160.SH "DESCRIPTION"
8b0cefbb 161.IX Header "DESCRIPTION"
984263bc
MD
162The symmetric cipher commands allow data to be encrypted or decrypted
163using various block and stream ciphers using keys based on passwords
164or explicitly provided. Base64 encoding or decoding can also be performed
165either by itself or in addition to the encryption or decryption.
166.SH "OPTIONS"
8b0cefbb
JR
167.IX Header "OPTIONS"
168.IP "\fB\-in filename\fR" 4
169.IX Item "-in filename"
984263bc 170the input filename, standard input by default.
8b0cefbb
JR
171.IP "\fB\-out filename\fR" 4
172.IX Item "-out filename"
984263bc 173the output filename, standard output by default.
8b0cefbb
JR
174.IP "\fB\-pass arg\fR" 4
175.IX Item "-pass arg"
984263bc 176the password source. For more information about the format of \fBarg\fR
8b0cefbb
JR
177see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
178.IP "\fB\-salt\fR" 4
179.IX Item "-salt"
01185282 180use a salt in the key derivation routines. This is the default.
8b0cefbb
JR
181.IP "\fB\-nosalt\fR" 4
182.IX Item "-nosalt"
01185282
PA
183don't use a salt in the key derivation routines. This option \fB\s-1SHOULD\s0 \s-1NOT\s0\fR be
184used except for test purposes or compatibility with ancient versions of OpenSSL
185and SSLeay.
8b0cefbb
JR
186.IP "\fB\-e\fR" 4
187.IX Item "-e"
984263bc 188encrypt the input data: this is the default.
8b0cefbb
JR
189.IP "\fB\-d\fR" 4
190.IX Item "-d"
984263bc 191decrypt the input data.
8b0cefbb
JR
192.IP "\fB\-a\fR" 4
193.IX Item "-a"
984263bc
MD
194base64 process the data. This means that if encryption is taking place
195the data is base64 encoded after encryption. If decryption is set then
196the input data is base64 decoded before being decrypted.
01185282
PA
197.IP "\fB\-base64\fR" 4
198.IX Item "-base64"
199same as \fB\-a\fR
8b0cefbb
JR
200.IP "\fB\-A\fR" 4
201.IX Item "-A"
984263bc 202if the \fB\-a\fR option is set then base64 process the data on one line.
8b0cefbb
JR
203.IP "\fB\-k password\fR" 4
204.IX Item "-k password"
984263bc
MD
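205the password to derive the key from. This is for compatibility with previous
206versions of OpenSSL. Superseded by the \fB\-pass\fR argument, which can also read the password from a file, an environment variable or a file descriptor; a password typed on the command line may be visible to other local users through the process list.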
8b0cefbb
JR
207.IP "\fB\-kfile filename\fR" 4
208.IX Item "-kfile filename"
984263bc 209read the password to derive the key from the first line of \fBfilename\fR.
8b0cefbb 210This is for compatibility with previous versions of OpenSSL. Superseded by
984263bc 211the \fB\-pass\fR argument.
01185282
PA
212.IP "\fB\-nosalt\fR" 4
213.IX Item "-nosalt"
214do not use a salt
215.IP "\fB\-salt\fR" 4
216.IX Item "-salt"
217use salt (randomly generated or provided with \fB\-S\fR option) when
218encrypting (this is the default).
8b0cefbb
JR
219.IP "\fB\-S salt\fR" 4
220.IX Item "-S salt"
01185282 221the actual salt to use: this must be represented as a string of hex digits.
8b0cefbb
JR
222.IP "\fB\-K key\fR" 4
223.IX Item "-K key"
984263bc
MD
224the actual key to use: this must be represented as a string comprised only
225of hex digits. If only the key is specified, the \s-1IV\s0 must additionally be specified
226using the \fB\-iv\fR option. When both a key and a password are specified, the
227key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
228password will be taken. It probably does not make much sense to specify
229both key and password.
8b0cefbb
JR
230.IP "\fB\-iv \s-1IV\s0\fR" 4
231.IX Item "-iv IV"
984263bc
MD
232the actual \s-1IV\s0 to use: this must be represented as a string comprised only
233of hex digits. When only the key is specified using the \fB\-K\fR option, the
8b0cefbb 234\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
984263bc 235one of the other options, the \s-1IV\s0 is generated from this password.
8b0cefbb
JR
236.IP "\fB\-p\fR" 4
237.IX Item "-p"
984263bc 238print out the key and \s-1IV\s0 used.
8b0cefbb
JR
239.IP "\fB\-P\fR" 4
240.IX Item "-P"
984263bc
MD
241print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
242or decryption.
8b0cefbb
JR
243.IP "\fB\-bufsize number\fR" 4
244.IX Item "-bufsize number"
984263bc 245set the buffer size for I/O
8b0cefbb
JR
246.IP "\fB\-nopad\fR" 4
247.IX Item "-nopad"
984263bc 248disable standard block padding
8b0cefbb
JR
249.IP "\fB\-debug\fR" 4
250.IX Item "-debug"
984263bc 251debug the BIOs used for I/O.
01185282
PA
252.IP "\fB\-z\fR" 4
253.IX Item "-z"
254Compress or decompress clear text using zlib before encryption or after
255decryption. This option exists only if OpenSSL was compiled with zlib
256or zlib-dynamic option.
257.IP "\fB\-none\fR" 4
258.IX Item "-none"
259Use \s-1NULL\s0 cipher (no encryption or decryption of input).
984263bc 260.SH "NOTES"
8b0cefbb 261.IX Header "NOTES"
984263bc 262The program can be called either as \fBopenssl ciphername\fR or
01185282
PA
263\&\fBopenssl enc \-ciphername\fR. But the first form doesn't work with
264engine-provided ciphers, because this form is processed before the
265configuration file is read and any ENGINEs loaded.
266.PP
267Engines which provide entirely new encryption algorithms (such as ccgost
268engine which provides gost89 algorithm) should be configured in the
269configuration file. Engines, specified in the command line using \-engine
270options can only be used for hardware-assisted implementations of
271ciphers, which are supported by OpenSSL core or other engine, specified
272in the configuration file.
273.PP
274When enc command lists supported ciphers, ciphers provided by engines,
275specified in the configuration files are listed too.
984263bc 276.PP
8b0cefbb 277A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
984263bc 278.PP
8b0cefbb 279The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
984263bc
MD
280from a password unless you want compatibility with previous versions of
281OpenSSL and SSLeay.
282.PP
283Without the \fB\-salt\fR option it is possible to perform efficient dictionary
284attacks on the password and to attack stream cipher encrypted data. The reason
285for this is that without the salt the same password always generates the same
286encryption key. When the salt is being used the first eight bytes of the
287encrypted data are reserved for the salt: it is generated at random when
288encrypting a file and read from the encrypted file when it is decrypted.
289.PP
290Some of the ciphers do not have large keys and others have security
291implications if not used correctly. A beginner is advised to just use
8b0cefbb 292a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
984263bc
MD
293.PP
294All the block ciphers normally use PKCS#5 padding also known as standard block
295padding: this allows a rudimentary integrity or password check to be
296performed. However since the chance of random data passing the test is
297better than 1 in 256 it isn't a very good test. The padding check is not authentication: it does not reliably detect a wrong password or deliberate modification of the encrypted data.
298.PP
299If padding is disabled then the input data must be a multiple of the cipher
300block length.
301.PP
8b0cefbb 302All \s-1RC2\s0 ciphers have the same key and effective key length.
984263bc 303.PP
8b0cefbb 304Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
984263bc 305.SH "SUPPORTED CIPHERS"
8b0cefbb 306.IX Header "SUPPORTED CIPHERS"
01185282
PA
307Note that some of these ciphers can be disabled at compile time
308and some are available only if an appropriate engine is configured
309in the configuration file. The output of the \fBenc\fR command run with
310unsupported options (for example \fBopenssl enc \-help\fR) includes a
311list of ciphers, supported by your version of OpenSSL, including
312ones provided by configured engines.
313.PP
984263bc
MD
314.Vb 1
315\& base64 Base 64
e257b235
PA
316\&
317\& bf\-cbc Blowfish in CBC mode
318\& bf Alias for bf\-cbc
319\& bf\-cfb Blowfish in CFB mode
320\& bf\-ecb Blowfish in ECB mode
321\& bf\-ofb Blowfish in OFB mode
322\&
323\& cast\-cbc CAST in CBC mode
324\& cast Alias for cast\-cbc
325\& cast5\-cbc CAST5 in CBC mode
326\& cast5\-cfb CAST5 in CFB mode
327\& cast5\-ecb CAST5 in ECB mode
328\& cast5\-ofb CAST5 in OFB mode
329\&
330\& des\-cbc DES in CBC mode
331\& des Alias for des\-cbc
332\& des\-cfb DES in CFB mode
333\& des\-ofb DES in OFB mode
334\& des\-ecb DES in ECB mode
335\&
336\& des\-ede\-cbc Two key triple DES EDE in CBC mode
337\& des\-ede Two key triple DES EDE in ECB mode
338\& des\-ede\-cfb Two key triple DES EDE in CFB mode
339\& des\-ede\-ofb Two key triple DES EDE in OFB mode
340\&
341\& des\-ede3\-cbc Three key triple DES EDE in CBC mode
342\& des\-ede3 Three key triple DES EDE in ECB mode
343\& des3 Alias for des\-ede3\-cbc
344\& des\-ede3\-cfb Three key triple DES EDE in CFB mode
345\& des\-ede3\-ofb Three key triple DES EDE in OFB mode
346\&
984263bc 347\& desx DESX algorithm.
e257b235 348\&
01185282
PA
349\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
350\& gost89\-cnt GOST 28147\-89 in CNT mode (provided by ccgost engine)
351\&
e257b235
PA
352\& idea\-cbc IDEA algorithm in CBC mode
353\& idea same as idea\-cbc
354\& idea\-cfb IDEA in CFB mode
355\& idea\-ecb IDEA in ECB mode
356\& idea\-ofb IDEA in OFB mode
357\&
358\& rc2\-cbc 128 bit RC2 in CBC mode
359\& rc2 Alias for rc2\-cbc
360\& rc2\-cfb 128 bit RC2 in CFB mode
361\& rc2\-ecb 128 bit RC2 in ECB mode
362\& rc2\-ofb 128 bit RC2 in OFB mode
363\& rc2\-64\-cbc 64 bit RC2 in CBC mode
364\& rc2\-40\-cbc 40 bit RC2 in CBC mode
365\&
984263bc 366\& rc4 128 bit RC4
e257b235
PA
367\& rc4\-64 64 bit RC4
368\& rc4\-40 40 bit RC4
369\&
370\& rc5\-cbc RC5 cipher in CBC mode
371\& rc5 Alias for rc5\-cbc
372\& rc5\-cfb RC5 cipher in CFB mode
373\& rc5\-ecb RC5 cipher in ECB mode
374\& rc5\-ofb RC5 cipher in OFB mode
375\&
376\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
377\& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc
378\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
379\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
380\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
381\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
382\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
2c0715f4 383.Ve
984263bc 384.SH "EXAMPLES"
8b0cefbb 385.IX Header "EXAMPLES"
984263bc
MD
386Just base64 encode a binary file:
387.PP
388.Vb 1
e257b235 389\& openssl base64 \-in file.bin \-out file.b64
984263bc 390.Ve
8b0cefbb 391.PP
984263bc
MD
392Decode the same file
393.PP
394.Vb 1
e257b235 395\& openssl base64 \-d \-in file.b64 \-out file.bin
984263bc 396.Ve
8b0cefbb
JR
397.PP
398Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
984263bc
MD
399.PP
400.Vb 1
e257b235 401\& openssl des3 \-salt \-in file.txt \-out file.des3
984263bc 402.Ve
8b0cefbb 403.PP
984263bc
MD
404Decrypt a file using a supplied password:
405.PP
406.Vb 1
e257b235 407\& openssl des3 \-d \-salt \-in file.des3 \-out file.txt \-k mypassword
984263bc 408.Ve
8b0cefbb 409.PP
984263bc 410Encrypt a file then base64 encode it (so it can be sent via mail for example)
8b0cefbb 411using Blowfish in \s-1CBC\s0 mode:
984263bc
MD
412.PP
413.Vb 1
e257b235 414\& openssl bf \-a \-salt \-in file.txt \-out file.bf
984263bc 415.Ve
8b0cefbb 416.PP
984263bc
MD
417Base64 decode a file then decrypt it:
418.PP
419.Vb 1
e257b235 420\& openssl bf \-d \-salt \-a \-in file.bf \-out file.txt
984263bc 421.Ve
8b0cefbb
JR
422.PP
423Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
984263bc
MD
424.PP
425.Vb 1
e257b235 426\& openssl rc4\-40 \-in file.rc4 \-out file.txt \-K 0102030405
984263bc
MD
427.Ve
428.SH "BUGS"
8b0cefbb 429.IX Header "BUGS"
984263bc
MD
430The \fB\-A\fR option when used with large files doesn't work properly.
431.PP
432There should be an option to allow an iteration count to be included.
433.PP
434The \fBenc\fR program only supports a fixed number of algorithms with
8b0cefbb
JR
435certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
43676 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.