1 .\" Automatically generated by Pod::Man version 1.15
2 .\" Wed Feb 19 16:49:33 2003
5 .\" ======================================================================
6 .de Sh \" Subsection heading
14 .de Sp \" Vertical space (when we can't use .PP)
20 .ie \\n(.$>=3 .ne \\$3
24 .de Vb \" Begin verbatim text
29 .de Ve \" End verbatim text
34 .\" Set up some character translations and predefined strings. \*(-- will
35 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36 .\" double quote, and \*(R" will give a right double quote. | will give a
37 .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38 .\" to do unbreakable dashes and therefore won't be available. \*(C` and
39 .\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
41 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
45 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
59 .\" If the F register is turned on, we'll generate index entries on stderr
60 .\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61 .\" index entries marked with X<> in POD. Of course, you'll have to process
62 .\" the output yourself in some meaningful fashion.
65 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" For nroff, turn off justification. Always turn off hyphenation; it
72 .\" makes way too many mistakes in technical documents.
76 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77 .\" Fear. Run. Save yourself. No user-serviceable parts.
79 . \" fudge factors for nroff and troff
88 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
94 . \" simple accents for nroff and troff
104 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
111 . \" troff and (daisy-wheel) nroff accents
112 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119 .ds ae a\h'-(\w'a'u*4/10)'e
120 .ds Ae A\h'-(\w'A'u*4/10)'E
121 . \" corrections for vroff
122 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
124 . \" for low resolution devices (crt and lpr)
125 .if \n(.H>23 .if \n(.V>19 \
138 .\" ======================================================================
141 .TH ENC 1 "0.9.7a" "2003-02-19" "OpenSSL"
144 enc \- symmetric cipher routines
146 .IX Header "SYNOPSIS"
147 \&\fBopenssl enc \-ciphername\fR
148 [\fB\-in filename\fR]
149 [\fB\-out filename\fR]
156 [\fB\-kfile filename\fR]
158 [\fB\-iv \s-1IV\s0\fR]
161 [\fB\-bufsize number\fR]
165 .IX Header "DESCRIPTION"
166 The symmetric cipher commands allow data to be encrypted or decrypted
167 using various block and stream ciphers using keys based on passwords
168 or explicitly provided. Base64 encoding or decoding can also be performed
169 either by itself or in addition to the encryption or decryption.
172 .Ip "\fB\-in filename\fR" 4
173 .IX Item "-in filename"
174 the input filename, standard input by default.
175 .Ip "\fB\-out filename\fR" 4
176 .IX Item "-out filename"
177 the output filename, standard output by default.
178 .Ip "\fB\-pass arg\fR" 4
180 the password source. For more information about the format of \fBarg\fR
181 see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
184 use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
185 be used unless compatibility with previous versions of OpenSSL or SSLeay
186 is required. This option is only present on OpenSSL versions 0.9.5 or
188 .Ip "\fB\-nosalt\fR" 4
190 don't use a salt in the key derivation routines. This is the default for
191 compatibility with previous versions of OpenSSL and SSLeay.
194 encrypt the input data: this is the default.
197 decrypt the input data.
200 base64 process the data. This means that if encryption is taking place
201 the data is base64 encoded after encryption. If decryption is set then
202 the input data is base64 decoded before being decrypted.
205 if the \fB\-a\fR option is set then base64 process the data on one line.
206 .Ip "\fB\-k password\fR" 4
207 .IX Item "-k password"
208 the password to derive the key from. This is for compatibility with previous
209 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
210 .Ip "\fB\-kfile filename\fR" 4
211 .IX Item "-kfile filename"
212 read the password to derive the key from the first line of \fBfilename\fR.
213 This is for computability with previous versions of OpenSSL. Superseded by
214 the \fB\-pass\fR argument.
215 .Ip "\fB\-S salt\fR" 4
217 the actual salt to use: this must be represented as a string comprised only
219 .Ip "\fB\-K key\fR" 4
221 the actual key to use: this must be represented as a string comprised only
222 of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
223 using the \fB\-iv\fR option. When both a key and a password are specified, the
224 key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
225 password will be taken. It probably does not make much sense to specify
226 both key and password.
227 .Ip "\fB\-iv \s-1IV\s0\fR" 4
229 the actual \s-1IV\s0 to use: this must be represented as a string comprised only
230 of hex digits. When only the key is specified using the \fB\-K\fR option, the
231 \&\s-1IV\s0 must explicitly be defined. When a password is being specified using
232 one of the other options, the \s-1IV\s0 is generated from this password.
235 print out the key and \s-1IV\s0 used.
238 print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
240 .Ip "\fB\-bufsize number\fR" 4
241 .IX Item "-bufsize number"
242 set the buffer size for I/O
243 .Ip "\fB\-nopad\fR" 4
245 disable standard block padding
246 .Ip "\fB\-debug\fR" 4
248 debug the BIOs used for I/O.
251 The program can be called either as \fBopenssl ciphername\fR or
252 \&\fBopenssl enc \-ciphername\fR.
254 A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
256 The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
257 from a password unless you want compatibility with previous versions of
260 Without the \fB\-salt\fR option it is possible to perform efficient dictionary
261 attacks on the password and to attack stream cipher encrypted data. The reason
262 for this is that without the salt the same password always generates the same
263 encryption key. When the salt is being used the first eight bytes of the
264 encrypted data are reserved for the salt: it is generated at random when
265 encrypting a file and read from the encrypted file when it is decrypted.
267 Some of the ciphers do not have large keys and others have security
268 implications if not used correctly. A beginner is advised to just use
269 a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
271 All the block ciphers normally use PKCS#5 padding also known as standard block
272 padding: this allows a rudimentary integrity or password check to be
273 performed. However since the chance of random data passing the test is
274 better than 1 in 256 it isn't a very good test.
276 If padding is disabled then the input data must be a multiple of the cipher
279 All \s-1RC2\s0 ciphers have the same key and effective key length.
281 Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
282 .SH "SUPPORTED CIPHERS"
283 .IX Header "SUPPORTED CIPHERS"
288 \& bf-cbc Blowfish in CBC mode
289 \& bf Alias for bf-cbc
290 \& bf-cfb Blowfish in CFB mode
291 \& bf-ecb Blowfish in ECB mode
292 \& bf-ofb Blowfish in OFB mode
295 \& cast-cbc CAST in CBC mode
296 \& cast Alias for cast-cbc
297 \& cast5-cbc CAST5 in CBC mode
298 \& cast5-cfb CAST5 in CFB mode
299 \& cast5-ecb CAST5 in ECB mode
300 \& cast5-ofb CAST5 in OFB mode
303 \& des-cbc DES in CBC mode
304 \& des Alias for des-cbc
305 \& des-cfb DES in CBC mode
306 \& des-ofb DES in OFB mode
307 \& des-ecb DES in ECB mode
310 \& des-ede-cbc Two key triple DES EDE in CBC mode
311 \& des-ede Alias for des-ede
312 \& des-ede-cfb Two key triple DES EDE in CFB mode
313 \& des-ede-ofb Two key triple DES EDE in OFB mode
316 \& des-ede3-cbc Three key triple DES EDE in CBC mode
317 \& des-ede3 Alias for des-ede3-cbc
318 \& des3 Alias for des-ede3-cbc
319 \& des-ede3-cfb Three key triple DES EDE CFB mode
320 \& des-ede3-ofb Three key triple DES EDE in OFB mode
323 \& desx DESX algorithm.
326 \& idea-cbc IDEA algorithm in CBC mode
327 \& idea same as idea-cbc
328 \& idea-cfb IDEA in CFB mode
329 \& idea-ecb IDEA in ECB mode
330 \& idea-ofb IDEA in OFB mode
333 \& rc2-cbc 128 bit RC2 in CBC mode
334 \& rc2 Alias for rc2-cbc
335 \& rc2-cfb 128 bit RC2 in CBC mode
336 \& rc2-ecb 128 bit RC2 in CBC mode
337 \& rc2-ofb 128 bit RC2 in CBC mode
338 \& rc2-64-cbc 64 bit RC2 in CBC mode
339 \& rc2-40-cbc 40 bit RC2 in CBC mode
347 \& rc5-cbc RC5 cipher in CBC mode
348 \& rc5 Alias for rc5-cbc
349 \& rc5-cfb RC5 cipher in CBC mode
350 \& rc5-ecb RC5 cipher in CBC mode
351 \& rc5-ofb RC5 cipher in CBC mode
354 .IX Header "EXAMPLES"
355 Just base64 encode a binary file:
358 \& openssl base64 -in file.bin -out file.b64
363 \& openssl base64 -d -in file.b64 -out file.bin
365 Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
368 \& openssl des3 -salt -in file.txt -out file.des3
370 Decrypt a file using a supplied password:
373 \& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
375 Encrypt a file then base64 encode it (so it can be sent via mail for example)
376 using Blowfish in \s-1CBC\s0 mode:
379 \& openssl bf -a -salt -in file.txt -out file.bf
381 Base64 decode a file then decrypt it:
384 \& openssl bf -d -salt -a -in file.bf -out file.txt
386 Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
389 \& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
393 The \fB\-A\fR option when used with large files doesn't work properly.
395 There should be an option to allow an iteration count to be included.
397 The \fBenc\fR program only supports a fixed number of algorithms with
398 certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
399 76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.