« Back to Blog

The Developer Toolbox: Encryption/Decryption with the OpenSSL Command-Line Interface

By Wes Dunn
Jun 4, 2018

Every software developer has a toolbox. This toolbox may look a bit different from that of a toolbox used by, let’s say … a carpenter, but the purpose behind the toolbox is about the same: Everything inside the toolbox is there for a reason, to aid the owner in accomplishing their task(s) in the most efficient manner possible.

For example, here are some of the tools you’ll likely find in every developer toolbox (besides a computer, of course):

While there are certainly tools that most every developer will have in their toolbox, each developer will likely have a vastly different set of tools from the next developer. The tools in the toolbox will be largely dependent upon the area of work/focus for that specific developer. Much like our earlier comparison to a carpenter, most carpenters will have some of the same tools (hammer, screwdriver, tape measure, etc.) and have vastly different tools based on their specialization (e.g. not every carpenter is going to have a socket awl in their toolbox).

Over the past couple of weeks, I have been working on a project that implements strong encryption of data that is shared between different backend services we run and maintain in support of our desktop client software. As a part of this project, I needed a tool to be able to quickly test encryption and decryption of data without using only the code I was writing. This type of testing would allow me to make sure that my encryption/decryption methods were correct and reliable. So, what kind of tool would allow me to do this?

The OpenSSL Command-Line Interface

One of the backend services I was working on is written in C/C++ and utilizes the OpenSSL library for both SSL/TLS as well as other cryptographic functions. If you’re unfamiliar with OpenSSL, it’s likely one of most widely implemented open-source libraries out there today, so there is a wealth of documentation and other information freely available.

In addition to being a library that can be used in our programs, OpenSSL can also be downloaded and installed as a command-line interface. If you’re a Mac or Linux user, this is already installed on your computer! (Note: after High Sierra/MacOS 10.13 was released, Apple no longer uses the OpenSSL library, but has switched to LibreSSL. Despite the change, much of the functionality should be identical to that in OpenSSL, and where this post is concerned, the functionality will definitely be the same.) If you are running Windows, you will need to download and install OpenSSL, you can find download links here.

The specific functionality I was interested in was to be able to encrypt and decrypt a string using the same cipher I would be using in the applications I was working on. Turns out the OpenSSL command-line interface (CLI), specifically the enc command, would be the perfect tool to help me test my implementations! Let’s take a look at a few examples and how this tool works and how it made me more efficient in my work.

Let’s walk through a few different commands. If you want to follow along, just open a terminal!

Encrypt a string

Let’s say we wanted to encrypt the string “hello” with the passphrase “world” using the AES-256 algorithm in CBC (Cipher Block Chaining) mode.

$ echo "hello" | openssl enc -aes-256-cbc -base64 -p -k world

Let’s break down this command before we look at the output:

So, let’s see what we get when we run this command:

salt=28E81662F21E8F44
key=7727DBCC7C11E479564F13C93E28BA8AEABFD3CFF1F81C78858869050D75F5CA
iv =69E71D3EFF53EF6B4B751622CD272A62
U2FsdGVkX18o6BZi8h6PRJ7AUNyeMDHnhLEl06AS3KA=

The last line here is the really important one. This is the base64 encoded output of the encryption method. This is what we’re now going to attempt to decrypt.

Decrypt a string

So, we know that the encrypted message is just the word “hello,” but for the sake of the article, let’s pretend we don’t know that. Given we knew the passphrase used to encrypt the original data, how could we go about decrypting the string U2FsdGVkX18o6BZi8h6PRJ7AUNyeMDHnhLEl06AS3KA=? Let’s find out!

$ echo "U2FsdGVkX18o6BZi8h6PRJ7AUNyeMDHnhLEl06AS3KA=" | openssl \
enc -aes-256-cbc -d -a -p -k world

So, what’s going on here?

Well … let’s run it and see what we get:

salt=28E81662F21E8F44
key=7727DBCC7C11E479564F13C93E28BA8AEABFD3CFF1F81C78858869050D75F5CA
iv =69E71D3EFF53EF6B4B751622CD272A62
hello

AWESOME!! This is exactly what we wanted to see! We see that our encrypted message is hello and that our salt, key, and IV all match!

So, to conclude, I’ve used a fairly trivial example to demonstrate how the OpenSSL CLI can be used to encrypt and decrypt data. There is much more this tool can do and many different ways in which it can be helpful. For full documentation of the openssl enc command, please see this page. You can further use the tool to use different ciphers, you can encrypt and decrypt complete files, you can specify the digest algorithm used to generate the key from the passphrase you provide (default is SHA-256), and much more.