
How to use OpenSSL to encrypt/decrypt files?


I want to encrypt and decrypt one file using one password.

How can I use OpenSSL to do that?

7 Answers

  • 112

    This is the top Google result for your question: http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/

    Encrypt:

    openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
    

    Decrypt:

    openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
    

    But this doesn't use public key infrastructure at all, so it's a bit like hammering in a nail with a screwdriver :-)

  • 2

    Short Answer:

    You likely want to use gpg instead of openssl, so see "Additional Notes" at the end of this answer. But to answer the question using openssl:

    To Encrypt:

    openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
    

    To Decrypt:

    openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data
    

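    Note: You will be prompted for a password when encrypting or decrypting.


    Long Answer:

    Your best source of information for openssl enc would probably be: https://www.openssl.org/docs/apps/enc.html

    Command line: openssl enc takes the following form: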

    openssl enc -ciphername [-in filename] [-out filename] [-pass arg]
    [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] 
    [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] 
    [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
    

    Explanation of the most useful parameters with regard to your question:

    -e
        Encrypt the input data: this is the default.
    
    -d    
        Decrypt the input data.
    
    -k <password>
        Only use this if you want to pass the password as an argument. 
        Usually you can leave this out and you will be prompted for a 
        password. The password is used to derive the actual key which 
        is used to encrypt your data. Using this parameter is typically
        not considered secure because your password appears in 
        plain-text on the command line and will likely be recorded in 
        bash history.
    
    -kfile <filename>
        Read the password from the first line of <filename> instead of
        from the command line as above.
    
    -a
        base64 process the data. This means that if encryption is taking 
        place the data is base64 encoded after encryption. If decryption 
        is set then the input data is base64 decoded before being 
        decrypted.
        You likely DON'T need to use this. This will likely increase the
        file size for non-text data. Only use this if you need to send 
        data in the form of text format via email etc.
    
    -salt
        To use a salt (randomly generated) when encrypting. You always
        want to use a salt while encrypting. This parameter is actually
        redundant because a salt is used whether you use this or not 
        which is why it was not used in the "Short Answer" above!
    
    -K key    
        The actual key to use: this must be represented as a string
        comprised only of hex digits. If only the key is specified, the
        IV must additionally be specified using the -iv option. When 
        both a key and a password are specified, the key given with the
        -K option will be used and the IV generated from the password 
        will be taken. It probably does not make much sense to specify 
        both key and password.
    
    -iv IV
        The actual IV to use: this must be represented as a string 
        comprised only of hex digits. When only the key is specified 
        using the -K option, the IV must explicitly be defined. When a
        password is being specified using one of the other options, the 
        IV is generated from this password.
    

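    Additional Notes:

    Though you have specifically asked about OpenSSL, you might want to consider using GPG instead for the purpose of encryption, based on this article: OpenSSL vs GPG for encrypting off-site backups?

    To use GPG to do the same, you would use the following commands: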

    To Encrypt:

    gpg --output encrypted.data --symmetric --cipher-algo AES256 un_encrypted.data
    

    To Decrypt:

    gpg --output un_encrypted.data --decrypt encrypted.data
    

    Note: You will be prompted for a password when encrypting or decrypting.

  • 204

    Encrypt:

    openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey
    

    Decrypt:

    openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey
    

    For details, see the openssl(1) docs.

  • 2

    To Encrypt:

    $ openssl bf < arquivo.txt > arquivo.txt.bf
    

    To Decrypt:

    $ openssl bf -d < arquivo.txt.bf > arquivo.txt
    

    bf === Blowfish in CBC mode

  • 2

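    I found an open source program on the net that uses openssl to encrypt and decrypt files. It does this with a single password. The great thing about this open source script is that it deletes the original unencrypted file by shredding it. But the dangerous thing is that once the original unencrypted file is gone, you have to make sure you remember your password, otherwise your file cannot be decrypted.

    Here is the link on GitHub: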

    https://github.com/EgbieAnderson1/linux_file_encryptor/blob/master/file_encrypt.py

  • 30

    Update using a randomly generated public key.

    Encrypt:

    openssl enc -aes-256-cbc -a -salt -in {raw data} -out {encrypted data} -pass file:{random key}
    

    Decrypt:

    openssl enc -d -aes-256-cbc -a -in {ciphered data} -out {raw data} -pass file:{random key}
    

    I have a full tutorial at http://bigthinkingapplied.com/key-based-encryption-using-openssl/

  • 3

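    Note that the OpenSSL CLI uses a weak non-standard algorithm to convert the passphrase to a key, and installing GPG results in various files being added to your home directory and a gpg-agent background process running. If you want maximum portability and control with existing tools, you can use PHP or Python to access the lower-level APIs and directly pass in a full AES key and IV.

    Example PHP invocation via Bash: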

    IV='c2FtcGxlLWFlcy1pdjEyMw=='
    KEY='Twsn8eh2w2HbVCF5zKArlY+Mv5ZwVyaGlk5QkeoSlmc='
    INPUT=123456789023456
    
    ENCRYPTED=$(php -r "print(openssl_encrypt('$INPUT','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
    echo '$ENCRYPTED='$ENCRYPTED
    DECRYPTED=$(php -r "print(openssl_decrypt('$ENCRYPTED','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
    echo '$DECRYPTED='$DECRYPTED
    

    This outputs:

    $ENCRYPTED=nzRi252dayEsGXZOTPXW
    $DECRYPTED=123456789023456
    

    You could also use PHP's openssl_pbkdf2 function to convert a passphrase to a key securely.
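
An added example, not taken from any of the answers above: it parses the `Salted__` header that `openssl enc` writes and derives the key and IV both ways, with the single-pass hash chain of EVP_BytesToKey (the password-to-key step the last answer calls weak) and with PBKDF2 as used by `openssl enc -pbkdf2` in OpenSSL 1.1.1 and later. The sample blob and passphrase are constructed and the function names are this example's own; it assumes MD5 for legacy files (the default became SHA-256 in OpenSSL 1.1.0) and the default of 10000 PBKDF2 iterations.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the 8-byte salt


def parse_salted(blob, is_base64=False):
    """Split `openssl enc` output into (salt, ciphertext)."""
    if is_base64:  # file was written with -a / -base64
        blob = base64.b64decode(blob)
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header (-nosalt or -K/-iv was used)")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, md="md5"):
    """Legacy derivation: D1 = H(pw+salt), Dn = H(Dn-1+pw+salt), count = 1."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, iterations=10000, key_len=32, iv_len=16,
                  md="sha256"):
    """Derivation used with -pbkdf2: one PBKDF2 output split into key || IV."""
    out = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


# Constructed sample: header + salt 00..07 + 32 placeholder ciphertext bytes,
# base64-encoded the way `openssl enc -a` output is.
SAMPLE = base64.b64encode(MAGIC + bytes(range(8)) + b"\x00" * 32)

if __name__ == "__main__":
    salt, ciphertext = parse_salted(SAMPLE, is_base64=True)
    password = b"correct horse"  # constructed passphrase
    for name, kdf in (("EVP_BytesToKey", evp_bytes_to_key),
                      ("PBKDF2", pbkdf2_key_iv)):
        key, iv = kdf(password, salt)
        print(f"{name:15} key={key.hex()} iv={iv.hex()}")
```

With the legacy derivation, testing one passphrase guess against an AES-256-CBC file costs three MD5 calls; PBKDF2 raises that to thousands of HMAC iterations per guess.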
