
System: Linux Mint 18.3 Cinnamon 64-bit.

OpenSSL: 1.0.2g

Ordinarily, I would encrypt a file as follows:

```
openssl enc -aes-256-cbc -salt -in somefile -out somefile.enc
```

But I wonder what algorithm will be used to hash my password and if I can change it?

Vlastimil Burián
  • Dupe https://superuser.com/questions/455463/openssl-hash-function-for-generating-aes-key except that was out of date until just now; for full details see https://crypto.stackexchange.com/questions/3298/is-there-a-standard-for-openssl-interoperable-aes-encryption . Note that any single hash is a bad PBKDF; SHA-256 is not noticeably better than MD5. And `-salt` has been the default for over a decade, nearly two. – dave_thompson_085 Dec 10 '17 at 07:36
  • @dave_thompson_085: OpenSSL _does_ use a KDF instead of simple hash, although it still seems to be homegrown and rather weak (see EVP_BytesToKey). – u1686_grawity Dec 11 '17 at 15:46
  • @grawity my answer to the crypto Q I linked explains this in detail. EVP_BytesToKey is a tweak of PBKDF1 from PKCS5, but commandline enc uses EVP_BytesToKey with iteration count 1 so it does only a single hash per output block, it does NOT actually iterate as PBKDF should. The bear agrees: https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase – dave_thompson_085 Dec 12 '17 at 03:31
  • Vlastimil: You're not using this for bulletproof security, are you? Consider GPG/PGP instead, it should still stump the biggest players. @dave_thompson_085 They're still only iterating once? Yowza. Moving away from MD5 is a baby step at least. Do they track the hash & encryption used, or you still have to remember yourself too? (I've [quoted the bear too](https://stackoverflow.com/questions/28247821/openssl-vs-gpg-for-encrypting-off-site-backups/28248800#28248800) ;-) – Xen2050 Dec 14 '17 at 21:10

1 Answer


I found out by accident, here, that for openssl version 1.1.0:

-md digest
    Use the specified digest to create the key from the passphrase. The default algorithm is sha-256.

So, there is no point in specifying the message digest algorithm for the newer version of openssl as it already uses SHA-256.

But since on my system there is openssl version 1.0.2g, I dug further and found out, here, that:

... In OpenSSL 1.1.0 we changed from MD5 to SHA-256 ...

Essentially, this means my openssl will by default use the old and obsolete MD5.

Luckily, this can be changed to SHA-256 with openssl version 1.0.2g:

```
openssl enc -aes-256-cbc -md sha256 -salt -in somefile -out somefile.enc
```

If you have an older openssl version than mine, you might want to try -md sha1, if the above fails.

Vlastimil Burián
  • With all the changes to openssl (digest, and the new recommended pbkdf2 password hashing, which has been LONG overdue), it is now necessary to save more information (metadata) with encrypted files, so that you know how that specific encrypted file was actually encrypted. This is especially important as the default iteration count (10000) is woefully inadequate. As such you may like to look at a script that wraps around "openssl enc" to save and re-read this metadata with the encrypted file. See https://antofthy.gitlab.io/software/#keepout – anthony Sep 24 '20 at 01:31
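
Added example, not part of the original posts and not OpenSSL's own code: a Python re-implementation of the EVP_BytesToKey derivation discussed in the comments and the answer (iteration count 1), applied to a constructed `Salted__` file header to show how the `-md` choice changes the AES-256-CBC key and IV. The passphrase, salt, sample bytes and function names are assumptions made up for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the salt

def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16, count=1):
    """Re-implementation of EVP_BytesToKey; count=1 is what `enc` uses per the comments."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # D_i = H(D_{i-1} || password || salt), then count-1 extra rounds of H
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def parse_salted(blob):
    """Split an `openssl enc -salt` file into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("missing Salted__ header")
    return blob[8:16], blob[16:]

def hash_calls(digest, key_len=32, iv_len=16):
    """Total hash invocations spent on one password guess when count=1."""
    size = hashlib.new(digest).digest_size
    return -(-(key_len + iv_len) // size)  # ceiling division

# Constructed sample: header + salt + one dummy ciphertext block (not real output).
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)
PASSWORD = b"correct horse"  # hypothetical passphrase

def keys_for(blob, password, digest):
    """Derive (key, iv) for a salted file under the given -md digest."""
    salt, _ciphertext = parse_salted(blob)
    return evp_bytes_to_key(password, salt, digest)

if __name__ == "__main__":
    for md in ("md5", "sha256"):  # 1.0.2 default vs 1.1.0 default
        key, iv = keys_for(SAMPLE, PASSWORD, md)
        print(f"-md {md:6} hashes/guess={hash_calls(md)} key={key.hex()} iv={iv.hex()}")
```

Nothing in the header records which digest was used, so a file written with the MD5 default needs `-md md5` when it is decrypted with OpenSSL 1.1.0 or later.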