10

I just installed Linux (Ubuntu) for the first time and downloaded the OpenSSL package as well. I opened the command line too and tried some commands, but none of them worked.

So what I have is initial vector: 5a04ec902686fb05a6b7a338b6e07760, also have ciphertext: 14c4e6965fc2ed2cd358754494aceffa and the corresponding plaintext: We're blown. Run

Now I imagine there must be a command where you enter the initial vector and the plaintext and as a result you should get the ciphertext...? Another possibility: Enter initial vector and ciphertext, get the plaintext.

But how can I do this in the command line? I've already tried the command:

openssl aes-256-cbc -e -nosalt -a -in  input.txt -out  output.txt -k key -iv ivkey

About input.txt: I have created this file on my Desktop and wrote the plaintext in it. About output.txt: I created it as well and put it on the Desktop; it's empty. After using this command, nothing happens!

Is there any other command that could help me? I have also tried to find some helpful tool on the internet but nothing seemed to work! : /

eyesima
  • 1
    The `-k` should be `-K` if you want to specify the raw hex key. – forest Jun 01 '18 at 16:17
  • @forest Thank you! But still nothing happens ^^ –  Jun 01 '18 at 16:21
  • 1
    You also don't want `-a` if you want a hex output. Pipe it to `xxd` instead. Since the plaintext and ciphertext are both exactly 16 bytes you'll also want `-nopad`. – AndrolGenhald Jun 01 '18 at 16:22
  • @AndrolGenhald Great it seems like I got one step further. Now I'm asked to "enter aes-256-cbc encryption password". I just entered "1" 32 times but again, nothing has happened after. –  Jun 01 '18 at 16:28
  • 1
    Then it seems it doesn't realize that you are specifying the raw keys. Remember to use `-K` with the hex key and `-iv` with the hex IV. That will allow it to take that directly rather than prompting you for a password. When it's asking you for a password, it is looking for ASCII which it will hash with SHA-256 (on newer builds) or MD5 (on older builds) before using directly as the key. – forest Jun 01 '18 at 16:29
  • @forest As hex key -K I have just used the ciphertext. Maybe that was the mistake? But what else can I use if that caused the problem? –  Jun 01 '18 at 16:32
  • 1
    You have to use the key used to encrypt it. If you don't know the key you can't decrypt it...that's how cryptography works. – AndrolGenhald Jun 01 '18 at 16:33
  • 1
    @roblind The ciphertext is in the file for `-in` (if you're doing decryption). `-K` is for the key, not the ciphertext. – forest Jun 01 '18 at 16:35
  • @forest Ok the final command I used: openssl aes-256-cbc -d xxd -nosalt -nopad -in theciphertext -out output.txt -iv theinitialvector but I'm still asked for the password –  Jun 01 '18 at 16:54
  • 2
    You're still missing the `-K`. And what's the xxd in there for? You'd want to use xxd to view the file after decryption. – forest Jun 01 '18 at 16:57

1 Answer

17

Prepare input text:

echo "We're blown. Run" >input.txt

Encrypt:

openssl enc -aes-256-cbc -nosalt -e \
        -in input.txt -out input.txt.enc \
        -K '2222233333232323' -iv '5a04ec902686fb05a6b7a338b6e07760'

Decrypt to stdout original text:

openssl enc -aes-256-cbc -nosalt -d \
        -in input.txt.enc \
        -K '2222233333232323' -iv '5a04ec902686fb05a6b7a338b6e07760'

Note 1: for -K and -iv you must pass a string comprised only of hex digits. You can get this string from a binary file like this:

hexdump -e '16/1 "%02x"' FILE_WITH_KEY

Note 2: Here I used the AES-256 algorithm, which takes a key of 256-bit length. But in -K there are only 8 bytes/16 hex digits/64 bits. In this case openssl pads the private key with zeros, so the example above used the following key: '2222233333232323000000000000000000000000000000000000000000000000'. This is a significant weakening; please use stronger keys in real life. The same applies to -iv, but its length depends on the chosen algorithm's mode and block length; see the related question.

SergA
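The points raised in the comments and in Note 2 (raw hex `-K`/`-iv`, `-nopad` for an exact 16-byte block, hex view of the output, no silent zero-padding), put together as an added example that is not part of the original question or answer. The key is a constructed sample value, the helper names `is_hex_len`, `aes256cbc` and `hex_of` are hypothetical, and `od` stands in for `xxd`:

```shell
#!/bin/sh
# Added example, not from the original post. KEY is a constructed 256-bit sample key;
# IV and PLAINTEXT are the values quoted in the question.
KEY='000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
IV='5a04ec902686fb05a6b7a338b6e07760'
PLAINTEXT="We're blown. Run"

# is_hex_len STRING N: succeed only if STRING is exactly N hex digits.
is_hex_len() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# aes256cbc -e|-d KEY_HEX IV_HEX IN_FILE OUT_FILE (hypothetical helper name).
# Checking the lengths first means openssl never gets to zero-pad a short key or IV.
aes256cbc() {
    is_hex_len "$2" 64 || { echo "key must be 64 hex digits (256 bits)" >&2; return 2; }
    is_hex_len "$3" 32 || { echo "IV must be 32 hex digits (128 bits)" >&2; return 2; }
    # -K/-iv take raw hex, so there is no password prompt and no key derivation;
    # -nopad is valid here only because the input is a whole number of 16-byte blocks.
    openssl enc -aes-256-cbc "$1" -nosalt -nopad -K "$2" -iv "$3" -in "$4" -out "$5"
}

# hex_of FILE: print the file's bytes as one lowercase hex string.
hex_of() { od -An -v -tx1 "$1" | tr -d ' \n'; }

WORK=$(mktemp -d)
# printf '%s' writes no trailing newline, so the file is exactly 16 bytes.
printf '%s' "$PLAINTEXT" > "$WORK/plain.bin"

aes256cbc -e "$KEY" "$IV" "$WORK/plain.bin" "$WORK/cipher.bin"
echo "ciphertext (hex): $(hex_of "$WORK/cipher.bin")"

aes256cbc -d "$KEY" "$IV" "$WORK/cipher.bin" "$WORK/decrypted.bin"
echo "decrypted:        $(cat "$WORK/decrypted.bin")"

# The 16-digit key from the answer is refused instead of being padded with zeros.
aes256cbc -e '2222233333232323' "$IV" "$WORK/plain.bin" "$WORK/short.bin" \
    || echo "short key refused"
```

The ciphertext printed here will match the one in the question only if `KEY` is replaced with the key that was originally used to produce it.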