How to use OpenSSL to encrypt/decrypt files?

I want to crypt and decrypt one file using one password.

How can I use OpenSSL to do that?

How to use OpenSSL with Android?

I have a project to use OpenSSL in Android application. I am just a bit confused about this lib. I read that OpenSSL already exists on Android… Is this true ? If so, how do I use it… If it does no

How to use OpenSSL exacly?

Okay, I need to use md5() function from OpenSSL library, but when I compile gcc gives me an error – undefined reference to md5. I tried few things, which I found in different StackOverFlow questions

How to use byte[] ssl certificate instead of .pem files used in openssl

My device doesn’t have any file system, so I want to convert ssl certificates in .pem format to byte[] and use it in openssl in place of .pem certificated. Using this openssl x509 -in mycert.pem -C, I

How can I use keytool or openssl to generate a signed certificate?

How can I use keytool or openssl to generate a signed certificate?

Starting to use OpenSSL

I want to use SSL in my cross platform program. I decided to use OpenSSL. I have OpenSSL installed, and at this point I am looking through the code and documentation trying to figure out how to use t

How to sign files trustedly with OpenSSL

How can you sign files on the command line while using a trusted identity? For emails you get a x509 certificate, signed by a CA – can you use the same to sign files? Or would the CA need to sign your

how to use API and to initialize openssl properly?

how to use API and to initialize openssl properly? I got to make opevpn work with russian crypto standard called GOST. I know that there are existing products by cryptocom which provides this opportun

How can I check if OpenSSL is suport/use the Intel AES-NI?

Tell me please, how can I check if OpenSSL is support/use the Intel AES-NI?

How to use SSL_CERT_FILE for OpenSSL Windows (OpenSSL 1.0.1c)

How (if at all) can one define a single trusted certificate file for OpenSSL on Windows (Win-7, OpenSSL 1.0.1c) using the SSL_CERT_FILE environment variable? Various research led me to download the De

How to use openSSL Library in the ANDROID application

i am trying to embed the openssl library in my Android application using Android NDK but i don’t know how to use exactly that library and so please any one can tell me how to use that please send a so


This is the top answer to your question from google:


openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc


openssl aes-256-cbc -d -a -in secrets.txt.enc -out

But this does not make use of the public key infrastructure at all, so a bit like hammering in a nail with a screwdriver 🙂


openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey


openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey

For details, see the openssl(1) docs.

Update using a random generated public key.


openssl enc -aes-256-cbc -a -salt -in {raw data} -out {encrypted data} -pass file:{random key}


openssl enc -d -aes-256-cbc -in {ciphered data} -out {raw data}

I have a full tutorial on this at

There is an open source program that I find online it uses openssl to encrypt and decrypt files. It does this with a single password. The great thing about this open source script is that it deletes the original unencrypted file by shredding the file. But the dangerous thing about is once the original unencrypted file is gone you have to make sure you remember your password otherwise they be no other way to decrypt your file.

Here the link it is on github

Short Answer:

To Encrypt:

openssl enc -aes-256-cbc -in -out

To Decrypt:

openssl enc -d -aes-256-cbc -in -out

Note: You will be prompted for a password when encrypting or decrypt.

Long Answer:

Your best source of information for openssl enc would probably be:

Command line: openssl enc takes the following form:

openssl enc -ciphername [-in filename] [-out filename] [-pass arg]
[-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] 
[-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] 
[-bufsize number] [-nopad] [-debug] [-none] [-engine id]

Explanation of most useful parameters with regards to your question:

    Encrypt the input data: this is the default.

    Decrypt the input data.

-k <password>
    Only use this if you want to pass the password as an argument. 
    Usually you can leave this out and you will be prompted for a 
    password. The password is used to derive the actual key which 
    is used to encrypt your data. Using this parameter is typically
    not considered secure because your password appears in 
    plain-text on the command line and will likely be recorded in 
    bash history.

-kfile <filename>
    Read the password from the first line of <filename> instead of
    from the command line as above.

    base64 process the data. This means that if encryption is taking 
    place the data is base64 encoded after encryption. If decryption 
    is set then the input data is base64 decoded before being 
    You likely DON'T need to use this. This will likely increase the
    file size for non-text data. Only use this if you need to send 
    data in the form of text format via email etc.

    To use a salt (randomly generated) when encrypting. You always
    want to use a salt while encrypting. This parameter is actually
    redundant because a salt is used whether you use this or not 
    which is why it was not used in the "Short Answer" above!

-K key    
    The actual key to use: this must be represented as a string
    comprised only of hex digits. If only the key is specified, the
    IV must additionally be specified using the -iv option. When 
    both a key and a password are specified, the key given with the
    -K option will be used and the IV generated from the password 
    will be taken. It probably does not make much sense to specify 
    both key and password.

-iv IV
    The actual IV to use: this must be represented as a string 
    comprised only of hex digits. When only the key is specified 
    using the -K option, the IV must explicitly be defined. When a
    password is being specified using one of the other options, the 
    IV is generated from this password.

To Encrypt:

$ openssl bf < arquivo.txt >

To Decrypt:

$ openssl bf -d < > arquivo.txt

bf === Blowfish in CBC mode

Note that the OpenSSL CLI uses a weak non-standard algorithm to convert the passphrase to a key, and installing GPG results in various files added to your home directory and a gpg-agent background process running. If you want maximum portability and control with existing tools, you can use PHP or Python to access the lower-level APIs and directly pass in a full AES Key and IV.

Example PHP invocation via Bash:


ENCRYPTED=$(php -r "print(openssl_encrypt('$INPUT','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")
DECRYPTED=$(php -r "print(openssl_decrypt('$ENCRYPTED','aes-256-ctr',base64_decode('$KEY'),OPENSSL_ZERO_PADDING,base64_decode('$IV')));")

This outputs:


You could also use PHP’s openssl_pbkdf2 function to convert a passphrase to a key securely.