How to Encrypt & Decrypt Files with OpenSSL on Ubuntu and Mac OS X

OpenSSL is an open source library that provides a full-featured toolkit and APIs for secure computer network communication over the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols on Linux and other Unix-like systems.

The source code of the project lives on GitHub and is managed by a worldwide community of software engineering volunteers with over 300 contributors.

Most network communication apps, personal computers, web servers, cell phones and tools that use TLS/SSL protocols have a version of OpenSSL installed on them.

The default toolkit of OpenSSL that comes with Ubuntu isn’t the latest. To get the latest, you must download and install it yourself. An older version will work with the tutorial as well, so you do not need to upgrade to follow along.

As mentioned in the title, in this tutorial we will be using OpenSSL in a slightly unusual way: to encrypt and decrypt a file on our computer.

Since OpenSSL allows us to specify the encryption algorithm to use, we’ll use the des3 encryption algorithm, which in simple terms means the encryption algorithm is applied three times to each data block, making it difficult to crack through brute force or other methods.

While we will be focusing on Mac OS X and Ubuntu in this article, these commands will work anywhere that OpenSSL is installed, including older versions of OS X, CentOS, and all other Linux variants.

How to install OpenSSL on Ubuntu

Most versions of Ubuntu come with OpenSSL installed. It is usually not the latest version, but as mentioned above, you can use it for this tutorial. To verify which version of OpenSSL you have installed, type the command below in your terminal.

openssl version -a

This should display all information related to the version of OpenSSL you have installed on your computer. It should be similar to the output below:

LibreSSL 2.2.7
built on: date not available
platform: information not available
options:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

If you don’t have it installed, you can use the commands below to install it and all its associated development libraries.

sudo apt-get install libssl-dev
sudo apt-get install openssl

How to install OpenSSL on a Mac

To install OpenSSL on a Mac we will be using Homebrew. Running the commands below will install OpenSSL and link it correctly on a Mac.

    brew install openssl
    brew link --force openssl

How to Encrypt Files with OpenSSL

With OpenSSL installed and verified on our system, we can go ahead and use it to encrypt and decrypt individual files.

The syntax for using OpenSSL is pretty basic: it starts with the command openssl, then you specify the type of encryption, and then you add the file that needs to be encrypted. Below is a template of the command used.

openssl [encryption type] -in [file to encrypt]

We’ll be using the des3 encryption algorithm for this example, and we’ll be using a text file as the input. We’re also going to specify a different output file to prevent any errors.

des3, short for Triple Data Encryption Standard (Triple DES), is a block cipher in which the DES algorithm is applied three times to each data block.

Here is what the command would look like:

openssl des3 -in file.txt -out encrypted.txt

You will be asked to set and confirm a password before the encryption is complete. Do not lose this password or you will lose access to the file.

Additionally, you can also just use an input file with -in filename, but that may cause issues. To prevent any unexpected problems, do not specify the same file as the input and output. This means the original file will stick around either before or after encryption, and you will want to deal with that file individually, preferably through a secure delete method.

Decrypting Files with OpenSSL

openssl des3 -d -in encrypted.txt -out normal.txt

The password we set in the previous section is required to decrypt the file. Once you execute the command above, you will be asked for the password you used. Other than switching the placement of the input and output, where again the original file stays put, the main difference here is the -d flag, which tells OpenSSL to decrypt the file.

If you are wondering what happens when the password is invalid, you’ll get an error message, but if you force open the file with something like TextEdit, you’ll see the encrypted version of the text followed by a bunch of gibberish.

The file will remain unreadable until it has been decrypted through OpenSSL again.
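
The encrypt and decrypt commands above as a non-interactive round trip (an added example, not part of the original tutorial): it reads the password from an environment variable with -pass env:, compares the decrypted file byte-for-byte with the original, and exercises the wrong-password case. The helper names, file contents and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page). File names, the passphrase and
# the helper names are constructed. The passphrase is read from the exported
# variable DEMO_PASS via -pass env: so the commands run without a prompt.

# Wraps the page's `openssl des3 -in IN -out OUT`; refuses IN == OUT.
encrypt_file() {
    [ "$1" != "$2" ] || { echo "input and output must differ" >&2; return 2; }
    openssl des3 -in "$1" -out "$2" -pass env:DEMO_PASS
}

# Wraps the page's `openssl des3 -d -in IN -out OUT`; refuses IN == OUT.
decrypt_file() {
    [ "$1" != "$2" ] || { echo "input and output must differ" >&2; return 2; }
    openssl des3 -d -in "$1" -out "$2" -pass env:DEMO_PASS
}

# Succeeds only if ENC ($1) decrypts without error AND the result is
# byte-identical to ORIG ($2). The exit status alone is not enough: this
# mode has no integrity check, so a wrong password is normally caught by the
# padding check ("bad decrypt") but can occasionally pass it and emit garbage.
decrypts_to_original() {
    tmp=$(mktemp) || return 1
    if decrypt_file "$1" "$tmp" && cmp -s "$tmp" "$2"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Round trip in a throwaway directory; runs in a subshell so nothing leaks.
demo() (
    dir=$(mktemp -d) || exit 1
    printf 'constructed sample plaintext\n' > "$dir/file.txt"
    DEMO_PASS='constructed-demo-passphrase'; export DEMO_PASS
    encrypt_file "$dir/file.txt" "$dir/encrypted.txt" || exit 1
    if decrypts_to_original "$dir/encrypted.txt" "$dir/file.txt"; then
        echo "right password: original recovered"
    fi
    DEMO_PASS='a-different-passphrase'
    if ! decrypts_to_original "$dir/encrypted.txt" "$dir/file.txt"; then
        echo "wrong password: original not recovered"
    fi
    rm -rf "$dir"
)

demo
```

Keeping a checksum of the original next to the encrypted copy gives the same byte-for-byte check after the plaintext has been deleted.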