11

I want to encrypt a bunch of strings using openssl. How do I pass plaintext in the console to openssl (instead of specifying an input file which has the plaintext)?

openssl man page has only these two options related to input/output:

-in <file>     input file
-out <file>    output file

Here is what I have tried so far:

This works fine,

openssl aes-256-cbc -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000 -in plain.txt -out encrypted.txt

If I omit the -out parameter, I get the encrypted string in the console,

openssl aes-256-cbc -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000 -in plain.txt

But if I omit both -in and -out, I get an error - unknown option 'Encrypt ME',

openssl aes-256-cbc -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000 "Encrypt ME"
Braiam
  • 35,991

3 Answers

16

Use this:

user@host:~$ echo "my string to encrypt" | openssl aes-256-cbc -e -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000
a7svR6j/uAz4kY9jvWbJaUR/d5QdH5ua/vztLN7u/FE=
user@host:~$ echo "a7svR6j/uAz4kY9jvWbJaUR/d5QdH5ua/vztLN7u/FE=" | openssl aes-256-cbc -d -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000
my string to encrypt

Or you could use command substitution:

user@host:~$ openssl aes-256-cbc -a -K 00000000000000000000000000000000 -iv \
00000000000000000000000000000000 -in <(echo "my string to encrypt") -out encrypted.txt

The flags are documented in the manual page man openssl-enc:

  • -a: base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data is base64 decoded before being decrypted.
  • -d: decrypt the input data.
  • -e: encrypt the input data.
  • -K: the actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the IV must additionally be specified using the -iv option. When both a key and a password are specified, the key given with the -K option will be used and the IV generated from the password will be taken. It probably does not make much sense to specify both key and password.
  • -iv: the actual IV to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the -K option, the IV must explicitly be defined. When a password is being specified using one of the other options, the IV is generated from this password.
chaos
  • 48,171
2

what about

echo encrypt Me | openssl aes-256-cbc -a -K 00000000000000000000000000000000 -iv 00000000000000000000000000000000

If your concern is that a ps will show the plain text 'encrypt me', then you'd better stick with files, being careful to erase them.

Archemar
  • 31,554
2

Enter multiline input, use ctrl+d to finish. e='e' will clear the env var, for privacy.

e=$(cat); echo "$e" | openssl enc -aes-256-cbc -e -a; e='e'
HalosGhost
  • 4,790
Bryan
  • 21
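
The stdin approach from the answers above, extended to a batch of strings, as an added example that is not from any of the posters: printf '%s' feeds exactly the string's bytes (echo appends a newline that is encrypted as well), and the passphrase is read from an environment variable so it never appears on openssl's command line. ENC_PASS, the function names and the sample passphrase are assumptions made for this example; -pbkdf2 needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: encrypt many strings through stdin, one base64 line per string.
# ENC_PASS is a hypothetical variable name chosen for this example.

# Encrypt exactly the bytes of $1. -A keeps the base64 on a single line,
# -pass env:NAME makes openssl read the passphrase from the environment.
encrypt_str() {
    printf '%s' "$1" |
        openssl enc -aes-256-cbc -pbkdf2 -e -a -A -pass env:ENC_PASS
}

# Decrypt one base64 line produced by encrypt_str.
decrypt_str() {
    printf '%s' "$1" |
        openssl enc -aes-256-cbc -pbkdf2 -d -a -A -pass env:ENC_PASS
}

# Read plaintext lines on stdin, write one ciphertext line per input line.
# The "|| [ -n ... ]" part also handles a last line without a newline.
encrypt_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        encrypt_str "$line"
        printf '\n'
    done
}

# Constructed sample passphrase, for demonstration only.
ENC_PASS='constructed-demo-passphrase'
export ENC_PASS

# Round trip over two sample strings taken from the question and first answer.
printf '%s\n' 'Encrypt ME' 'my string to encrypt' |
    encrypt_lines |
    while IFS= read -r ct; do
        printf '%s -> %s\n' "$ct" "$(decrypt_str "$ct")"
    done
```

Because passphrase mode adds a random salt, encrypting the same string twice gives different ciphertext, unlike the fixed -K/-iv commands above, which always produce the same output for the same input.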