Another easy-to-use method of file encryption included with Red Hat and SUSE is one that s sure to be familiar to anyone who has set up or upgraded SSH. It is OpenSSL, and while people commonly use it as a component of other programs, like Apache or SSH, the package is more than just the libcrypto or libssl libraries whose misplacement occasionally causes grief for developers. Also included in the package is the openssl program, which permits fairly simple encryption operations on files using a wide variety of cryptographic algorithms. The following list is selectable for use:
bf , bf-cbc , bf-cfb , bf-ecb , bf-ofb Variations of the Blowfish cipher.
cast , cast-cbc A pair of encoding variations for the CAST cipher.
cast5-cbc , cast5-cfb , cast5-ecb , cast5-ofb A later version of the CAST cipher. As you can see, there are more encoding variations available to use with the CAST5 cipher.
des , des-cbc , des-cfb , des-ecb , des-ede , des-ede-cbc , des-ede-cfb , des-ede-ofb , des-ofb The many variations of encoding for the DES cipher, not all of which are what you would normally want to use. Additionally, DES is not the most secure of ciphers anymore.
des3 , desx , des-ede3 , des-ede3-cbc , des-ede3-cfb , des-ede3-ofb DES3 is the Triple-DES cipher, a more advanced and more secure variant of DES.
idea , idea-cbc , idea-cfb , idea-ecb , idea-ofb The IDEA cipher and variants.
rc2 , rc2-cbc , rc2-cfb , rc2-ecb , rc2-ofb The RC2 cipher and its encoding variants.
rc4 The RC4 cipher without encoding varieties.
rc5 , rc5-cbc , rc5-cfb , rc5-ecb , rc5-ofb The RC5 cipher and encoding variants.
In using these ciphers to encrypt files, there isn t much need to worry about encoding variants, as these are mainly used for communications purposes. Using them for file encryption is fairly straightforward, and some of the options are used for similar purposes in GnuPG as well. The programs are remarkably different, however, and often are used differently as well. OpenSSL is often used as a research tool and as part of other programs to perform cryptography, whereas GnuPG is used more commonly in standalone mode as a primary application.
The use of openssl to encrypt or decrypt a file is a barebones affair compared to the steps that are necessary to use gpg . There are no elaborate keyring files, no options file to tweak default behavior, and no separate key generation tasks . Instead, keys are stored in your head, or barring that, in some other form of secure media. Keys can be fed to openssl on the command line or as a part of a program, but this is usually a bad idea as the keys get exposed to anyone who happens to look at the process table while the command is running.
The command sequence to encrypt a file with openssl using the Blowfish cipher can look something like the following example:
# openssl enc -bf -e -a -in example1.txt -out example1.bf enter bf-cbc encryption password: Verifying password - enter bf-cbc encryption password:
In this example, we end up with a file named example1.bf, and the file extension is one that was chosen for this example; there is no default. In fact, we could have specified the output filename to be anything at all.
In breaking down the switches in the previous example you will see some similarities in operations with what you might do while using gpg . The first command of the openssl program is enc , which tells the program you plan on encoding with ciphers. The second command is a cipher name , in this case the Blowfish cipher. Notice that it is specified with a hyphen ( - ) before the cipher name, resulting in -bf . This could easily have been -des3 or some other cipher. The next flag is -e , which stands for encrypt. Conversely, the -d flag tells the program that you plan on decrypting a file. The next command is the -a switch, which tells openssl to use ASCII armoring suitable for use in e-mail programs. Without this, you end up with a data file that is smaller, but not suitable for mailing. Next is the -in command. This flag specifies the plaintext file that you are using for input and are planning on encrypting. This is followed by the -out command, which specifies a file to output your now encrypted text into. Running the command produces file contents that look something like this:
This is the beginning of the file, and the entire contents look much the same. You may notice there is no header information like that found in GnuPG or PGP files. There is nothing at all in the file to indicate what type of cipher was used to encrypt it, and had the output file example been named differently, there would be no hint whatsoever as to what cipher was used to encrypt the file. The result is that it becomes important to remember both your password and what cipher you used to encrypt a file, as neither is obvious afterward.
To decrypt the same file, the commands look like this:
# openssl enc -bf -d -a -in example1.bf -out example1.txt enter bf-cbc decryption password:
Notice there is no prompt for any password verification. This is because if you make an error you can always try again to decrypt the file. You may notice that the filenames were reversed from the first example. After encrypting the file, we removed the plaintext, which left only the ciphertext file. This made output using the original filename a complete restoration, but any name would have served . They are reversed in order from the first example because in the above operation we are decrypting the ciphertext . The way this is indicated to openssl is via the -d switch, which tells the program to decrypt the ciphertext.
If you need quick and dirty encryption, openssl can be just the right tool to do it with. It leaves no obvious tracks if discretion is desired, and files created with it are indistinguishable from any other anonymous data files. The major difference is that files encrypted with openssl will have smaller key spaces than those in use with gpg .