Before we begin the exciting journey to secure our sensitive data on our personal computers, let’s touch base on some relevant basic knowledge.
AES ( Advanced Encryption Standard or Rijndael ) is a specification for encrypting electronic data established by the U.S National Institute of Standards and Technology. It is a symmetric encryption based of the block encryption algorithm.
AES supports five modes of encryption:
Cipher Block Chaining (CBC) mode has been the most commonly used mode of operation. With CBC mode, an Initialization Vector is used to encrypt the first plaintext block, then each plaintext block is XORed with the previous ciphertext block and encrypted. Its main drawbacks are that encryption cannot be parallelized.
Electronic Code Book (ECB) mode is the simplest of the five encryption modes. With ECB, the message is divided into blocks, and each block is encrypted separately. ECB is outdated and its use is not recommended in a cryptographic protocol.
Cipher Feedback (CFB) mode, similar to CBC mode, the previous ciphertext block is encrypted and the output is XORed with the current plaintext block to create the current ciphertext block. CFB mode uses an initial chaining vector (ICV) and operates on segments instead of blocks. In its simplest form, CFB uses the entire output of the block cipher.
Output Feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption.
Counter (CTR) mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a “counter”. The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular
We will be using Cipher Block Chaining (CBC) mode to encrypt our files.
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL supports many different cryptographic operations, such as symmetric key encryption, public/private key pair generation, public-key encryption, hash functions, digital signatures, etc.
To use OpenSSL on your system, follow one of the given steps below:
OpenSSL comes pre-installed on most linux distributions. To check if OpenSSL is installed, run the following command:
which openssl
If you get zero output, you can install openssl as follows.
First, update and upgrade the apt package manager:
sudo apt-get update; sudo apt-get upgrade
second, install openssl:
sudo apt-get install openssl
you can install openssl on windows by following the instructions in the article provided:
to install openssl on Mac OS, you can simply run the folowing command in the command line:
brew install openssl
Now that we have covered the necessary basic knowledge, we’re all set up to begin securing our personal data. Let’s start the show.
To begin encrypting your data, run the following command:
openssl enc -aes-256-cbc -a -A -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
After the command is executed, you’ll be prompted to set a passphrase. The passphrase is required to decrypt the data and it is virtually impossible to decrypt the file without the passphrase, even with brute force.
Used to specify the cipher name
The cipher name along with the mode of operation which is CBC (Cipher Block Chaining) mode
Used for Base64 encode/decode
Used with -a
to specify base64 buffer as a single line
sha512 specifies which digest to use for the generation of the key from the passphrase. The default value from version 1.1.0 is SHA256. Before version 1.1.0 MD5 was the default digest
Specifies to use PBKDF2 (Password-Based Key Derivation Function 2) algorithm
Used to override the default count of iterations for the password. High values increase the time required to brute-force the resulting file. This option enables the use of the PBKDF2 algorithm to derive the key
Use salt in Key Derivation Function (KDF). This is the default behaviour and thus this option is not required.
To decrypt your data/file, use the same commands for encryption, but with a -d
option in it, as follows:
openssl enc -aes-256-cbc -a -A -d -md sha512 -pbkdf2 -iter 250000 -salt -in InputFilePath -out OutputFilePath
The above commands to encrypt and decrypt only works on single files. To encrypt/decrypt multiple files, you’ll need to first convert it into a tar file, then run the same commands on the tar file.
You should now have the knowledge to secure your data/file for your eyes only.
One Love, and be secured in the matrix.
We’re here to handle all the headaches and little details. Get A free consultation to get started quickly.