Encrypting Files On The CLI Using OpenSSL


In short, don’t. Use GnuPG instead.

More specifically, don’t use the enc interface for symmetric encryption. I wrote a tool called qe. I could never remember all the proper flags to use when encrypting and decrypting files with OpenSSL. After spending some time reading up on OpenSSL’s enc CLI it was apparent that there are too many gotchas to continue using it. Some users online recommend it, like here and here, but they don’t address the known problems. In short:

While I spent some time working around these issues by doing my own authentication (encrypt-then-MAC), you can’t solve all of them. For instance, passing your key as an argument exposes it in the process list, which any user can see (bad!). While newer versions of OpenSSL include changes to address some of the issues, if the recipient isn’t up to date on their software they’re out of luck. Moving my tool (qe) to use GPG addresses all the above issues. Since the goal of the qe tool is to use strong and sane defaults and provide a dead simple interface, using GPG is simply easier than working around the holes in OpenSSL. If you want to read more about some of the current issues facing OpenSSL, I’ll include some links below. If you have any updated information on this subject please email me.

Readings: 1, 2
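
The process-list exposure mentioned above can be checked directly on Linux. This is an added example, not code from qe or from the original post; `worker` and `DEMO_KEY` are constructed stand-ins for an encryption tool and its key, and the script assumes a readable /proc.

```shell
#!/bin/sh
# Added demo for Linux (reads /proc). DEMO_KEY is a constructed value, built at
# run time so the literal never appears in this script's own command line.
DEMO_KEY="constructed-demo-key-$$"

# Succeed if string $2 appears in the argument list of process $1.
# /proc/<pid>/cmdline is the data ps prints; by default any local user can read it.
argv_contains() {
    [ -r "/proc/$1/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Poll for about a second so the child has finished exec before we judge it.
seen_in_process_list() {
    tries=0
    while [ "$tries" -lt 10 ]; do
        argv_contains "$1" "$2" && return 0
        sleep 0.1 2>/dev/null || sleep 1
        tries=$((tries + 1))
    done
    return 1
}

# Print "exposed" or "hidden" for worker process $1, then signal the worker.
verdict() {
    if seen_in_process_list "$1" "$DEMO_KEY"; then v=exposed; else v=hidden; fi
    kill "$1" 2>/dev/null || true
    echo "$v"
}

# Pattern 1: the key is a command-line argument of the (hypothetical) worker,
# which idles for 3 s in place of a real encryption tool.
key_as_argument() {
    sh -c 'sleep 3; :' worker "$DEMO_KEY" >/dev/null 2>&1 &
    verdict "$!"
}

# Pattern 2: the worker reads the key from stdin. printf is a shell builtin, so
# no process ever carries the key in its argv.
key_on_stdin() {
    printf '%s\n' "$DEMO_KEY" | sh -c 'read -r key; sleep 3; :' worker >/dev/null 2>&1 &
    verdict "$!"
}

echo "key as argument: $(key_as_argument)"
echo "key on stdin:    $(key_on_stdin)"
```

GnuPG supports the second pattern through its `--passphrase-fd` and `--passphrase-file` options, so the passphrase never has to appear on the command line.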