How to use password argument in via command line to openssl for decryption

Question

So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.

Here's what I'm trying to do

openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d

This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.

I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.

note: I'm using openssl version 0.9.8y

score 228 · Accepted Answer · edited Dec 08 '15 at 17:23

The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.

Here's how to do it:

openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword

Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.

Additionally the documentation specifies you can provide other passphrase sources by doing the following:

env:somevar to get the password from an environment variable
file:somepathname to get the password from the first line of the file at location pathname
fd:number to get the password from the file descriptor number.
stdin to read from standard input

Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)

With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:

openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword

score 39 · Answer 2 · answered Jan 24 '19 at 15:40

39

I used -passin and -passout to set passwords to both files in example:

openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321

where 123 and 321 are password

answered Jan 24 '19 at 15:40

Mikhailo Karpenko

491

score 7 · Answer 3 · edited Dec 27 '15 at 13:37

7

At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16

In this version the parameter to use is -k

Example:

openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword

edited Dec 27 '15 at 13:37

karel

13,706

answered Dec 27 '15 at 13:31

Javier

71

How to use password argument in via command line to openssl for decryption

3 Answers3