
I need help with openssl decryption of a file.

I need to use an encrypted password for the decryption of a file, not one in plain text. So how can I use the following command and at the same time pass an encrypted password (this will be done automatically, not manually)?

openssl aes-256-cbc -d -a -in test.txt.enc -out test.txt.new -pass pass:password

If I put the encrypted password here (both directly and using a file with -pass file:filename), the file does not get decrypted (I encrypted it manually with the plain-text password).

Thanks, Ana


1 Answer

Perhaps I don't understand your reasoning but it seems you want some facility to hold the password for your encrypted file in a safe manner i.e. you want to hold your password itself encrypted. And all decryption has to be automated/script-able?

The problem is you will face the same issue of plain-text password security for the password on the encrypted password file when it has to be decrypted. There is no way around this except to control permissions on the password file. Your password will have to be stored in some form in plain-text whether for the password file or for the final file to be decrypted.

One possible compromise might be to do this using an agent program which can store your plain-text password in some obfuscated form in memory, e.g. ssh-agent or gpg-agent for gpg, which is what you might be looking for. However, I believe these might only be usable with Public/Private Key (PPK) type encryption and not symmetric key encryption, which is what you have used above (see: link1 and link2).

Also, you probably want to use gpg instead of openssl for your encryption/decryption needs (see: OpenSSL vs GPG for encrypting off-site backups?).

More information on using openssl/gpg for symmetric key encryption: https://stackoverflow.com/a/31552829/3242988

  • There are other reasons for using an encrypted password, such as the ability to change the top password without having to re-encrypt the data. Ex: The data is encrypted with key0. Key0 is encrypted with password1, which is the password used by user1. Now user1 needs to be disallowed access and user2 allowed access. Key0 is retrieved with the user1 password and re-encrypted with password2 for user2. Encrypted password1 is destroyed. – zaph Jun 03 '16 at 00:14
  • @zaph Agreed. Though in this case user1 would know what key0 is because user1 can decrypt it so encrypting with password2 does not exactly disallow user1. So your logic does not hold in this scenario at least not with symmetric keys. – moo Jun 08 '16 at 05:43
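The key-wrapping scheme zaph describes in the comments, and the caveat moo raises, as an added example in POSIX shell that is not code from the question or answer. It assumes only the openssl CLI (1.1.1+ for -pbkdf2) and constructs its own sample file; directory names, function names and the sample passwords are all made up for the demo.

```shell
# Envelope scheme from the comments: data is encrypted under a random key0 and
# only a password-wrapped copy of key0 is stored, so changing the user re-wraps
# key0 instead of re-encrypting the data. Passwords reach openssl via -pass env:,
# not argv (hidden from `ps`). Needs the openssl CLI (1.1.1+ for -pbkdf2).
set -eu

# create_and_wrap_key DIR PASSWORD: generate key0 and store only its wrapped form.
create_and_wrap_key() {
    ( umask 077; openssl rand -hex 32 | WRAP_PW=$2 openssl enc -aes-256-cbc \
        -pbkdf2 -a -out "$1/key0.enc" -pass env:WRAP_PW )
}

# unwrap_key DIR PASSWORD: print key0 (never written to disk). A wrong password
# gives an openssl error or garbage, so only a 64-hex-char key0 is accepted.
unwrap_key() {
    k=$(WRAP_PW=$2 openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1/key0.enc" \
        -pass env:WRAP_PW 2>/dev/null) || return 1
    case $k in *[!0-9a-f]*|'') return 1 ;; esac
    [ ${#k} -eq 64 ] && printf '%s\n' "$k"
}

# encrypt_file/decrypt_file DIR PASSWORD IN OUT: the data layer uses key0, not the password.
encrypt_file() {
    k=$(unwrap_key "$1" "$2") || return 1
    DATA_KEY=$k openssl enc -aes-256-cbc -pbkdf2 -in "$3" -out "$4" -pass env:DATA_KEY
}
decrypt_file() {
    k=$(unwrap_key "$1" "$2") || return 1
    DATA_KEY=$k openssl enc -d -aes-256-cbc -pbkdf2 -in "$3" -out "$4" -pass env:DATA_KEY
}

# rewrap_key DIR OLD_PW NEW_PW: rotate the wrapping password; the ciphertext is untouched.
rewrap_key() {
    k=$(unwrap_key "$1" "$2") || return 1   # refuse to overwrite key0.enc with garbage
    ( umask 077; printf '%s\n' "$k" | WRAP_PW=$3 openssl enc -aes-256-cbc \
        -pbkdf2 -a -out "$1/key0.enc.new" -pass env:WRAP_PW )
    mv "$1/key0.enc.new" "$1/key0.enc"
}

# demo: full user1 -> user2 rotation in a temp dir on a constructed file; prints "ok".
demo() {
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    printf 'constructed sample payload\n' > "$d/test.txt"
    create_and_wrap_key "$d" password1
    encrypt_file "$d" password1 "$d/test.txt" "$d/test.txt.enc"
    rewrap_key "$d" password1 password2
    decrypt_file "$d" password2 "$d/test.txt.enc" "$d/test.txt.new"
    cmp -s "$d/test.txt" "$d/test.txt.new" || return 1
    unwrap_key "$d" password1 >/dev/null && return 1   # old password must fail now
    echo ok
}
```

Run `demo` to exercise the flow. moo's caveat still holds: anyone who unwrapped key0 while it was under password1 still knows key0, so re-wrapping revokes future access to key0.enc, not knowledge already obtained.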