# OpenSSL
## Directory Encryption (Tar + AES-256)
**Encrypt:**
```bash
tar -czvf - /path/to/directory | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -out backup.tar.gz.enc
```
**Decrypt:**
```bash
openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in backup.tar.gz.enc | tar -xzvf -
```
## File Encryption
**Encrypt (with strong key derivation):**
```bash
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -in file.txt -out file.txt.enc
```
**Decrypt:**
```bash
openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in file.txt.enc -out file.txt
```
## Options
| Option | Purpose |
|--------|---------|
| `-aes-256-cbc` | AES-256 in CBC mode |
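| `-pbkdf2` | PBKDF2 key derivation (more secure than the legacy default) |
| `-iter 100000` | Iterations for key derivation; pass the same value when decrypting |
| `-salt` | Random salt in key derivation, so the same passphrase yields a different key each time (the default) |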
## Quick Reference
| Task | Command |
|------|---------|
| Encrypt directory | `tar -czf - dir/ \| openssl enc -aes-256-cbc -pbkdf2 -salt -out dir.tar.gz.enc` |
| Decrypt archive | `openssl enc -d -aes-256-cbc -pbkdf2 -in dir.tar.gz.enc \| tar -xzf -` |
| Encrypt file | `openssl enc -aes-256-cbc -pbkdf2 -salt -in file -out file.enc` |
| Decrypt file | `openssl enc -d -aes-256-cbc -pbkdf2 -in file.enc -out file` |
## Tips
- Always use `-pbkdf2` — the default key derivation is weak
- Store passphrases securely (see [[1Password]])
- Verify decryption before deleting originals
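
The last tip as a script (an added example, not part of the original notes): it encrypts a directory with the options above, then extracts the archive into a scratch directory and compares it with the source. The function names and the passphrase file read through `-pass file:` are assumptions made so the commands run without a prompt.

```shell
#!/bin/sh
# Added example: encrypt a directory, then check that the archive decrypts
# back to an identical tree before the original is removed.
ITER=100000   # not stored in the file; must match on encrypt and decrypt

# encrypt_dir DIR ARCHIVE PASSFILE
encrypt_dir() {
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
            -pass "file:$3" -out "$2"
}

# decrypt_to ARCHIVE DESTDIR PASSFILE [ITER]
# A wrong passphrase or iteration count yields garbage that tar rejects,
# so the pipeline's exit status (tar's) is non-zero.
decrypt_to() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "${4:-$ITER}" \
        -pass "file:$3" -in "$1" 2>/dev/null |
        tar -xzf - -C "$2" 2>/dev/null
}

# verify_archive DIR ARCHIVE PASSFILE
# Extracts into a scratch directory and compares it with DIR file by file.
verify_archive() {
    _tmp=$(mktemp -d) || return 1
    if decrypt_to "$2" "$_tmp" "$3" &&
        diff -r "$1" "$_tmp/$(basename "$1")" >/dev/null 2>&1
    then _rc=0
    else _rc=1
    fi
    rm -rf "$_tmp"
    return "$_rc"
}

# Usage: sh this-script.sh DIR ARCHIVE PASSFILE
if [ "$#" -eq 3 ]; then
    encrypt_dir "$@" && verify_archive "$@" &&
        echo "verified: $2 decrypts to a copy of $1"
fi
```

Delete the original only after `verify_archive` returns 0; a non-zero status means the passphrase, the iteration count or the contents do not match.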
---
See also: [[GPG]], [[Age]] (simpler, modern alternative), [[SSH]]