OpenSSL command

This post may contain affiliate links. Affiliate links are special links which allow the destination website know that we sent that visit. Should you then sign up and/or purchase their product or service, we may get a commission. Learn more.

The OpenSSL command is built into most Linux distributions, and can be used for encrypted and encoding things.

Encrypting a message

OpenSSL can be used to encrypt and decrypt messages. The following command will encrypt a message:

echo "Hello" | openssl enc -bf -pass pass:abc123

I chose to use blowfish, but you can get a list of all available ciphers with:

openssl --show-ciphers

However, you’ll notice it gives you non-unicode characters:


To fix this, simply tell OpenSSL to use base64 encoding:

echo "Hello" | openssl enc -a -bf -pass pass:abc123

this will return something like:


but, it will be different each time because OpenSSL adds a salt to make it harder to crack.

Decrypting a message

To decrypt a message, simple run the same thing, but with the -d flag:

echo "U2FsdGVkX1+gY6RSJ4HUntrKFFzJbdQt" | openssl enc -d -a -bf -pass pass:abc123

this should return:


Encrypting a file

To encrypt a file, you simply need to add a few options to OpenSSL. First, make a file:

echo "test" > test.txt

then, let’s encrypt it with blowfish:

openssl enc -a -bf -in test.txt -out test.enc -pass pass:abc123

The file test.enc will now contain:


While you don’t really need to use base64 since it’s in a file, I still recommend it because it makes copying and pasting possible.

Decrypting a file

Simply run the same command to encrypt, but with the -d flag.

openssl enc -d -a -bf -in test.enc -out test.dec -pass pass:abc123

and, check test.dec, ad you should see:


This means everything worked! Also, if you don’t use the -pass flag, OpenSSL will automatically ask you for the password, so it’s not needed, but it makes copying and pasting the commands easier.


If you ever need to hash something, to verify it hasn’t been tampered with, OpenSSL can also help you out. Simply use openssl dgst:

echo "test" | openssl dgst -sha512

will return:

(stdin)= 0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123

there are other hashing algorithms, but SHA512 is currently the most secure one.

Hashing files

To get the hash of a file, simply use the cat command, as I couldn’t find a way to hash a file directly with OpenSSL, as the help page returns:

options are
-c              to output the digest with separating colons
-r              to output the digest in coreutils format
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-hmac arg       set the HMAC key to arg
-non-fips-allow allow use of non FIPS digest
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-out filename   output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v    signature parameter
-hmac key       create hashed MAC with key
-mac algorithm  create MAC (not neccessarily HMAC)
-macopt nm:v    MAC algorithm parameters or key
-engine e       use engine e, possibly a hardware device.
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm

so, just run:

cat file | openssl dgst -sha512

Also, if you want to get just the hash, run:

echo "test" | openssl dgst -sha512 | cut -d " " -f 2

which returns:


instead of (stdin)= and then the hash.

Subscribe Via Email

Do you like content like this? Enter your email to get new posts as soon as they come out. No spam, I promise.

%d bloggers like this: