LabEx
Log InJoin Free

Symmetric Encryption Basics in Cryptography

LinuxBeginner
Practice Now

Introduction

Symmetric encryption is a fundamental concept in cryptography where a single key is used for both encrypting and decrypting information. This method is fast and efficient, making it ideal for encrypting large amounts of data.

In this lab, you will get hands-on experience with symmetric encryption using the powerful openssl command-line tool in a Linux environment. You will walk through the complete process: generating a secret key, encrypting a text file, decrypting it, and finally, verifying that the decrypted file is identical to the original.

Symmetric Encryption Concept

In this step, we will briefly review the core concept of symmetric encryption. The "symmetric" part means that the same key that locks (encrypts) the data is also used to unlock (decrypt) it.

Imagine you have a physical lockbox. You use a key to lock it. To open it again, you must use the exact same key. In symmetric encryption, this key is a piece of digital information, and it must be shared securely between the parties who need to encrypt and decrypt the data. If this single key is compromised, the security of the encrypted data is lost.

For this lab, we will work with a simple text file. A file named original.txt has been pre-created for you in the ~/project directory. You can view its contents and confirm it's a plain, readable text file.

Let's list the files in the current directory to see it:

ls -l

You should see the original.txt file in the output:

-rw-rw-r-- 1 labex labex 26 Oct 20 08:56 original.txt

Now, let's view its content:

cat original.txt

The output will be the simple text message inside the file:

This is a secret message.

In the next steps, we will encrypt this file to make it unreadable and then decrypt it back to its original form.

Generate AES Key

In this step, you will generate a secure, random key for our encryption process. The strength of symmetric encryption heavily relies on the secrecy and randomness of the key. A predictable key is easy to guess, rendering the encryption useless.

We will use the openssl rand command to generate a cryptographically strong random key. We'll generate a 256-bit key, which is a standard length for the AES (Advanced Encryption Standard) algorithm.

Execute the following command to generate a 32-byte (256-bit) key in hexadecimal format and save it to a file named aes.key:

openssl rand -hex 32 > aes.key

Let's break down this command:

  • openssl rand: The command to generate random data.
  • -hex: Formats the output as a hexadecimal string.
  • 32: Specifies the number of bytes of random data to generate. Since each hex character represents 4 bits (or half a byte), 32 bytes of data will result in a 64-character hex string.
  • > aes.key: Redirects the output of the command and saves it into the aes.key file.

Now, let's view the generated key. Remember, your key will be different from the example below, as it is randomly generated.

cat aes.key

You will see a long string of hexadecimal characters, which is your 256-bit secret key:

2da75d4f284618ed6933d0e743757ed014ba39a1a8aa1879ebbbfe53b92d519a

This file, aes.key, now holds the secret we will use to both encrypt and decrypt our data.

Encrypt File with AES

In this step, you will use the key you generated to encrypt the original.txt file. We will use the openssl enc command, which is a versatile tool for encryption and decryption.

We will use the AES-256-CBC cipher.

  • AES-256: Refers to the Advanced Encryption Standard with a 256-bit key.
  • CBC: Stands for Cipher Block Chaining, a mode of operation that adds randomness and ensures that identical blocks of plaintext do not result in identical blocks of ciphertext.

Run the following command to encrypt the file:

openssl enc -aes-256-cbc -pbkdf2 -salt -in original.txt -out encrypted.dat -pass file:./aes.key

Let's examine the command options:

  • openssl enc: The command for encryption ciphers.
  • -aes-256-cbc: Specifies the encryption algorithm to use.
  • -pbkdf2: Uses a modern, standard-based password-based key derivation function (PBKDF2) to prevent deprecation warnings.
  • -salt: Adds a random salt to the key before encryption. This is a crucial security practice that protects against certain types of attacks.
  • -in original.txt: Specifies the input file to be encrypted.
  • -out encrypted.dat: Specifies the name of the output file that will store the encrypted data.
  • -pass file:./aes.key: Tells OpenSSL to read the password (in our case, the symmetric key) from the aes.key file.

After running the command, a new file named encrypted.dat will be created. Let's try to view its contents:

cat encrypted.dat

The output will be a jumble of unreadable characters, confirming that the file is encrypted.

Salted___Mi72j)NU_nJ_h9s(0]%

You have now successfully encrypted your secret message. Anyone who gets this file without the aes.key will not be able to read its contents.

Decrypt File with AES

In this step, you will decrypt the encrypted.dat file to retrieve the original message. Since this is symmetric encryption, we will use the same key (aes.key) and the same base command (openssl enc) as we did for encryption.

The key difference is the addition of the -d flag, which tells OpenSSL to perform decryption instead of encryption.

Execute the following command to decrypt the file:

openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted.dat -out decrypted.txt -pass file:./aes.key

This command is very similar to the encryption command:

  • -d: This flag specifies that we want to decrypt the input file.
  • -aes-256-cbc: We must specify the same cipher that was used for encryption.
  • -pbkdf2: You must use the same key derivation function that was used for encryption.
  • -in encrypted.dat: The input file is now our encrypted data.
  • -out decrypted.txt: The output file where the decrypted, readable text will be saved.
  • -pass file:./aes.key: We provide the same key that was used to encrypt the file.

After the command completes, a new file named decrypted.txt will be created. Let's view its contents to see if the decryption was successful.

cat decrypted.txt

The output should be the original message, exactly as it was in original.txt:

This is a secret message.

Congratulations! You have successfully completed a full encryption and decryption cycle.

Verify File Integrity

In this final step, we will verify that the decryption process was perfect and that the decrypted.txt file is an exact copy of the original.txt file. While we can visually confirm this for a short message, a programmatic check is necessary for larger files or automated scripts.

The diff command in Linux is the perfect tool for this job. It compares two files line by line and reports any differences. If the files are identical, diff will produce no output.

Run the diff command to compare the original and decrypted files:

diff original.txt decrypted.txt

If the command runs and you are returned to the command prompt with no messages, it means the files are identical. This silence is the confirmation of success. It proves that our data has maintained its integrity throughout the encryption and decryption cycle.

To see all the files you've worked with in this lab, you can run ls -l one more time:

ls -l

You will see the original file, the key, the encrypted data, and the final decrypted file:

-rw-rw-r-- 1 labex labex 65 Oct 20 08:57 aes.key
-rw-rw-r-- 1 labex labex 26 Oct 20 08:57 decrypted.txt
-rw-rw-r-- 1 labex labex 48 Oct 20 08:57 encrypted.dat
-rw-rw-r-- 1 labex labex 26 Oct 20 08:56 original.txt

This confirms that you have successfully managed the entire lifecycle of symmetric encryption.

Summary

In this lab, you gained practical experience with the fundamentals of symmetric encryption using openssl in a Linux environment.

You successfully performed a complete encryption and decryption workflow:

  • You learned the core concept of a single, shared key for both encryption and decryption.
  • You used openssl rand to generate a strong, 256-bit AES key.
  • You used openssl enc to encrypt a text file, rendering it unreadable.
  • You used the same command with the -d flag to decrypt the file back to its original state.
  • Finally, you used the diff command to programmatically verify that the decrypted data was identical to the original, confirming data integrity.

This hands-on exercise provides a solid foundation for understanding how symmetric ciphers work and how they are applied in practice to protect data.

Related Linux Courses
Quick Start with Linux

Quick Start with Linux

linux
Become a Junior System Administrator

Become a Junior System Administrator

linuxshell
Linux for Noobs

Linux for Noobs

linux