Encrypt Files in OpenSSL

WiresharkWiresharkBeginner
Practice Now

Introduction

In this lab, you will learn how to use OpenSSL for file encryption and decryption, a crucial skill in cybersecurity. You'll practice generating symmetric keys and applying AES encryption to protect sensitive data through hands-on exercises.

The lab walks you through installing OpenSSL, creating test files, and performing complete encryption-decryption cycles. This practical experience will help you understand fundamental data protection techniques used in real-world applications.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/decrypt_ssl_tls("Decrypting SSL/TLS") subgraph Lab Skills wireshark/decrypt_ssl_tls -.-> lab-549935{{"Encrypt Files in OpenSSL"}} end

Install OpenSSL

In this step, you will install OpenSSL, which is a powerful toolkit for implementing secure communications. OpenSSL provides essential cryptographic functions that we'll use to encrypt and decrypt files later in this lab. It's widely used for securing data transmission and storage.

Before we begin, it's important to understand that OpenSSL is typically included by default in most Linux distributions. However, we'll go through the installation process to ensure you have the correct version and all necessary components. Here's what we'll do:

  1. First, we need to update the package list. This ensures your system knows about the latest available software versions:

    sudo apt update
  2. Now we'll install OpenSSL. The -y flag automatically confirms the installation, saving you from having to type 'yes' during the process:

    sudo apt install openssl -y
  3. After installation, let's verify it worked by checking the version. This command shows which version of OpenSSL is currently active on your system:

    openssl version

    You should see output similar to:

    OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  4. Finally, we'll check the help menu. This displays all available OpenSSL commands and confirms the installation is functioning properly:

    openssl help

    The help output shows you the various cryptographic operations OpenSSL can perform, which we'll explore in the following steps of this lab.

Create a Sample File

In this step, you will create a simple text file that will serve as our test data for encryption and decryption exercises. Working with a known text file helps verify that our encryption process works correctly, as we can easily compare the original and decrypted contents.

Let's begin by creating this sample file in your project directory. We'll use the nano text editor, which is user-friendly for beginners, but you could use any text editor you're comfortable with.

  1. First, navigate to your project directory. This ensures all your files stay organized in one place:

    cd ~/project
  2. Now create and open a new file called sample.txt using nano:

    nano sample.txt
  3. When nano opens, you'll see a blank editing space. Type the following two lines exactly as shown:

    This is a sample text file for encryption testing.
    LabEx Cybersecurity Lab - AES Encryption Demo.
  4. To save your work in nano:

    • Press Ctrl+O (the letter O, not zero) to "Write Out" (save) the file
    • Press Enter to confirm the filename sample.txt
    • Press Ctrl+X to exit the editor
  5. Let's verify the file was created correctly by displaying its contents:

    cat sample.txt

    The terminal should show exactly the two lines you entered. If anything looks different, you may need to edit the file again.

  6. Finally, check the file's details to confirm it exists and has content:

    ls -l sample.txt

    This command shows the file's permissions, owner, size and other details. A non-zero size (typically 80-100 bytes) confirms your text was saved properly.

Having this sample file ready is crucial for the next steps where we'll encrypt and decrypt it, allowing us to clearly see the encryption process working when we get our original text back after decryption.

Generate a Symmetric Key

In this step, you will generate a symmetric encryption key using OpenSSL that we'll use to encrypt our sample file in the next step. Symmetric encryption means the same key is used for both locking (encrypting) and unlocking (decrypting) the data, unlike asymmetric encryption which uses separate keys. This makes the key generation process particularly important for security.

Let's break down what we're about to do: We'll create a strong random key using OpenSSL's cryptographic functions, store it safely, and verify its properties. The key will use AES-256 encryption, which is currently considered very secure for most purposes.

Follow these steps carefully to generate a secure AES-256 encryption key:

  1. First, ensure you're in the correct working directory where we'll store our key file. This helps keep your project files organized:

    cd ~/project
  2. Now we'll generate the actual key. The openssl rand command creates cryptographically strong random data. We're asking for 32 bytes (256 bits) of random data and formatting it as hexadecimal (base-16) for readability:

    openssl rand -hex 32 > symmetric_key.hex
  3. Let's view the generated key to confirm it was created correctly. The key should appear as a long string of random characters:

    cat symmetric_key.hex

    You should see a 64-character hexadecimal string (representing 32 bytes) similar to:

    a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890
  4. Since this key can unlock your encrypted data, we need to protect it. The chmod 600 command ensures only you can read or write this file:

    chmod 600 symmetric_key.hex
  5. Finally, let's verify the key file's properties to confirm everything is set up correctly:

    ls -l symmetric_key.hex

    The output should show:

    • Your username as owner
    • -rw------- permissions (only you can read/write)
    • 65 bytes size (64 characters + newline character)

Remember to keep this key file safe - anyone who has it can decrypt your encrypted files. In real-world scenarios, you might want to store it in a more secure location than your project directory.

Encrypt the File with AES

In this step, you will use the symmetric key generated in the previous step to encrypt your sample file using AES-256-CBC. AES (Advanced Encryption Standard) is a widely-used symmetric encryption algorithm that provides strong security. The 256-bit key length offers high protection, while CBC (Cipher Block Chaining) mode ensures each block of data is processed securely in sequence.

Before starting, let's understand what we're doing: we'll take your original readable text file and transform it into an encrypted version that appears as random data. Only someone with the correct key can decrypt it back to the original form.

Follow these steps to encrypt your file:

  1. First, ensure you're in the correct working directory where your sample file is located. This is important because OpenSSL needs to find both your input file and the key file:

    cd ~/project
  2. Now we'll use OpenSSL's encryption command. The -aes-256-cbc specifies the algorithm, -in points to our input file, -out specifies where to save the encrypted version, and -pass file: tells OpenSSL where to find the encryption key:

    openssl enc -aes-256-cbc -in sample.txt -out sample.enc -pass file:symmetric_key.hex
  3. After running the encryption command, let's verify the encrypted file was created properly. The encrypted file should be slightly larger than the original due to the encryption process adding some additional data:

    ls -l sample.enc

    The output should show:

    • Your username as owner
    • A file size larger than the original (due to encryption overhead)
  4. To confirm the encryption worked, let's try viewing the encrypted content. Unlike your original text file, this should appear as random binary data because it's now securely encrypted:

    cat sample.enc

    You should see random-looking binary data, confirming the encryption was successful.

  5. For additional verification, we can check how the system identifies the file type. The file command examines file contents to determine their type:

    file sample.enc

    The output should indicate it's "data" (not "ASCII text" like the original), which is what we expect from an encrypted file.

Decrypt and Verify the File

In this final step, you will decrypt the encrypted file using the symmetric key and verify that the decrypted content matches the original file. This completes the encryption/decryption cycle and validates that our cryptographic operations worked correctly. Decryption is essentially the reverse process of encryption - it takes the scrambled data and transforms it back to its original form using the same key that was used for encryption.

Follow these steps to decrypt and verify your file:

  1. First, ensure you're in the correct working directory where your encrypted file and key are stored:

    cd ~/project
  2. Decrypt the encrypted file using the same symmetric key. The -d flag tells OpenSSL we're decrypting, while other parameters match those used during encryption:

    openssl enc -d -aes-256-cbc -in sample.enc -out sample.dec -pass file:symmetric_key.hex
  3. Verify the decrypted file was created. The ls -l command shows detailed file information including its size and creation time:

    ls -l sample.dec
  4. Compare the decrypted file with the original. The diff command checks for any differences between files line by line:

    diff sample.txt sample.dec

    If the files are identical (as they should be), there will be no output from this command. Any output would indicate a mismatch between original and decrypted content.

  5. View the decrypted content to confirm it matches the original. The cat command displays the entire file contents in your terminal:

    cat sample.dec

    You should see the exact same text as in your original sample.txt file. This visual confirmation is important for verifying the decryption worked properly.

  6. For additional verification, check the file type. The file command examines the file's contents to determine its type:

    file sample.dec

    The output should indicate it's "ASCII text" like the original, confirming the decryption successfully restored the file to its original text format.

Summary

In this lab, you have learned how to encrypt and decrypt files using OpenSSL through hands-on practice. The exercises covered installing OpenSSL, creating test files, and performing encryption/decryption operations with AES symmetric keys.

The lab demonstrated the complete workflow from key generation to file encryption and decryption verification. This practical experience helps solidify understanding of fundamental cryptographic operations in cybersecurity applications.