How to use password argument in via command line to openssl for decryption












43















So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.



Here's what I'm trying to do



openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d



This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.



I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.



note: I'm using openssl version 0.9.8y










share|improve this question



























    43















    So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.



    Here's what I'm trying to do



    openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d



    This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.



    I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.



    note: I'm using openssl version 0.9.8y










    share|improve this question

























      43












      43








      43


      20






      So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.



      Here's what I'm trying to do



      openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d



      This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.



      I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.



      note: I'm using openssl version 0.9.8y










      share|improve this question














      So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.



      Here's what I'm trying to do



      openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d



      This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.



      I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.



      note: I'm using openssl version 0.9.8y







      linux command-line openssl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 5 '14 at 13:52









      David SulpyDavid Sulpy

      1,29421111




      1,29421111






















          3 Answers
          3






          active

          oldest

          votes


















          82














          The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



          Here's how to do it:



          openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



          Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



          Additionally the documentation specifies you can provide other passphrase sources by doing the following:





          • env:somevar to get the password from an environment variable


          • file:somepathname to get the password from the first line of the file at location pathname


          • fd:number to get the password from the file descriptor number.


          • stdin to read from standard input


          Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



          With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



          openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword






          share|improve this answer


























          • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

            – dtmland
            Jun 14 '17 at 22:29













          • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

            – dave_thompson_085
            Jun 18 '17 at 11:52













          • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

            – frakman1
            May 11 '18 at 16:47






          • 1





            btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

            – drmad
            May 20 '18 at 2:44



















          4














          At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



          In this version the parameter to use is -k



          Example:



          openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword





          share|improve this answer


























          • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

            – sibaz
            Aug 24 '17 at 10:55





















          2














          I used -passin and -passout to set passwords to both files in example:



          openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


          where 123 and 321 are password






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f724986%2fhow-to-use-password-argument-in-via-command-line-to-openssl-for-decryption%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            82














            The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



            Here's how to do it:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



            Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



            Additionally the documentation specifies you can provide other passphrase sources by doing the following:





            • env:somevar to get the password from an environment variable


            • file:somepathname to get the password from the first line of the file at location pathname


            • fd:number to get the password from the file descriptor number.


            • stdin to read from standard input


            Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



            With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword






            share|improve this answer


























            • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

              – dtmland
              Jun 14 '17 at 22:29













            • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

              – dave_thompson_085
              Jun 18 '17 at 11:52













            • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

              – frakman1
              May 11 '18 at 16:47






            • 1





              btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

              – drmad
              May 20 '18 at 2:44
















            82














            The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



            Here's how to do it:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



            Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



            Additionally the documentation specifies you can provide other passphrase sources by doing the following:





            • env:somevar to get the password from an environment variable


            • file:somepathname to get the password from the first line of the file at location pathname


            • fd:number to get the password from the file descriptor number.


            • stdin to read from standard input


            Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



            With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword






            share|improve this answer


























            • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

              – dtmland
              Jun 14 '17 at 22:29













            • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

              – dave_thompson_085
              Jun 18 '17 at 11:52













            • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

              – frakman1
              May 11 '18 at 16:47






            • 1





              btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

              – drmad
              May 20 '18 at 2:44














            82












            82








            82







            The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



            Here's how to do it:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



            Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



            Additionally the documentation specifies you can provide other passphrase sources by doing the following:





            • env:somevar to get the password from an environment variable


            • file:somepathname to get the password from the first line of the file at location pathname


            • fd:number to get the password from the file descriptor number.


            • stdin to read from standard input


            Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



            With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword






            share|improve this answer















            The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



            Here's how to do it:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



            Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



            Additionally the documentation specifies you can provide other passphrase sources by doing the following:





            • env:somevar to get the password from an environment variable


            • file:somepathname to get the password from the first line of the file at location pathname


            • fd:number to get the password from the file descriptor number.


            • stdin to read from standard input


            Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



            With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 8 '15 at 17:23









            Björn Tantau

            1032




            1032










            answered Mar 5 '14 at 13:52









            David SulpyDavid Sulpy

            1,29421111




            1,29421111













            • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

              – dtmland
              Jun 14 '17 at 22:29













            • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

              – dave_thompson_085
              Jun 18 '17 at 11:52













            • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

              – frakman1
              May 11 '18 at 16:47






            • 1





              btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

              – drmad
              May 20 '18 at 2:44



















            • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

              – dtmland
              Jun 14 '17 at 22:29













            • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

              – dave_thompson_085
              Jun 18 '17 at 11:52













            • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

              – frakman1
              May 11 '18 at 16:47






            • 1





              btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

              – drmad
              May 20 '18 at 2:44

















            What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

            – dtmland
            Jun 14 '17 at 22:29







            What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

            – dtmland
            Jun 14 '17 at 22:29















            Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

            – dave_thompson_085
            Jun 18 '17 at 11:52







            Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

            – dave_thompson_085
            Jun 18 '17 at 11:52















            How about the openssl dgst command? How do you enter the passphrase for that at the command line?

            – frakman1
            May 11 '18 at 16:47





            How about the openssl dgst command? How do you enter the passphrase for that at the command line?

            – frakman1
            May 11 '18 at 16:47




            1




            1





            btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

            – drmad
            May 20 '18 at 2:44





            btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

            – drmad
            May 20 '18 at 2:44













            4














            At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



            In this version the parameter to use is -k



            Example:



            openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword





            share|improve this answer


























            • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

              – sibaz
              Aug 24 '17 at 10:55


















            4














            At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



            In this version the parameter to use is -k



            Example:



            openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword





            share|improve this answer


























            • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

              – sibaz
              Aug 24 '17 at 10:55
















            4












            4








            4







            At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



            In this version the parameter to use is -k



            Example:



            openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword





            share|improve this answer















            At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



            In this version the parameter to use is -k



            Example:



            openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 27 '15 at 13:37









            karel

            9,25293138




            9,25293138










            answered Dec 27 '15 at 13:31









            JavierJavier

            412




            412













            • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

              – sibaz
              Aug 24 '17 at 10:55





















            • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

              – sibaz
              Aug 24 '17 at 10:55



















            in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

            – sibaz
            Aug 24 '17 at 10:55







            in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

            – sibaz
            Aug 24 '17 at 10:55













            2














            I used -passin and -passout to set passwords to both files in example:



            openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


            where 123 and 321 are password






            share|improve this answer




























              2














              I used -passin and -passout to set passwords to both files in example:



              openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


              where 123 and 321 are password






              share|improve this answer


























                2












                2








                2







                I used -passin and -passout to set passwords to both files in example:



                openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


                where 123 and 321 are password






                share|improve this answer













                I used -passin and -passout to set passwords to both files in example:



                openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


                where 123 and 321 are password







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 24 at 15:40









                Mikhailo KarpenkoMikhailo Karpenko

                211




                211






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f724986%2fhow-to-use-password-argument-in-via-command-line-to-openssl-for-decryption%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Probability when a professor distributes a quiz and homework assignment to a class of n students.

                    Aardman Animations

                    Are they similar matrix