How to use password argument in via command line to openssl for decryption












43















So it's not the most secure practice to pass a password in through a command line argument. That said, the documentation for openssl confused me on how to pass a password argument to the openssl command.



Here's what I'm trying to do



openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d



This then prompts for the pass key for decryption. I searched the openssl documents and the interwebs to try and find the answer if I simply wanted to give the password to the command without trying to echo the password to the file. I tried adding -pass:somepassword and -pass somepassword both with and without quotes to no avail.



I finally figured out the answer and saw in some other forums people had similar questions, so I thought I would post my question and answer here for the community.



note: I'm using openssl version 0.9.8y

















      linux command-line openssl
















      asked Mar 5 '14 at 13:52









      David Sulpy






















          3 Answers








            82






















            The documentation wasn't very clear to me, but it had the answer, the challenge was not being able to see an example.



            Here's how to do it:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -pass pass:somepassword



            Notice that the command line command syntax is always -pass followed by a space and then the type of passphrase you're providing, i.e. pass: for plain passphrase and then the actual passphrase after the colon with no space.



            Additionally the documentation specifies you can provide other passphrase sources by doing the following:





            • env:somevar to get the password from an environment variable


            • file:somepathname to get the password from the first line of the file at location pathname


            • fd:number to get the password from the file descriptor number.


            • stdin to read from standard input


            Now that I've written this question and answer, it all seems obvious. But it certainly took some time to figure out and I'd seen it take others similar time, so hopefully this can cut down that time and answer faster for others! :)



            With OpenSSL 1.0.1e the parameter to use is -passin or -passout. So this example would be:



            openssl aes-256-cbc -in some_file.enc -out some_file.unenc -d -passin pass:somepassword















            edited Dec 8 '15 at 17:23









            Björn Tantau











            answered Mar 5 '14 at 13:52









            David Sulpy













            • What's the difference between using passin or passout? - Ha! Just looked it up, stdin vs stdout of course!

              – dtmland
              Jun 14 '17 at 22:29













            • Note that the documentation for password options applying to most openssl commands (not just enc) is in the man page for openssl(1) also on the web under 'OPTIONS'. But I don't believe your last bit about -passin/out; other openssl commands like rsa dsa ec pkey pkcs8 pkcs12 req ca do use those but in every version I've seen including 1.0.1e built directly from upstream source enc uses -pass or -k -kfile as documented (on the enc manpage).

              – dave_thompson_085
              Jun 18 '17 at 11:52













            • How about the openssl dgst command? How do you enter the passphrase for that at the command line?

              – frakman1
              May 11 '18 at 16:47






            • btw -passin is used to provide a password for the input certificate, and -passout is for the new generated certificate

              – drmad
              May 20 '18 at 2:44
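
The passphrase sources listed in David Sulpy's answer above (env:, file:, fd: and stdin), as an added example that is not part of the original thread: it decrypts the same file once per source, so the passphrase never appears in the openssl argument list, which is the concern the question opens with. The file names, the DEMO_PASS variable and the passphrase are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original thread. File names, DEMO_PASS and the
# passphrase are constructed sample values.

# Decrypts one file four times, once per passphrase source, and prints the
# sources whose output matched the original plaintext.
demo_pass_sources() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

    umask 077                        # work files readable by the owner only
    work=$(mktemp -d) || exit 1
    secret='constructed-demo-passphrase'
    plain="$work/some_file.unenc"
    enc="$work/some_file.enc"
    passfile="$work/pass.txt"

    printf 'constructed sample plaintext\n' > "$plain"
    # printf is a builtin in bash and dash, so no external process is started
    # with the passphrase in its argument list.
    printf '%s\n' "$secret" > "$passfile"

    # Encrypt once so there is something to decrypt.
    openssl enc -aes-256-cbc -e -in "$plain" -out "$enc" \
        -pass file:"$passfile" || { rm -rf "$work"; exit 1; }

    # env:VAR - the variable is placed in the environment of this one
    # openssl process only.
    DEMO_PASS="$secret" openssl enc -aes-256-cbc -d -in "$enc" \
        -out "$work/out.env" -pass env:DEMO_PASS

    # file:PATH - the first line of the file is the passphrase.
    openssl enc -aes-256-cbc -d -in "$enc" \
        -out "$work/out.file" -pass file:"$passfile"

    # fd:N - openssl reads the passphrase from an already-open descriptor.
    openssl enc -aes-256-cbc -d -in "$enc" \
        -out "$work/out.fd" -pass fd:3 3<"$passfile"

    # stdin - the passphrase arrives on standard input; the data comes from -in.
    printf '%s\n' "$secret" | openssl enc -aes-256-cbc -d -in "$enc" \
        -out "$work/out.stdin" -pass stdin

    # Record every source whose decrypted output equals the plaintext.
    matched=""
    for src in env file fd stdin; do
        if cmp -s "$plain" "$work/out.$src"; then
            matched="${matched:+$matched }$src"
        fi
    done

    rm -rf "$work"
    printf '%s\n' "$matched"
)

demo_pass_sources || echo "demo did not complete" >&2
```

Recent OpenSSL releases also print a key-derivation warning for enc on stderr; it is unrelated to where the passphrase comes from.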








































            4






















            At this moment Ubuntu 14.04 LTS comes with openssl 1.0.1f-1ubuntu2.16



            In this version the parameter to use is -k



            Example:



            openssl enc -aes-256-cbc -e -in some_file.unenc -out some_file.enc -k somepassword














            edited Dec 27 '15 at 13:37









            karel











            answered Dec 27 '15 at 13:31









            Javier













            • in your example, -k is an option available to the openssl 'enc' command (try man enc) it is not a general option. If you look at man openssl you'll see under the 'Pass Phrase Options' heading, what the general options are; pass:password, env:var, file:pathname, fd:number or stdin, as mentioned in an earlier response.

              – sibaz
              Aug 24 '17 at 10:55










































                2




















                I used -passin and -passout to set passwords to both files in example:



                openssl pkcs12 -in voip.p12 -out voip.pem -passin pass:123 -passout pass:321


                where 123 and 321 are the passwords

















                answered Jan 24 at 15:40









                Mikhailo Karpenko





























