[Linux] Encrypting and decrypting files with OpenSSL

Encrypting and decrypting files with OpenSSL

Test environment

$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

$ getconf LONG_BIT
64

OpenSSL version

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

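Supported ciphers (Cipher Types | Valid ciphername values)

openssl enc -ciphers (? -ciphers is an unknown option here, so openssl printed the list of valid options instead, including the Cipher Types)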

$ openssl enc -ciphers
unknown option '-ciphers'
options are
-in <file>     input file
-out <file>    output file
-pass <arg>    pass phrase source
-e             encrypt
-d             decrypt
-a/-base64     base64 encode/decode, depending on encryption flag
-k             passphrase is the next argument
-kfile         passphrase is the first line of the file argument
-md            the next argument is the md to use to create a key
                 from a passphrase. See openssl dgst -h for list.
-S             salt in hex is the next argument
-K/-iv         key/iv in hex is the next argument
-[pP]          print the iv/key (then exit if -P)
-bufsize <n>   buffer size
-nopad         disable standard block padding
-engine e      use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc               -aes-128-cbc-hmac-sha1     -aes-128-cbc-hmac-sha256
-aes-128-ccm               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-gcm               -aes-128-ofb               -aes-128-xts
-aes-192-cbc               -aes-192-ccm               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
-aes-192-ecb               -aes-192-gcm               -aes-192-ofb
-aes-256-cbc               -aes-256-cbc-hmac-sha1     -aes-256-cbc-hmac-sha256
-aes-256-ccm               -aes-256-cfb               -aes-256-cfb1
-aes-256-cfb8              -aes-256-ctr               -aes-256-ecb
-aes-256-gcm               -aes-256-ofb               -aes-256-xts
-aes128                    -aes192                    -aes256
-bf                        -bf-cbc                    -bf-cfb
-bf-ecb                    -bf-ofb                    -blowfish
-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1
-camellia-128-cfb8         -camellia-128-ecb          -camellia-128-ofb
-camellia-192-cbc          -camellia-192-cfb          -camellia-192-cfb1
-camellia-192-cfb8         -camellia-192-ecb          -camellia-192-ofb
-camellia-256-cbc          -camellia-256-cfb          -camellia-256-cfb1
-camellia-256-cfb8         -camellia-256-ecb          -camellia-256-ofb
-camellia128               -camellia192               -camellia256
-cast                      -cast-cbc                  -cast5-cbc
-cast5-cfb                 -cast5-ecb                 -cast5-ofb
-des                       -des-cbc                   -des-cfb
-des-cfb1                  -des-cfb8                  -des-ecb
-des-ede                   -des-ede-cbc               -des-ede-cfb
-des-ede-ofb               -des-ede3                  -des-ede3-cbc
-des-ede3-cfb              -des-ede3-cfb1             -des-ede3-cfb8
-des-ede3-ofb              -des-ofb                   -des3
-desx                      -desx-cbc                  -id-aes128-CCM
-id-aes128-GCM             -id-aes128-wrap            -id-aes128-wrap-pad
-id-aes192-CCM             -id-aes192-GCM             -id-aes192-wrap
-id-aes192-wrap-pad        -id-aes256-CCM             -id-aes256-GCM
-id-aes256-wrap            -id-aes256-wrap-pad        -id-smime-alg-CMS3DESwrap
-idea                      -idea-cbc                  -idea-cfb
-idea-ecb                  -idea-ofb                  -rc2
-rc2-40-cbc                -rc2-64-cbc                -rc2-cbc
-rc2-cfb                   -rc2-ecb                   -rc2-ofb
-rc4                       -rc4-40                    -rc4-hmac-md5
-rc5                       -rc5-cbc                   -rc5-cfb
-rc5-ecb                   -rc5-ofb                   -seed
-seed-cbc                  -seed-cfb                  -seed-ecb
-seed-ofb

[Mac] The openssl enc -help command

$ openssl enc -help
usage: enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
    [-in file] [-iv IV] [-K key] [-k password]
    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]
    [-out file] [-pass arg] [-S salt] [-salt]

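Encryption command

-e Encrypt the input data (default)

-K takes the raw key in hex and -iv the IV in hex. A -K value shorter than the cipher's key length, such as 1234 below, is padded with zero bytes up to 128 bits.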

$ file ldap-20210705.tar.gz
ldap-20210705.tar.gz: gzip compressed data, from Unix, last modified: Mon Jul  5 21:28:50 2021
$ openssl enc -aes-128-cbc -in ldap-20210705.tar.gz -out enc_ldap-20210705.tar.gz -K 1234 -iv 00000000000000000000000000000000
$ file enc_ldap-20210705.tar.gz
enc_ldap-20210705.tar.gz: data

Decryption command

-d Decrypt the input data

$ openssl enc -d -aes-128-cbc -in enc_ldap-20210705.tar.gz -out dec_ldap-20210705.tar.gz -K 1234 -iv 00000000000000000000000000000000
$ file dec_ldap-20210705.tar.gz
dec_ldap-20210705.tar.gz: gzip compressed data, from Unix, last modified: Mon Jul  5 21:28:50 2021

Decryption errors

When the password (the -K key) is different

$ openssl enc -d -aes-128-cbc -in enc_ldap-20210705.tar.gz -out dec_ldap-20210705.tar.gz -K 12345 -iv 00000000000000000000000000000000
bad decrypt
139841944201104:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:592:

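When the hex value (the -iv) is different

openssl reports no error in this case. In CBC mode the IV only affects the first 16-byte block, and the padding check looks at the last block, so decryption completes and the damage only shows up when the archive is extracted.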

$ openssl enc -d -aes-128-cbc -in enc_ldap-20210705.tar.gz -out dec_ldap-20210705.tar.gz -K 1234 -iv 00000000000000000000000000000011

$ tar xvfz dec_ldap-20210705.tar.gz

gzip: stdin: invalid compressed data--format violated
tar: Child returned status 1
tar: Error is not recoverable: exiting now
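
The wrong-IV case above exits cleanly because CBC carries no integrity check. As an added example (not from the original post; function names, temporary files and the random sample data are constructed), this script uses full-length random key and IV values and an HMAC-SHA256 tag over the IV and ciphertext, so a wrong IV is rejected before anything is decrypted:

```shell
#!/bin/sh
# Added example; function names, file names and sample data are constructed.

# AES-128-CBC with an explicit hex key ($3) and hex IV ($4), as on the page.
enc_file() { openssl enc -aes-128-cbc -in "$1" -out "$2" -K "$3" -iv "$4"; }
dec_file() { openssl enc -d -aes-128-cbc -in "$1" -out "$2" -K "$3" -iv "$4" 2>/dev/null; }

# SHA-256 of a file, hex digits only.
digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# HMAC-SHA256 over IV || ciphertext (encrypt-then-MAC); $3 is a separate MAC key.
mac_tag() {
    { printf '%s' "$2"; cat "$1"; } | openssl dgst -sha256 -hmac "$3" -r | cut -d' ' -f1
}

# Decrypt only when the tag matches, so a wrong IV or altered ciphertext is
# rejected (status 2) instead of producing silently corrupted output.
# Arguments: ciphertext out enc_key iv mac_key expected_tag
verified_dec() {
    [ "$(mac_tag "$1" "$4" "$5")" = "$6" ] || return 2
    dec_file "$1" "$2" "$3" "$4"
}

# Highest 1-based offset at which two files differ (0 when identical).
last_diff_offset() {
    { cmp -l "$1" "$2" || true; } | awk '{ n = $1 } END { print n + 0 }'
}

demo() {
    d=$(mktemp -d) || return 1
    openssl rand -out "$d/plain" 4096            # constructed sample input
    key=$(openssl rand -hex 16)                  # full 128-bit key, not "1234"
    iv=$(openssl rand -hex 16)                   # fresh IV for every file
    other_iv=$(openssl rand -hex 16)
    mac_key=$(openssl rand -hex 32)
    enc_file "$d/plain" "$d/ct" "$key" "$iv"
    tag=$(mac_tag "$d/ct" "$iv" "$mac_key")

    dec_file "$d/ct" "$d/bad" "$key" "$other_iv" && echo "wrong IV: openssl exit 0"
    echo "corruption ends at byte $(last_diff_offset "$d/plain" "$d/bad")"
    verified_dec "$d/ct" "$d/x" "$key" "$other_iv" "$mac_key" "$tag" \
        || echo "wrong IV: rejected by HMAC check (status $?)"
    verified_dec "$d/ct" "$d/ok" "$key" "$iv" "$mac_key" "$tag" || { rm -rf "$d"; return 1; }
    [ "$(digest "$d/plain")" = "$(digest "$d/ok")" ] && echo "round trip verified"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

The IV is not secret and can be stored next to the ciphertext together with the tag; the encryption key and the MAC key must be kept separately from both.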

 
