Master OpenSSL: From SSL/TLS Basics to Practical Encryption Commands
This guide explains the fundamentals of SSL/TLS, why transport‑layer encryption is used, and provides step‑by‑step Linux OpenSSL commands for symmetric and asymmetric encryption, decryption, hashing, password generation, random data creation, and Base64 encoding, complete with examples and key options.
Linux OpenSSL Overview
OpenSSL is an open‑source toolkit that implements SSL/TLS protocols and provides a rich set of command‑line utilities for encryption, decryption, hashing, and certificate management on Linux systems.
SSL/TLS Basics
SSL (Secure Sockets Layer) originally provided encrypted transport for application data. It has been superseded by TLS (Transport Layer Security), which offers stronger algorithms and broader adoption.
Encrypting at the transport layer gives selective protection for chosen applications, ensures end‑to‑end security, and prevents intermediate devices from reading the data.
OpenSSL Command‑Line Basics
The openssl executable is installed by default on most Linux distributions. Running openssl version shows the installed version.
Symmetric Encryption
Encrypt a file with a chosen algorithm (e.g., DES‑3) and Base64 output:
openssl enc -e -des3 -a -salt -in file1 -out file1.cipher
Key flags:
-salt adds a random salt to the encryption process.
-des3 selects the DES‑3 algorithm; other algorithms are listed in man openssl enc.
-a encodes the ciphertext in Base64.
Symmetric Decryption
Decrypt a previously encrypted file using the same algorithm:
openssl enc -d -des3 -a -salt -in file1.cipher -out file1_new
The algorithm must match the one used for encryption.
The same password is required for both encryption and decryption.
Asymmetric Encryption
Generate a private RSA key:
openssl genrsa -out private.key
Extract the corresponding public key:
openssl rsa -in private.key -pubout -out public.key
Encrypt with the public key:
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out ciphertext.bin
Decrypt with the private key:
openssl rsautl -decrypt -inkey private.key -in ciphertext.bin -out decrypted.txt
One‑Way Hash (Digest)
Generate a hash (default SHA‑256) for a file:
openssl dgst file1
Options allow selecting other algorithms; the output is a fixed‑length hexadecimal digest that verifies data integrity.
Generating User Password Hashes
OpenSSL can create password hashes for system accounts. Example using SHA‑512 with a random salt:
openssl passwd -6 mypassword
Other options:
-6: SHA‑512 (default salt).
-5: SHA‑256 (default salt).
-1: MD5 (default salt).
Generating Random Numbers
Produce random bytes in hexadecimal or Base64 format:
openssl rand -hex 16 # 16 bytes → 32‑character hex string
openssl rand -base64 16 # 16 bytes → Base64 string
The -hex flag outputs each byte as two hex characters; -base64 encodes the raw bytes using the Base64 alphabet.
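The enc, dgst and rand commands above combined into one round-trip check, as an added example that is not part of the original article: it encrypts a constructed sample file, decrypts it with the right and with a wrong passphrase, and compares SHA-256 digests. The -pass file: option, the function names and the scratch-directory layout are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). File names follow the
# article; the function names and the sample plaintext are constructed here.

# SHA-256 digest of a file, read from stdin so no file name is in the output.
file_digest() {
    openssl dgst -sha256 < "$1"
}

# Encrypt a sample file with the article's enc flags, decrypt it with the
# passphrase file named by $1 ("good" or "bad"), and print "match" when the
# digest of the decrypted file equals the digest of the original.
roundtrip() {
    dir=$(mktemp -d) || return 2            # private scratch directory
    printf 'constructed sample plaintext\n' > "$dir/file1"

    # Random passphrases kept in files, so they never show up in argv.
    openssl rand -base64 16 > "$dir/good"
    openssl rand -base64 16 > "$dir/bad"

    # OpenSSL 1.1.1 and later warn on stderr that this key derivation is
    # deprecated (the -pbkdf2 option selects PBKDF2); silenced here.
    openssl enc -e -des3 -a -salt -pass "file:$dir/good" \
        -in "$dir/file1" -out "$dir/file1.cipher" 2>/dev/null \
        || { rm -rf "$dir"; echo error; return 1; }

    # A wrong passphrase usually stops with "bad decrypt", but a padding
    # check can pass by chance, so the digest comparison is what decides.
    openssl enc -d -des3 -a -salt -pass "file:$dir/$1" \
        -in "$dir/file1.cipher" -out "$dir/file1_new" 2>/dev/null || true

    orig=$(file_digest "$dir/file1")
    new=$(file_digest "$dir/file1_new" 2>/dev/null) || true
    if [ -n "$orig" ] && [ "$orig" = "$new" ]; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

roundtrip good    # prints: match
roundtrip bad     # prints: mismatch
```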
Base64 Encoding Introduction
Base64 encodes arbitrary binary data into an ASCII string using 64 printable characters, making it safe for protocols that only support text (e.g., SMTP, HTTP).
Encoding Principle
Group input bytes in blocks of three (24 bits).
Split each block into four groups of six bits.
Map each 6‑bit value to a character from the Base64 alphabet.
If the final block contains fewer than three bytes, pad with = characters.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
