Simple built-in way to encrypt and decrypt a file on a Mac via command-line?

40

34

Are there any built-in command-line tools that I can use to encrypt and decrypt a text file (and provide it some sort of password)?

codecompleting

Posted 2011-12-21T20:57:39.737

Reputation: 1 039

Built in = comes with the Mac, pre-installed? – wizlog – 2011-12-21T21:02:14.447

Answers

53

openssl comes pre-installed on Mac OS X.

You can use the following commands:

# encrypt file.txt to file.enc using 256-bit AES in CBC mode
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

# the same, only the output is base64 encoded for, e.g., e-mail
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc

# decrypt binary file.enc
openssl enc -d -aes-256-cbc -in file.enc -out file.txt

# decrypt base64-encoded version
openssl enc -d -aes-256-cbc -a -in file.enc -out file.txt

(copied from OpenSSL Command-Line HOWTO: How do I simply encrypt a file?)

These commands use 256-bit AES encryption with Cipher Block Chaining (CBC), which is about as secure as it gets right now.

Dennis

Posted 2011-12-21T20:57:39.737

Reputation: 42 934

1@codecompleting Or specify -pass pass:MYSECRETPASSWORD, although the password is then of course not hidden from ps, etc. – Acumenus – 2014-11-10T05:05:09.260

If you use a salt, you will still be able to decrypt the file on a separate machine using only the password, correct? (I understand that salts are to prevent rainbow tables, I just want to be sure I'm correct that the password is all that I would need to open the file on another box.) – Wildcard – 2016-04-20T01:15:41.407

2@Wildcard Yes, the salt (actually, initialization vector) gets stored with the ciphertext in the encrypted file. – Dennis – 2016-04-20T01:40:50.677

Question? Is this lossy in any way? I'm thinking of using this for important backup, so first I'll zip -er then run this on the zip – Kolob Canyon – 2017-01-01T08:08:19.693

1@KolobCanyon Encryption is never lossy. By definition, it requires being able to decrypt the ciphertext to restore the original plaintext. Just don't forget the key. – Dennis – 2017-01-01T16:42:19.357

Your commands work well with cygwin on a PC. – chux - Reinstate Monica – 2017-03-08T20:08:50.557

It should be noted that this is not secure if you manually type in your password. You should use key derivation. – pyrho – 2020-02-09T12:22:07.007

1where do you enter your password? – codecompleting – 2012-01-10T22:38:50.763

3Once you execute any of the above openssl commands, it asks you to enter the aes-256-cbc encryption password. – Dennis – 2012-01-10T23:45:22.980
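An added example, not part of the answers or comments above, tying together three points raised in the comments: keeping the password out of the process list, using key derivation, and the salt travelling inside the encrypted file. It assumes an openssl whose enc command accepts -pbkdf2 and -iter (OpenSSL 1.1.1 or later); the function names, iteration count, passphrases and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes an openssl whose
# enc command accepts -pbkdf2 and -iter (OpenSSL 1.1.1 or later).
ITER=200000    # iteration count chosen for this example

# enc_file PASSWORD IN OUT: the password goes to openssl on stdin
# (-pass stdin), so it is not in openssl's argument list as it would be
# with -pass pass:...; printf is a shell builtin and starts no process.
enc_file() {
    printf '%s\n' "$1" | openssl enc -aes-256-cbc -salt -pbkdf2 \
        -iter "$ITER" -pass stdin -in "$2" -out "$3"
}

# dec_file PASSWORD IN OUT: must repeat -pbkdf2 and the same -iter value,
# because the file records only the salt, not the derivation settings.
dec_file() {
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter "$ITER" -pass stdin -in "$2" -out "$3" 2>/dev/null
}

# magic FILE: first 8 bytes; salted output begins with the text "Salted__".
magic() { head -c 8 "$1"; }

# salt_hex FILE: bytes 9-16, the random salt stored after the magic.
salt_hex() {
    dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# demo: encrypt a constructed file twice, decrypt, and compare.
demo() {
    d=$(mktemp -d) || return 1
    pw='constructed example passphrase'
    printf 'constructed sample plaintext\n' > "$d/file.txt"
    enc_file "$pw" "$d/file.txt" "$d/a.enc" || return 1
    enc_file "$pw" "$d/file.txt" "$d/b.enc" || return 1
    dec_file "$pw" "$d/a.enc" "$d/a.txt" || return 1
    [ "$(magic "$d/a.enc")" = "Salted__" ] || return 1   # header present
    # Same password and plaintext, but a fresh salt on every run.
    [ "$(salt_hex "$d/a.enc")" != "$(salt_hex "$d/b.enc")" ] || return 1
    cmp -s "$d/file.txt" "$d/a.txt" || return 1          # exact round trip
    # A wrong password must never reproduce the plaintext.
    dec_file 'wrong passphrase' "$d/a.enc" "$d/w.txt" || true
    if cmp -s "$d/file.txt" "$d/w.txt"; then return 1; fi
    rm -rf "$d"
}

demo && echo "round trip OK"
```

A file written this way needs -pbkdf2 and the same -iter on every machine that decrypts it, in addition to the password.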

6

I've built a shell script for that. You can use it on Mac or on Linux.

#!/bin/bash
# encrypt files with aes-256-cbc cipher using openssl

# encrypt files ("$1" is quoted so a missing argument reaches the final else branch)
if [ "$1" = "-e" ];
then
    if [ -f "$2" ];
    then
        openssl aes-256-cbc -a -e -salt -in "$2" -out "$2.aes"
    else
        echo "This file does not exist!"
    fi
# decrypt files
elif [ "$1" = "-d" ];
then
    if [ -f "$2" ];
    then
        openssl aes-256-cbc -a -d -salt -in "$2" -out "$2.decrypt"
    else
        echo "This file does not exist!"
    fi
# show help
elif [ "$1" = "--help" ];
then
    echo "This software uses openssl for encrypting files with the aes-256-cbc cipher"
    echo "Usage for encrypting: ./encrypt -e [file]"
    echo "Usage for decrypting: ./encrypt -d [file]"
else
    echo "This action does not exist!"
    echo "Use ./encrypt --help to show help."
fi

Simply save this in a text file and issue chmod +x file to make it executable. After that, use ./filename --help to get info.

persec

Posted 2011-12-21T20:57:39.737

Reputation: 61

2Needless use of -a will needlessly bloat the output file. – Acumenus – 2014-11-10T05:00:44.170

5

Mac OS X has the ability to create encrypted container files (similar to e.g. Truecrypt), that can optionally grow with the amount of data placed in them. Use Disk Utility to do this.

In Disk Utility, select File » New » Blank Disk Image… with one of the sparse image formats. Select AES-128 or AES-256 as encryption.


From the command line, the same functionality is available via the hdiutil program.

Daniel Beck

Posted 2011-12-21T20:57:39.737

Reputation: 98 421

A bit overkill for a single text file intended for command line access, isn't it? Can you open the file later via Linux et al.? – Wildcard – 2016-04-20T01:17:16.540

@Wildcard Possibly (scope has a tendency to change); and no, but wasn't part of the question. – Daniel Beck – 2016-04-20T06:18:00.017

@DanielBeck, output bit identical as Ans1? – Pacerier – 2019-03-07T17:52:00.343