Openssl passing a binary pass phrase as an argument


This openssl command is working fine for me.

openssl aes-128-ecb -d -in encrypted_base64.txt -K 4D1D75237C31E7732030C69F209F23154418373335E049C4F567C7B6D422ABD0 -base64

How would I do the equivalent with a passphrase file? I'm attempting this:

openssl aes-128-ecb -d -in encrypted_base64.txt -pass file:data_key_plaintext.bin -base64

And I get a bad magic number. data_key_plaintext.bin contains the bytes of the -K of the working command. e.g.

> hexdump data_key_plaintext.bin
0000000 4d 1d 75 23 7c 31 e7 73 20 30 c6 9f 20 9f 23 15
0000010 44 18 37 33 35 e0 49 c4 f5 67 c7 b6 d4 22 ab d0
0000020

The openssl documentation says

file:pathname – the first line of pathname is the password

How would this apply to a binary pass phrase?

Best Answer

A passphrase specified by -pass is different from the actual key for encryption specified by -K. openssl processes a passphrase with hash functions to derive an actual key with specific bit length. So passphrases are usually short and memorable strings using only printable characters.

You can see actual keys, IVs, and salts with -P. Note that your key gets truncated to 128-bit key length with aes-128-ecb. Also note that -ecb mode is weak and not suitable for common use.

$ openssl aes-128-ecb -P -K 4D1D75237C31E7732030C69F209F23154418373335E049C4F567C7B6D422ABD0
salt=EA7B538100000000
key=4D1D75237C31E7732030C69F209F2315
$ openssl aes-256-cbc -P -pass pass:secret
salt=332A7608A01A609A
key=1B27C46F481CFA793C665EEFC3C5B6867735CD326840C598AA6EBCCA5829D066
iv =CE223BAEDAA625C02A397D3E1FCE8E75

According to the manual -K doesn't support file input. You might want to do something like this:

openssl aes-128-ecb -d -in encrypted_base64.txt -K $(hexdump -v -e '/1 "%02X"' data_key_plaintext.bin) -base64
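
An added example, not part of the original question or answer: it shows that data encrypted with -pass starts with the 8-byte "Salted__" header while data encrypted with -K does not (which is why the -pass attempt reports a bad magic number), and decrypts with a raw key read from a binary file. The key bytes, the passphrase "secret", the plaintext and the file names are constructed for the demo, and od/tr are used here in place of hexdump.

```shell
#!/bin/sh
# Added example: sample key, passphrase and file names are constructed.

# Hex-encode a file one byte at a time, in file order (POSIX od + tr).
key_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Decrypt base64 AES-128-ECB data with the raw key held in a binary file.
# $1 = key file, $2 = ciphertext file. AES-128 takes 16 bytes = 32 hex digits,
# so a longer key file is cut to its first 16 bytes, matching the truncation
# the answer describes for -K.
decrypt_with_keyfile() {
    openssl aes-128-ecb -d -base64 -in "$2" -K "$(key_hex "$1" | cut -c1-32)"
}

# Print the first 8 bytes of the decoded ciphertext as hex.
# 53616c7465645f5f is "Salted__", the header written when -pass is used.
magic_hex() {
    openssl base64 -d -in "$1" | od -An -v -tx1 -N 8 | tr -d ' \n'
}

# Build one ciphertext with -K and one with -pass in directory $1.
make_samples() {
    printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017' > "$1/key.bin"
    printf 'hello raw key\n' |
        openssl aes-128-ecb -e -base64 -K "$(key_hex "$1/key.bin")" -out "$1/raw.b64"
    printf 'hello raw key\n' |
        openssl aes-128-ecb -e -base64 -pass pass:secret -out "$1/pass.b64" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    echo "-K file starts with:     $(magic_hex "$dir/raw.b64")"
    echo "-pass file starts with:  $(magic_hex "$dir/pass.b64")"
    echo "decrypted with key file: $(decrypt_with_keyfile "$dir/key.bin" "$dir/raw.b64")"
    rm -rf "$dir"
}
demo
```

A key passed with -K appears in the process arguments for as long as openssl runs, so other local users may be able to read it.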