c - How to provide string IV and Key to openssl decrypt command?

I am using the encrypt and decrypt functions from the following wiki: https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption

It uses AES-256-cbc algorithm with key = "01234567890123456789012345678901" and iv = "0123456789012345". I am able to encrypt my text, write it to a file encrypted.enc and decrypt it back from the file.

I simply wrote the encrypted ciphertext to file using the following code:

fd = fopen ("/var/local/encrypted.enc", "w");
fwrite ((const char *)ciphertext, sizeof(char), ciphertext_len, fd);
fclose(fd);

Now I want to decrypt this file from bash prompt (not using the above code). I tried different flags but couldn't figure out how to do that exactly.

I tried this:

openssl enc -aes-256-cbc -d -out decrypted.txt -in encrypted.enc -iv 0123456789012345 -k 01234567890123456789012345678901

but got errors regarding width of hexadecimal. So, I converted these values to hex and tried that:

openssl enc -aes-256-cbc -d -out decrypted.txt -in encrypted.enc -iv 30313233343536373839303132333435 -k 3031323334353637383930313233343536373839303132333435363738393031

But now I am getting "Bad Magic Number" error...

How do I decrypt the file using openssl utility?

question from:https://stackoverflow.com/questions/65918428/how-to-provide-string-iv-and-key-to-openssl-decrypt-command


1 Reply


The openssl enc command by default uses a randomly generated salt value when encrypting. It starts the output with that value, preceded by a "magic number" that represents the characters Salted__. Taking the enc version of your command, you can see that illustrated here:

$ printf 1234567890123456 | openssl enc -aes-256-cbc -iv 0123456789012345 -k 01234567890123456789012345678901 | hexdump -C
00000000  53 61 6c 74 65 64 5f 5f  ed 6c b5 aa e2 92 4a 00  |Salted__.l....J.|
00000010  68 f7 b2 40 d2 44 44 8b  fa 4c 05 95 99 cf 76 32  |h..@.DD..L....v2|
00000020  4e 15 37 65 93 00 d6 b2  ff 4d 1b 6c af 46 64 f6  |N.7e.....M.l.Fd.|
00000030

When decrypting, this same magic number is expected. Your file does not contain it, hence the error. This is an OpenSSL proprietary thing.

It is possible (but not recommended) to avoid the salting, using the -nosalt option:

$ printf 1234567890123456 | openssl enc -aes-256-cbc  -iv 0123456789012345 -k 01234567890123456789012345678901 -nosalt | hexdump -C
00000000  54 05 6a fb c3 60 a9 32  3d 2e e0 4c 2a 21 4a a1  |T.j..`.2=..L*!J.|
00000010  3c a7 34 f3 8f c4 15 33  99 dd 08 f7 e5 ef ea 57  |<.4....3.......W|
00000020

Using that same -nosalt option on your decryption command, you should no longer get that bad magic number. You may still run into other issues, depending on what kind of padding (if any) you used when encrypting your data, but you did not give enough information to draw any conclusions on that.


As mentioned in the comments, there is a difference between -k lowercase and -K uppercase. It is relevant for your situation and you are probably using the wrong one. Check out the openssl enc man page for more info, and to read more about the -nosalt option as well.
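
The -k versus -K difference mentioned above, as an added example that is not part of the original answer: it hex-encodes the question's key and IV strings, encrypts and decrypts with -K and -iv, and checks which output carries the Salted__ header. The function names and the sample plaintext are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example. Key/IV are the demo strings from the question; never use them for real data.
KEY_STR='01234567890123456789012345678901'   # 32 ASCII bytes -> AES-256 key
IV_STR='0123456789012345'                    # 16 ASCII bytes -> CBC IV

# Hex-encode the bytes of a string, which is the form -K and -iv expect.
to_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# -K (uppercase) takes the raw key: no password, no key derivation, no salt header.
raw_encrypt() {
  openssl enc -aes-256-cbc -K "$(to_hex "$KEY_STR")" -iv "$(to_hex "$IV_STR")"
}
raw_decrypt() {
  openssl enc -aes-256-cbc -d -K "$(to_hex "$KEY_STR")" -iv "$(to_hex "$IV_STR")"
}

# True if the file begins with the 8-byte "Salted__" magic (53 61 6c 74 65 64 5f 5f).
has_salt_header() {
  [ "$(head -c 8 "$1" | od -An -v -tx1 | tr -d ' \n')" = '53616c7465645f5f' ]
}

demo() {
  tmp=$(mktemp -d) || return 1
  msg='constructed sample plaintext'
  printf '%s' "$msg" | raw_encrypt > "$tmp/raw.enc"
  # -k (lowercase) treats the same string as a password and derives key material from it.
  printf '%s' "$msg" | openssl enc -aes-256-cbc -k "$KEY_STR" -out "$tmp/pw.enc" 2>/dev/null
  for f in raw.enc pw.enc; do
    if has_salt_header "$tmp/$f"; then echo "$f: Salted__ header (password mode)"
    else echo "$f: no header (raw key mode)"; fi
  done
  printf 'decrypted raw.enc: %s\n' "$(raw_decrypt < "$tmp/raw.enc")"
  rm -rf "$tmp"
}
demo
```

A file written by the wiki's EVP code with its default padding has the same layout as raw.enc here, so `raw_decrypt < /var/local/encrypted.enc` is the matching decrypt call under that assumption.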

