Skip to content
Latchkey

openssl enc: Symmetric Encryption in Scripts

openssl enc encrypts or decrypts a file with a password-derived symmetric key.

A common pattern is encrypting a secrets bundle into the repo and decrypting it in CI with a key from the environment. Use a modern KDF.

What it does

openssl enc applies a symmetric cipher such as AES-256-CBC, deriving the key from a password with a KDF. -d decrypts. Modern usage pairs -pbkdf2 with -salt so the derivation is sound.

Common usage

Terminal
openssl enc -aes-256-cbc -pbkdf2 -salt \
  -in secrets.env -out secrets.enc -pass pass:"$KEY"
openssl enc -aes-256-cbc -pbkdf2 -d \
  -in secrets.enc -out secrets.env -pass pass:"$KEY"

Options

FlagWhat it does
-aes-256-cbcCipher to use
-pbkdf2Use PBKDF2 for key derivation (recommended)
-saltAdd a random salt (default on; -nosalt disables)
-dDecrypt instead of encrypt
-pass pass:<x> / -pass env:VARSupply the password non-interactively
-iter <n>PBKDF2 iteration count

In CI

OpenSSL 1.1.0+ warns and historically defaulted to a weak MD5-based KDF without -pbkdf2; files encrypted with one set of options must be decrypted with the same options. Encrypt and decrypt with identical -pbkdf2/-iter flags or decryption fails.

Common errors in CI

"bad decrypt" with "error:...:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt" means the wrong password or mismatched KDF flags between encrypt and decrypt. "hex string is too short" means a bad -K/-iv. On 3.x, a file encrypted with an old default cipher may need -provider legacy.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →