I had to write a small program which at some point needed to encrypt a piece of
data that I intended to be able to decrypt later (at least) using OpenSSL.
So I started to review the doc about the enc command.
I saw that it was possible to use salt, key, IV and/or a passphrase.
I naively believed it would be a simple task ... but it was not so easy.
First I tried :
openssl enc -aes-128-cbc -iv ... -K ... -in ... -out ...
openssl enc -d -aes-128-cbc -iv ... -K ... -in ...
It works as expected.
I checked it was possible to retrieve the key and IV given the salt :
openssl enc -aes-128-cbc -S ... -P
It also works as expected.
I checked [unfortunately] with a passphrase :
openssl enc -aes-128-cbc -S ... -in ... -out ...
openssl enc -d -aes-128-cbc -S ... -in ...
I was happy with that and confident enough to start working.
Then I tried :
But it fails with "bad decrypt"
So I searched for errors in my code.
Then trying desperately anything and everything I was surprised that :
openssl enc -d -aes-128-cbc -in ...
I started to understand that the salt was stored with the data.
Happy again (not for long), I tried :
But this time got 'bad magic number'.
It was late and I felt down as I didn't see any 'magic', just curse !
Now the reason :
Yes, the salt is stored with the encrypted data. But not always.
And not only when it is not supplied (therefore generated).
It is stored when no key is given.
And when stored, even a good IV and key fail to decrypt.
You must enter the password (but are NOT prompted for it).
In the hope it will save some time to others,
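
Added example, not part of the original post: a Python sketch that checks whether raw `openssl enc` output starts with the "Salted__" header (the "magic number" the decrypt step looks for in passphrase mode), and derives the key and IV from a passphrase and salt the way `-P` reports them. It assumes raw output (no `-a`) and no `-pbkdf2`; the default digest depends on the OpenSSL version (MD5 before 1.1.0, SHA-256 from 1.1.0), and the function names and sample bytes are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte marker written in passphrase mode
SALT_LEN = 8
BLOCK = 16            # AES block size in bytes


def parse_enc_blob(blob: bytes) -> dict:
    """Split raw `openssl enc` output into header salt and ciphertext."""
    hdr = len(MAGIC) + SALT_LEN
    if blob.startswith(MAGIC) and len(blob) >= hdr:
        salt, body = blob[len(MAGIC):hdr], blob[hdr:]
    else:
        salt, body = None, blob   # no header: written with -K/-iv (or -nosalt)
    return {
        "salted": salt is not None,
        "salt": salt,
        "ciphertext": body,
        "block_aligned": len(body) > 0 and len(body) % BLOCK == 0,
    }


def evp_bytes_to_key(passphrase, salt, digest="sha256", key_len=16, iv_len=16):
    """Passphrase-to-key/IV derivation of `openssl enc` without -pbkdf2."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        # Each round hashes the previous digest, the passphrase and the salt.
        prev = hashlib.new(digest, prev + passphrase + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


if __name__ == "__main__":
    # Constructed sample: header + 8-byte salt + two dummy ciphertext blocks.
    sample = MAGIC + bytes(range(8)) + b"\xaa" * 32
    info = parse_enc_blob(sample)
    print("salted:", info["salted"], "salt:", info["salt"].hex())
    key, iv = evp_bytes_to_key(b"constructed-passphrase", info["salt"])
    print("key:", key.hex(), "iv:", iv.hex())
```

A file reported as salted is 16 bytes longer than the bare ciphertext, which is why one written with `-K`/`-iv` and one written with a passphrase are not interchangeable on the decrypt side.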