Cheat sheet — Cryptography with openssl¶
Companion to Module 09 — Cryptography Basics · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Hashing (one-way — integrity, not secrecy)¶
openssl dgst -sha256 file.txt # hash a file
echo -n "string" | openssl dgst -sha256 # hash a string (-n: don't hash the trailing newline)
openssl dgst -md5 file.txt # MD5 — broken; only for matching legacy hashes
The algorithm is always a flag named after itself: -sha256, -sha1, -md5, -sha512. Output
matches the system sha256sum / shasum -a 256 tools.
Base64 (encoding, not encryption — no key, anyone reverses it)¶
Symmetric encryption (AES — one shared password)¶
echo -n "secret" | openssl enc -aes-256-cbc -pbkdf2 -base64 # encrypt (prompts for password)
echo "U2FsdGVkX1..." | openssl enc -aes-256-cbc -pbkdf2 -base64 -d # decrypt
openssl enc -list # list available ciphers
- Always pass
-pbkdf2with a password — without it you get weak legacy key derivation (and a warning). - Same input + same password ≠ same output. Password mode adds a random salt per run and derives
a fresh key from it — output starting
U2FsdGVkX1is Base64 forSalted__. That's a feature: deterministic ciphertext leaks which messages are equal. Only demos should use a fixed raw key (-K <hex> -nosalt), which is also how you show why ECB mode is broken. openssl encrefuses AEAD modes (GCM) — for authenticated encryption use a library (e.g. Pythoncryptography'sAESGCM).
Asymmetric encryption (RSA keypair)¶
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem # private key
openssl pkey -in private.pem -pubout -out public.pem # derive public key
echo -n "secret" | openssl pkeyutl -encrypt -pubin -inkey public.pem -out ct.bin # public encrypts
openssl pkeyutl -decrypt -inkey private.pem -in ct.bin # private decrypts
pkeyutlreplaces the deprecatedrsautl;genpkey/pkeyreplacegenrsa/rsa.- RSA only fits tiny payloads (~200 bytes at 2048-bit). Real systems are hybrid: RSA/ECDH exchanges a symmetric key, AES encrypts the data.
TLS certificates¶
# quick facts: who issued it, for whom, valid when
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
# full dump (SANs, key size, signature algorithm, chain)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -text
openssl x509 -in cert.pem -noout -text # inspect a local cert file
-servername sets SNI so multi-domain hosts return the right cert; `
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).