Skip to content
OpenSSL file encryption / decryption POSIX shell scripts
Branch: master
Clone or download
burianvlastimil 5th attempt on OpenBSD + NetBSD compatibility
Still debugging all of the issues. Please use stable release instead of cloning the repository in the meantime.
Latest commit b80751d Oct 23, 2018

OpenSSL file encryption / decryption shell scripts

Cipher: AES-256 in CBC mode

Message digest algorithm: SHA-256

These scripts have been created for general use under the LICENSE terms.

They are standard POSIX shell scripts, so you most probably can run it in every Linux environment.

They should contain every safety measure / error check, that I thought of.

Multiple arguments (files) and / or pipes are currently not supported.

Download, Authenticity check, and Extract

  1. Download the latest release and its signature from here:

  2. Go to the download directory, where you have saved the files (note that you need the signature file too).

  3. Import my public GPG key:

    gpg --recv-keys 7D2E022E39A88ACF3EF6D4498F37AF4CE46008C3
  4. Verify autenticity of the archive:

    gpg --verify openssl-encryption.tar.xz.asc openssl-encryption.tar.xz
  5. Extract the xz packed tarball with:

    tar -xJvf openssl-encryption.tar.xz


There are basically 3 ways to install the scripts:

  1. Easy being to use the Makefile's default location, which is /usr/local/bin:

    sudo make install
  2. Advanced users may install the scripts wherever they wish, in this example to current directory's ./test sub-directory:

    make install PREFIX=./test

    Note 1: the destination directory will be created if it does not exist. Note 2: sudo is not needed in this case, so even non-root users can install them easily.

  3. Experts may avoid the Makefile altogether and copy the two files into whichever destination they wish.

Uninstallation / Removal

It is as simple as the installation method you chose.

  1. If you have chosen to use the Makefile method #1, it is as simple as:

    sudo make uninstall
  2. If you have chosen to use the Makefile method #2, it is also very easy:

    make uninstall PREFIX=./test
  3. If you have chosen to avoid the makefile, you are advanced enough to handle this.


  1. Encryption

    encrypt-file-aes256 filename

    will always produce the filename with .enc extension, even if you encrypt a file multiple files, for instance the following file:


    has been encrypted 3 times.

  2. Decryption

    decrypt-file-aes256 filename.enc

    will strip the defined .enc extension and produce a file named:


    Note, that it is entirely possible to decrypt files without the defined extension. In this case we will append .dec to the filename and produce for example:


Exit codes

0 - Successful encryption / decryption.

1 - Some error occurred.


I did the following tests so far:

  • every fail exit code has been tested: PASS

  • encrypting / decrypting a very small file, 1 KB: PASS

  • encrypting / decrypting a medium size file, 15 GB: PASS

  • encrypting / decrypting a very large file, 750 GB: PASS

If you like the script, consider donating any amount to my cryptocurrency accounts



Bitcoin Cash




Ethereum Classic




Thank you!

Reporting bugs and suggestions

Please open a new issue ticket.

You can’t perform that action at this time.