Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

OpenSSL file encryption / decryption shell scripts

Encryption cipher is AES-256 in CBC mode.

Message digest is SHA-512 (from SHA-2 family); this had changed from SHA-256 used before version 2.0.

They are standard POSIX shell scripts, which should work in any Linux distribution (more precisely, your shell).

Multiple arguments (files) and / or pipes are currently not supported.

Requirements (dependencies)

openssl >= 1.1.1, df, du, tail, awk

Download, Authenticity check, and Extract

  1. Download the latest release and its signature from here:

  2. Go to the download directory, where you have saved the files (note that you need the signature file too).

  3. Import my public GPG key:

    gpg --recv-keys 7D2E022E39A88ACF3EF6D4498F37AF4CE46008C3
  4. Verify autenticity of the archive:

    gpg --verify openssl-encryption.tar.xz.asc openssl-encryption.tar.xz
  5. Extract the xz packed tarball with:

    tar -xJvf openssl-encryption.tar.xz


There are basically 3 ways to install the scripts:

  1. Easy being to use the Makefile's default location, which is /usr/local/bin:

    sudo make install
  2. Advanced users may install the scripts wherever they wish, in this example to current directory's ./test sub-directory:

    make install PREFIX=./test

    Note 1: the destination directory will be created if it does not exist. Note 2: sudo is not needed in this case, so even non-root users can install them easily.

  3. Experts may avoid the Makefile altogether and copy the two files into whichever destination they wish.

Uninstallation / Removal

It is as simple as the installation method you chose.

  1. If you have chosen to use the Makefile method #1, it is as simple as:

    sudo make uninstall
  2. If you have chosen to use the Makefile method #2, it is also very easy:

    make uninstall PREFIX=./test
  3. If you have chosen to avoid the makefile, you are advanced enough to handle this.


  1. Encryption

    encrypt-file-aes256 filename

    will always produce the filename with .enc extension, even if you encrypt a file multiple files, for instance the following file:


    has been encrypted 3 times.

  2. Decryption

    decrypt-file-aes256 filename.enc

    will strip the defined .enc extension and produce a file named:


    Note, that it is entirely possible to decrypt files without the defined extension. In this case we will append .dec to the filename and produce for example:


Exit codes

0 - Successful encryption / decryption.

1 - Some error occurred.


I did the following tests so far:

  • every fail exit code has been tested: PASS

  • encrypting / decrypting a very small file, 1 KB: PASS

  • encrypting / decrypting a medium size file, 15 GB: PASS

  • encrypting / decrypting a very large file, 750 GB: PASS

Reporting bugs and suggestions

Please open a new issue ticket.