Storing sensitive information like passwords in plain text is a serious security risk. Linux provides powerful built-in tools, such as OpenSSL, to encrypt data and protect it.
In this guide we use OpenSSL on Linux (Kali) to encrypt a password file with AES-256-CBC encryption and decrypt it again when the password is needed.
Prerequisites
Before starting, make sure you have:
- A Linux system (Kali, Ubuntu, Rocky Linux, etc.)
- OpenSSL installed (check with: openssl version)
- Basic knowledge of Linux commands
- Permission to create files in your home directory
Create and Protect a Secret Key
First, we store a secret key in a hidden file and restrict its permissions so only the owner can read or write it:
printf "mysecretkey" > ~/.key
chmod 600 ~/.key
Output
┌──(krishna㉿kali)-[~]
└─$ echo "mysecretkey" > ~/.key
┌──(krishna㉿kali)-[~]
└─$ cat ~/.key
mysecretkey
┌──(krishna㉿kali)-[~]
└─$ chmod 600 ~/.key
The chmod 600 command ensures only the file owner has read and write access. Group members and other users have no access at all.
Create the Password File
Write the password you want to protect into a plain text file:
echo "123456" > pass.txt
Encrypt the Password File
Encrypt the file using OpenSSL:
openssl enc -aes-256-cbc -salt -pbkdf2 -in pass.txt -out pass.txt.enc -pass file:/home/krishna/.key
Output
┌──(krishna㉿kali)-[~]
└─$ ls -ltr
total 8
-rw-rw-r-- 1 krishna krishna 7 Mar 28 11:47 pass.txt
-rw-rw-r-- 1 krishna krishna 32 Mar 28 11:56 pass.txt.enc
┌──(krishna㉿kali)-[~]
└─$ cat pass.txt.enc
Salted__▒q▒/▒▒<A,▒▒
7▒ۤb▒▒6
Let’s break down each flag:
- -aes-256-cbc — Use AES with a 256-bit key in CBC (Cipher Block Chaining) mode
- -salt — Adds a random salt so that encrypting the same input twice does not produce identical output
- -pbkdf2 — Uses Password-Based Key Derivation Function 2 to strengthen the encryption key
Remove the Plain Text Password File (Important)
After encryption, it’s a good practice to delete the original unencrypted file:
rm -rf pass.txt
This ensures:
- No plain-text password remains on the system
- The risk is reduced if someone gains access to the machine
- Only the encrypted file (pass.txt.enc) is kept
Decrypt the Password File
To retrieve the original password, decrypt using the key file:
apps_password=$(openssl enc -aes-256-cbc -d -pbkdf2 -in pass.txt.enc -pass file:/home/krishna/.key)
echo $apps_password
The -d flag tells OpenSSL to decrypt (not encrypt). The -pass file: option reads the decryption password from the key file instead of prompting the user.
Output
┌──(krishna㉿kali)-[~]
└─$ echo $apps_password
123456
Key Concepts Summary
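The whole workflow above (protect the key file, encrypt, remove the plain text, decrypt) as one script, added here as an example and not code from the original post. It assumes a POSIX shell, GNU stat and openssl 1.1.1 or newer, refuses to use a key file that is not mode 600, and checks the round trip; the -iter value and the key/password values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): openssl enc round trip with a
# permission check on the key file. Assumes POSIX sh, GNU stat, openssl >= 1.1.1.
set -eu

WORK=$(mktemp -d)               # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Constructed demo key and password (not real credentials).
KEYFILE="$WORK/.key"
printf 'mysecretkey\n' > "$KEYFILE"   # -pass file: reads only the first line
chmod 600 "$KEYFILE"

# True only if $1 is a regular file with mode 600 (owner read/write only).
key_is_protected() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Encrypt plaintext $2 into $3 with the passphrase in key file $1.
# -iter raises the PBKDF2 work factor above the default and implies -pbkdf2;
# the same count must be used when decrypting.
encrypt_file() {
    key_is_protected "$1" || { echo "refusing: $1 is not mode 600" >&2; return 1; }
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -in "$2" -out "$3" -pass "file:$1"
}

# Decrypt ciphertext $2 with key file $1 and print the plaintext to stdout.
decrypt_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 \
        -in "$2" -pass "file:$1"
}

printf '123456\n' > "$WORK/pass.txt"
encrypt_file "$KEYFILE" "$WORK/pass.txt" "$WORK/pass.txt.enc"
rm -f "$WORK/pass.txt"                 # keep only the encrypted copy

apps_password=$(decrypt_file "$KEYFILE" "$WORK/pass.txt.enc")
[ "$apps_password" = "123456" ] && echo "round trip OK"

# With a wrong key the PKCS#7 padding check fails and openssl exits non-zero
# (CBC gives no real integrity guarantee, so this is a sanity check only).
printf 'wrongkey\n' > "$WORK/.wrong"
if decrypt_file "$WORK/.wrong" "$WORK/pass.txt.enc" >/dev/null 2>&1; then
    echo "unexpected: wrong key decrypted" >&2
else
    echo "wrong key rejected"
fi
```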
- AES-256-CBC – Industry-standard symmetric encryption algorithm
- chmod 600 – Restricts file access to the owner only (read + write)
- -pbkdf2 – Strengthens the key derivation, not a decryption flag
- -d – The actual flag used to decrypt in OpenSSL