Storing sensitive information like passwords in plain text is a serious security risk. Linux provides powerful built-in tools, such as OpenSSL, to encrypt and protect sensitive data.
In this tutorial we will learn how to use OpenSSL on Linux (Kali) to encrypt a password file with AES-256-CBC, and how to decrypt it again later.
Prerequisites
Before starting, make sure you have:
- A Linux system (Kali, Ubuntu, Rocky Linux, etc.)
- OpenSSL installed (verify with: openssl version)
- Basic knowledge of Linux commands
- Permission to create files in your home directory
Create and Protect a Secret Key
First, we store a secret key in a hidden file and restrict its permissions so only the owner can read or write it:
┌──(krishna㉿kali)-[~]
└─$ openssl rand -base64 32 > ~/.key
┌──(krishna㉿kali)-[~]
└─$ chmod 600 ~/.key
The chmod 600 command ensures only the file owner has read and write access. Group members and other users have no access at all.
Important Security Notes
- If the .key file is lost, the encrypted data cannot be recovered.
- If the .key file is exposed, your encryption becomes useless.
- Always store the key securely (e.g., restricted access, backups).
Create the Password File
Create a plain text file containing the password you want to protect.
echo "123456" > pass.txt
Encrypt the Password File
openssl enc -aes-256-cbc -salt -pbkdf2 -in pass.txt -out pass.txt.enc -pass file:/home/krishna/.key
Output
The encrypted file will look like unreadable binary data:
┌──(krishna㉿kali)-[~]
└─$ ls -ltr
total 8
-rw-rw-r-- 1 krishna krishna 7 Mar 28 11:47 pass.txt
-rw-rw-r-- 1 krishna krishna 32 Mar 28 11:56 pass.txt.enc
┌──(krishna㉿kali)-[~]
└─$ cat pass.txt.enc
Salted__▒q▒/▒▒<A,▒▒
7▒ۤb▒▒6
Let’s break down each flag:
- -aes-256-cbc – Encryption algorithm (AES with a 256-bit key in CBC mode)
- -salt – Adds a random salt so the same key produces different ciphertext on every run
- -pbkdf2 – Strengthens the password-based key derivation
- -in – Input file
- -out – Output file
- -pass file: – Reads the passphrase from the given file (its first line)
Remove the Plain Text Password File (Important)
After encryption, it’s a good practice to delete the original unencrypted file:
rm pass.txt
This ensures:
- No plain-text password remains on the system.
- Anyone who gains unauthorized access to the machine finds only ciphertext, not the password.
- Only the encrypted file (pass.txt.enc) is kept.
Decrypt the Password File
To retrieve the original password, decrypt using the key file:
apps_password=$(openssl enc -aes-256-cbc -d -pbkdf2 -in pass.txt.enc -pass file:/home/krishna/.key)
echo $apps_password
The -d flag tells OpenSSL to decrypt. The -pass file: option reads the decryption password from the key file instead of prompting the user.
Output
┌──(krishna㉿kali)-[~]
└─$ echo $apps_password
123456
Key Concepts Summary
- AES-256-CBC – Industry-standard symmetric encryption algorithm
- chmod 600 – Restricts file access to the owner only (read + write)
- -pbkdf2 – Strengthens the key derivation, not a decryption flag
- -d – The actual flag used to decrypt in OpenSSL
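Putting the steps above together, here is an added example script (my own, not from the original post or its GitHub repository) that runs the same key-generation, encryption, deletion and decryption workflow inside a throwaway directory and checks the properties a reviewer would want to confirm: the key file ends up mode 600, the ciphertext carries OpenSSL's Salted__ header, the round trip returns the original secret, and a different key does not recover it. The function names and the file names under the temporary directory are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: the OpenSSL workflow from
# the post wrapped in functions, run in a temporary directory, with checks.
set -eu

# Create the key file with mode 0600 from the moment it exists. Running umask
# 077 in a subshell avoids the short window in which "openssl rand > ~/.key"
# followed by "chmod 600" leaves the file readable under the default umask.
make_key() {
    keyfile=$1
    ( umask 077 && openssl rand -base64 32 > "$keyfile" )
}

# Encrypt $2 to $3 using key file $1. "-pass file:" uses the FIRST LINE of the
# file as the passphrase; 32 bytes of base64 contain no newline, so the whole
# generated key is used.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$2" -out "$3" -pass "file:$1"
}

# Decrypt $2 to stdout using key file $1. -d selects decryption; -pbkdf2 must
# match what was used for encryption or the derived key will differ.
decrypt_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -in "$2" -pass "file:$1"
}

# Octal permission bits of a file (GNU stat first, BSD stat as a fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run the whole tutorial for the secret given as $1 and print one summary line:
#   keymode=600 header=Salted__ roundtrip=ok wrongkey=rejected
# Exits non-zero if the recovered secret does not match the original.
run_checks() {
    secret=$1
    work=$(mktemp -d)

    make_key "$work/.key"
    printf '%s\n' "$secret" > "$work/pass.txt"
    encrypt_file "$work/.key" "$work/pass.txt" "$work/pass.txt.enc"
    rm "$work/pass.txt"                  # plaintext is no longer needed on disk

    keymode=$(perm_bits "$work/.key")
    header=$(head -c 8 "$work/pass.txt.enc")   # OpenSSL's salted-format marker
    recovered=$(decrypt_file "$work/.key" "$work/pass.txt.enc")

    # A second, unrelated key must not recover the secret. Decryption normally
    # fails with "bad decrypt"; any garbage it emits is compared, not trusted.
    make_key "$work/.other_key"
    other=$(decrypt_file "$work/.other_key" "$work/pass.txt.enc" 2>/dev/null | tr -d '\0' || true)
    if [ "$other" = "$secret" ]; then wrongkey=accepted; else wrongkey=rejected; fi

    rm -rf "$work"
    if [ "$recovered" = "$secret" ]; then rt=ok; else rt=FAIL; fi
    printf 'keymode=%s header=%s roundtrip=%s wrongkey=%s\n' "$keymode" "$header" "$rt" "$wrongkey"
    [ "$rt" = ok ]
}

run_checks "123456"
```

Two points the script makes explicit that the interactive session does not: the key file is created already restricted rather than restricted afterwards, and the plaintext is written with printf inside the script rather than typed on the command line, so it does not end up in the shell history. Note that rm only unlinks pass.txt; on most filesystems that does not overwrite the blocks the plaintext occupied.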