I use OpenSSL to encrypt passwords. For that the parameters $S$ (salt), $K$ (key) and $IV$ (initialization vector) are used.
Although the command produces the results, I am not sure if the salt is really used or ignored.
The salt is used to derive an encryption key from the input key specified with -k, in case the input key is a low-entropy key such as a password. If the input key is high entropy, then instead specify it with -K and avoid the extra key derivation with salt. The salt is also used to derive an IV if one is not specified. If you already have a strong key and IV, then you should deactivate the salting with the -nosalt option. Read more here: https://wiki.openssl.org/index.php/Enc
But for password storage in particular you should also be hashing them with a hash function designed for password hashing, such as Argon2, Scrypt or Bcrypt. Encryption is not secure enough on its own.
-k and salting is for weaker keys like passwords; they need a stronger KDF to be made secure. OpenSSL uses PBKDF2, which is nowadays not considered secure anymore, so you probably want to use one of the other password hashing functions I mentioned instead. Do that outside of OpenSSL, then pipe the result into OpenSSL and use it as a strong key with -K, without any salt or additional key derivation. If you already have a strong randomly generated key, then just use that as your -K without any salt.
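As an added example (my own code, not from the question or either reply above): a small Python script that shows how the salt enters the key and IV derivation described above, and a check for the Salted__ header that openssl enc writes in front of the ciphertext whenever salting is active, which is the direct way to see whether the salt was used. It assumes the SHA-256 default digest of a modern OpenSSL and the default -pbkdf2 iteration count of 10000; all function names are mine.

```python
import hashlib
import os

# `openssl enc` prefixes salted output with this magic and the 8-byte salt.
SALT_MAGIC = b"Salted__"


def evp_bytes_to_key(password, salt, key_len, iv_len, md="sha256"):
    """Legacy OpenSSL EVP_BytesToKey with count=1, which `openssl enc` uses
    when -pbkdf2 is not given: D_i = H(D_{i-1} || password || salt), digests
    concatenated until key_len + iv_len bytes exist. OpenSSL before 1.1.0
    used md="md5" here (assumption: the modern SHA-256 default)."""
    salt = salt or b""           # -nosalt: nothing appended, derivation is fixed
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, key_len, iv_len, iterations=10000):
    """What `openssl enc -pbkdf2` does: PBKDF2-HMAC-SHA256, 10000 iterations
    by default, with key and IV taken from one derivation output."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt or b"",
                              iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def split_salt_header(blob):
    """Return (salt, body) for an openssl enc output blob.
    salt is None when no Salted__ header is present (i.e. -nosalt was used)."""
    if blob.startswith(SALT_MAGIC) and len(blob) >= len(SALT_MAGIC) + 8:
        return blob[8:16], blob[16:]
    return None, blob


def derive_for_blob(blob, password, pbkdf2=True, key_len=32, iv_len=16):
    """Recover the salt from the header and derive the AES-256-CBC key and IV
    that decryption with the given -k password will end up using."""
    salt, _body = split_salt_header(blob)
    kdf = pbkdf2_key_iv if pbkdf2 else evp_bytes_to_key
    return salt, kdf(password, salt, key_len, iv_len)


if __name__ == "__main__":
    # Constructed sample: a header with a random salt and a dummy ciphertext body.
    salt = os.urandom(8)
    blob = SALT_MAGIC + salt + b"\x00" * 16
    found, (key, iv) = derive_for_blob(blob, b"correct horse")
    print("salt in header:", found == salt, "key:", key.hex()[:16], "iv:", iv.hex())
```

Feeding a real `openssl enc -aes-256-cbc -k ... -pbkdf2` output file to derive_for_blob reproduces the key and IV that `openssl enc -P` prints; with -nosalt the header is absent and the derivation no longer depends on anything but the password.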