How to decrypt PHP Openssl encryption with BASH command

Question

I am encrypting a password in PHP, and want to decrypt it on a different box. I am having no luck and I would prefer to be able to decrypt it right from bash and echo it. Below is a snippet of a test in PHP.

$textToEncrypt    = "My super secret information.";
$encryptionMethod = "AES-256-CBC";  
$secretHash       = "Testkey";

//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash);

//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash);

//Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";

I have tried numerous methods to decrypt it on Ubuntu, even storing the data to a file and outputting it to a file. Command tried was:

openssl aes-256-cbc -a -d -k Testkey -in foo.txt -out secrets.txt

Where foo.txt is the value returned from the PHP encryption, and secrets.txt is the output. How can I do this?

Answer 1

It bears repeating, as in the comments, that encryption without an IV is dangerous. In fact, the current version of PHP will issue a warning about it. IVs can be randomly generated using the openssl_random_pseudo_bytes() function, and transmitted in the clear along with the encrypted text. They don't have to be secret, the important thing is not to reuse the same key and IV combination, and have a random IV.

So, with that out of the way, if you take a look at the source for the function, it's not passing the password argument as a passphrase, but rather as the key. So for using openssl on the command line, it needs to be in hex and passed to the -K option, not the -k option. But then, you'll get an error back saying "iv undefined" so your PHP needs to be adjusted to include one:

<?php
$textToEncrypt    = "My super secret information.\n";
$encryptionMethod = "AES-256-CBC";  
$key              = "Testkey";
$iv               = openssl_random_pseudo_bytes(
                        openssl_cipher_iv_length($encryptionMethod)
                    );

$keyHex           = bin2hex($key);
$ivHex            = bin2hex($iv);

//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $key, 0, $iv);

//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $key, 0, $iv);

//Result
printf(
    "Decrypted message: %s\n\nkeyHex=%s\nivHex=%s\nencryptedMessage=%s\n",
    $decryptedMessage,
    escapeshellarg($keyHex),
    escapeshellarg($ivHex),
    escapeshellarg($encryptedMessage)
);

Once you have these details, you can decrypt from command line (re-using PHP variable names here):

echo -n "$encryptedMessage" | openssl aes-256-cbc -d -a -A -K "$keyHex" -iv "$ivHex"