Encrypting multiple files with AES256 using tar command

I tried to encrypt some files at once with AES256, but it failed. I could encrypt only 1 file at a time, very bothersome. There is this tar command which can create a single file from several files - but I failed at this - something wrong with the command line. Is there any clear-cut command line for how to create a single file from many files? Then after that I can encrypt all those data with AES256.


[Re-Titled by Moderator]

iMac 24″, macOS 15.2

Posted on Jan 31, 2025 6:28 AM

Question marked as Top-ranking reply

Posted on Jan 31, 2025 12:09 PM

Here is one approach in the Terminal.


Encrypt a compressed tar file from a folder SVG on the Desktop:

tar --exclude='.DS_Store' -cvzp SVG/ | openssl enc -aes-256-cbc -md md5 -pass pass:foobar > a.bin

file a.bin

a.bin: openssl enc'd data with salted password


Decrypt and expand a.bin in a different folder on the Desktop as tar contents:
cd tar_expanded
openssl enc -d -aes-256-cbc -md md5 -pass pass:foobar -in ../a.bin | tar -xvf -
x SVG/
x SVG/scanwo_ocr.pdf
x SVG/foo_ocr_stripped.pdf
x SVG/foo.pdf


Tested: macOS Sequoia v15.3, M4 Mac Mini Pro

25 replies

Jan 31, 2025 7:18 PM in response to garage4996

If you don't want to have the tar archive to be compressed, then just omit the "z" option for the tar command @VikingOSX provided.


If you don't want to include the parent folder containing the files, then you can add "-C SVG . " in place of where @VikingOSX has " SVG/" so that the resulting "tar" archive does not contain the parent "SVG" folder and will just include the three files listed in @VikingOSX's example.

tar --exclude='.DS_Store' -cvp -C SVG  .  | openssl enc -aes-256-cbc -md md5 -pass pass:foobar > a.bin



Or use @VikingOSX's original command to include the "SVG" parent folder within the encrypted archive and just extract the contents of the parent folder included in the tar archive by adding the following option immediately after the "tar" command, but before the other options "-xvf -": "--strip-components 1":

openssl enc -d -aes-256-cbc -md md5 -pass pass:foobar -in ../a.bin | tar --strip-components  1  -xvf -



I tested both of these modified commands (macOS 13.7.1 Ventura) and either one of these modified commands will give you the following output (notice the "SVG" parent folder is not in the output):

x scanwo_ocr.pdf
x foo_ocr_stripped.pdf
x foo.pdf



Of course we are assuming you are dealing with files within a single folder, otherwise things get a lot more complicated.


Otherwise you need to provide more details since you seem to go from wanting to use "tar" and have an encrypted "tar" archive file, but now you just want to encrypt lots of individual files? You need to pick one goal for us to focus on. And are the files you want to encrypt within a single folder or scattered around different locations?
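
The tar-to-openssl pipeline from the replies above, as an added example that is not part of any post in this thread: it derives the key with PBKDF2 instead of a single MD5 pass and reads the passphrase from an environment variable rather than the command line. The names ARCHIVE_PASS, ITER, encrypt_dir, decrypt_into and roundtrip_demo, the iteration count and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical names: ARCHIVE_PASS, ITER,
# encrypt_dir, decrypt_into, roundtrip_demo.

ITER=200000   # PBKDF2 iteration count (assumed value; tune to your hardware)

# encrypt_dir <source-dir> <output-file>
# Archives the contents of <source-dir> (no parent folder, no .DS_Store),
# compresses them, and encrypts the stream with AES-256-CBC.
encrypt_dir() {
    tar --exclude='.DS_Store' -czf - -C "$1" . |
        openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 \
            -pass env:ARCHIVE_PASS -out "$2"
}

# decrypt_into <encrypted-file> <dest-dir>
# Decrypts with the same KDF settings and unpacks into <dest-dir>.
decrypt_into() {
    mkdir -p "$2" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 \
        -pass env:ARCHIVE_PASS -in "$1" | tar -xzf - -C "$2"
}

# roundtrip_demo: build a constructed sample folder, encrypt it, decrypt it
# elsewhere, and compare the results byte for byte.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/sub"
    printf 'constructed sample one\n' > "$work/src/a.txt"
    printf 'constructed sample two\n' > "$work/src/sub/b.txt"
    : > "$work/src/.DS_Store"
    # Constructed passphrase; interactively, read it with a silent prompt
    # and export it instead of typing it into a command line.
    ARCHIVE_PASS='constructed-demo-passphrase'; export ARCHIVE_PASS
    encrypt_dir "$work/src" "$work/a.bin" &&
    decrypt_into "$work/a.bin" "$work/out" &&
    cmp -s "$work/src/a.txt" "$work/out/a.txt" &&
    cmp -s "$work/src/sub/b.txt" "$work/out/sub/b.txt" &&
    [ ! -e "$work/out/.DS_Store" ]
    rc=$?
    rm -rf "$work"
    return $rc
}

roundtrip_demo && echo "round trip OK"
```

openssl enc does not authenticate the ciphertext, so a modified archive is not reliably detected on decryption.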

Feb 1, 2025 1:26 PM in response to MrHoffman

ankblomma@iMac-som-tillhor-Ankblomma-2 Downloads % zip -er /Users/ankblomma/Desktop/kacsa.zip /Users/ankblomma/Desktop/kacsa  
Enter password: 
Verify password: 
  adding: Users/ankblomma/Desktop/kacsa/ (stored 0%)
  adding: Users/ankblomma/Desktop/kacsa/.DS_Store (deflated 97%)
  adding: Users/ankblomma/Desktop/kacsa/photo_2024-12-29 17.54.30.jpeg (deflated 3%)
  adding: Users/ankblomma/Desktop/kacsa/photo_2024-12-29 17.55.33.jpeg (deflated 3%)
  adding: Users/ankblomma/Desktop/kacsa/photo_2024-12-29 17.55.24.jpeg (deflated 3%)
  adding: Users/ankblomma/Desktop/kacsa/photo_2024-12-29 17.55.03.jpeg (deflated 3%)
  adding: Users/ferencbanyai/Desktop/kacsa/photo_2024-12-29 17.55.14.jpeg (deflated 2%)
ankblomma@iMac-som-tillhor-Ankblomma-2 Downloads % 

Now getting this message, deflated? I see that the files are encrypted, but I would encrypt them without compression. What does that deflated mean? It sounds not good. What is the encryption strength here? AES256 would be the best. 97% deflated, that means nothing remains of those files? Or very small in size, that is not good.

Feb 1, 2025 11:54 AM in response to garage4996

You’re less likely to have issues with the built-in DMG tools or with encrypted removable storage, as Apple goes to some effort to ensure compatibility.


If the Apple tooling is somehow not working reliably in your environment, I’d wonder about and might expect that using command-line scripting is going to be equally problematic.


As for your current path: The openssl command is still around on macOS, but OpenSSL was deprecated and replaced with LibreSSL. This as OpenSSL itself has a history of making breaking changes. This in addition to the pitfalls.


The previously-linked age tool (available via Homebrew) avoids most of the common pitfalls of OpenSSL (or the LibreSSL version of OpenSSL) and provides robust capabilities.


If your security threat is not advanced, zip encryption with a robust passphrase can be entirely serviceable.


More secure:

zip --encrypt filearchive.zip inputfile otherfile anotherfile


Less secure, as the password is in the shell history:

zip --password your-password-here filearchive.zip inputfile otherfile anotherfile

Feb 1, 2025 3:53 AM in response to garage4996

Okay, given your seeming unfamiliarity with UNIX (a folder is a directory is a folder), and given your hesitance around posting commands and errors, and given the sometimes subtle pitfalls with OpenSSL, I’d suggest using an encrypted disk image, or an encrypted removable storage device. That works, that can use AES-128 or AES-256, and that also avoids needing to use the command shell. And if you pick an encrypted sparse disk image, the encrypted disk image file can grow as needed.



If you really want to use the command line for whatever reason including scripting, hdiutil is available and can create encrypted sparse disk images.


Feb 1, 2025 9:58 AM in response to garage4996

garage4996 wrote:

.dmg files I used before and I failed to open it after sometimes, it simply refused to open. That File Vault is ok, I use that too. But I may need to know some other ways to encrypt files too.


Encrypted DMG files can and do work, and are widely used. What command and what errors are you encountering?


Encrypted sparse bundles will usually be the easiest (and most portable across Macs) way, potentially scripted with hdiutil and ilk where appropriate.


(a folder is a directory is a folder), how to understand this? A folder is a directory in a folder? Or a folder is also a directory?


Synonym.


I could not find anything on the internet on how to encrypt, in terminal, with openssl several files at one command, that is why I cannot post anything useful here, it is only a waste of time, it is only guessing - that it may be so or not.


That seems a vastly different starting point from “I tried to encrypt some files at once with AES256 ,but it failed.”


Over the years I learned not to waste my time on stuff which is not clear to me, or which I cannot in any way understand.


That means increasing your familiarity with UNIX and zsh as a starting point, and then later some more experience around cryptography, as too many of the OpenSSL examples around are old or otherwise insecure.


There are books and documents and videos on these topics, depending on how you best learn.


Or maybe you have an idea how to use the terminal to encrypt several files at once with openssl? That would be a great help.


Okay. Please post your code, and please post the errors. We’ll start from there. It’s usually easier to start from a non-working example than to start anew, particularly as some context can usually be acquired from the failing code, after all.


As for alternatives to OpenSSL, I’ve suggested using hdiutil and encrypted sparse images earlier, and have also suggested age. age avoids various of the pitfalls that can arise with other tools.


Some background on the subtleties of “encrypting a file”, this in the context of age:

https://words.filippo.io/dispatches/age-authentication/


Some docs:

https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html


Exceedingly quick intro to zip:


zip -r filename.zip /path/to/directory


Prompting for a passphrase encryption and decryption:


$ age --passphrase filearchive.zip > filearchive.zip.age
$ age --decrypt filearchive.zip.age > filearchivedecrypted.zip



Your unfamiliarity with UNIX and your familiarity with MD5 is an interesting juxtaposition here, too. Someone unfamiliar with files and folders and directories can get into trouble with tools such as OpenSSL or pgp (and from various cryptographic attacks), while someone familiar with the issues of MD5 undoubtedly already knows this.



Some light reading on pitfalls and considerations: https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-for-the-perplexed/

Jan 31, 2025 10:08 AM in response to garage4996

garage4996 wrote:

I tried to encrypt some files at once with AES256, but it failed.

I could encrypt only 1 file at a time, very bothersome. There is this tar command which can create a single file from several files - but I failed at this - something wrong with the command line.

Is there any clear-cut command line for how to create a single file from many files? Then after that I can encrypt all those data with AES256.

[Re-Titled by Moderator]


you do not say what is your reference here...(?) nor what exact "command line"...


you can read from the Terminal.app reference the manual:

man tar | more

Jan 31, 2025 7:59 PM in response to garage4996

What were the tar and encryption commands used, and what were the resulting error messages shown?


I’m guessing OpenSSL was involved. That tends to be complex, and can get cryptic, and some of the defaults (particularly around md5) can be quite bad. And re-using the salt can get you in deep trouble, too. (Do not use md5!)


(This is why I’d asked for the commands used and errors produced.)


Use of tar or zip is a means to separate the file management, packaging, and compression from the encryption and decryption.


Alternatives to OpenSSL with some better ease-of-use and default security include age, which is available via Homebrew.

Feb 1, 2025 12:01 PM in response to MrHoffman

zip -r filename.zip /path/to/directory



filename « mydogbernie.jpg.zip » how to overwrite this? mydogbernie.zip? /path/to/directory


must be


/Users/ankblomma/Desktop/retep.png


/Users/ must be the path? /to/ must be ankblomma? /directory must be /Desktop




Then will the file be encrypted? It is not that it is difficult to learn the CLI, but there are no clear-cut instructions to this computing.

Feb 1, 2025 2:33 PM in response to garage4996

garage4996 wrote:


MrHoffman wrote:
Encrypted DMG files can and do work, and are widely used. What command and what errors are you encountering?

I typed the passwords in and it did not open - it is the right password as Bitwarden never fails in this respect. Or it is simply not opening, it is not asking for a password at all. But I like .dmg files - very easy to create them in a minute - but how to ensure that they will always open? What to do so that I can keep them always in good condition? Or do those keys go out of validity? Maybe I must change passwords once a year? Why is it so that I cannot open a .dmg file on a new Mac? I have the same Apple ID, so I cannot understand what is the fault.

Most likely the DMG archive was unlocked, but would not mount. Think of the DMG as an "external" drive you are connecting when you double-click on the DMG file. You will encounter the same issues with them as you would any external drive since the DMG contains a file system like any drive. I've had the same thing happen with Filevaulted APFS volumes as well.


Thing is you must make sure to have good backups of that archive and the data contained within it. Keep in mind that if anything happens to an encrypted file/image, then it may be impossible to access it. So it is best to keep a copy of the data outside of a DMG archive as well.


From everything you have posted here, I agree with @MrHoffman and think you need to either utilize a Filevaulted external drive, or look at using some third party software, otherwise you have a lot of research & experimentation to do. One thing which could help you use just the built-in macOS tools & utilities would be to create an Apple Script and/or Automator action (probably will still need to use one of the command line options as well) in order to scan a folder to encrypt any files that are not encrypted.....again it will take some research & experimentation.


FYI, I have had trouble creating ZIP archives at times for reasons I could never pinpoint exactly (never looked too deeply...it happened with the macOS Compress option and even the command line tools & using 7-zip even on Linux), so I have resorted to utilizing TAR because it just works.


Also with 2018+ Macs, the data on the internal SSD is always hardware encrypted. If you enable Filevault on the internal boot SSD, then the data is protected & requires that password to unlock the data no matter how you try to access the system (at least as good as the password you use, but the same goes for any other option). And Time Machine can encrypt your backups as well.


I just thought of something that may be the easiest all native macOS solution:

Create a new APFS volume next to your macOS installation within the same APFS Container. You can mount & unmount this new APFS volume anytime you want, plus you can enable Filevault on it as well I believe. Even if you cannot, then just unmount the volume when you don't need access to that data as that will give you a bit of protection for it. If the APFS volume is not encrypted with Filevault, then you can configure macOS to automatically prevent that volume from mounting, but you can always use Disk Utility to mount it at any time you wish. Here is an Apple article with details about creating a new APFS volume within the same Container as your macOS installation:

Add, delete, or erase APFS volumes in Disk Utility on Mac - Apple Support


Jan 31, 2025 4:09 PM in response to VikingOSX

Last login: Thu Jan 30 22:14:21 on ttys001
ankblomma@iMac-som-tillhor-ankblomma-2 ~ % openssl aes-256-cbc -in ~/kiruna.jpg -out ~/hidekiruna.file
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
ankblomma@iMac-som-tillhor-Ankblomma-2 ~ % 


I used this command for encrypting a file, but to encrypt many files in one stroke I could not - I looked at that man details, but it is tons of information so I could not see anything interesting there about tar.

There must be some command line where I could collect all the files and encrypt them in one slap. I tried with a folder, but it was an error. There are some 100 files I want to encrypt, and to do that one by one is very troublesome. I can do this with an AES tool, or GPG or VeraCrypt or simply creating a .dmg file, but I prefer the Terminal as it is very local and not using any other tools is preferable for me. A .dmg file is also ok, but I could not open that file last time, so maybe the terminal is better. I heard that even this is not a good idea, as it backfires, that is, it cannot be opened on, say, another Mac.


Feb 1, 2025 3:28 AM in response to MrHoffman

MD5? That was used in the 1950?? That is Stone Age...


I still cannot figure out what to do. I have some 100 documents, photos, contracts, bank details, heritage letters and so on. Now after lots of work I collected all those in one folder - in Documents. True, they were scattered all over, as HWTech said - in Finder, but now all documents are in one folder - in Documents. Then I found that command and was happy in the beginning for that, then after writing all those files into that formula, it rejected all files and my job was meaningless. Only 1 file at a time was possible to encrypt, but that is a chore, it will take months before all those files are encrypted. I do not want to use any 3rd party apps for this.


Similarly, I had fear of creating QR codes on someone's website, I simply do not trust them. Then I could generate a QR code from Shortcuts, everything is locally made and I need not fear anything.

The same must be here with OpenSSL. I found a formula to encrypt 1 file at a time. OpenSSL is great, it uses AES256 too.


TOUCH creates a FILE and MKDIR creates a DIRECTORY - But what command creates a FOLDER?


I want to encrypt this Folder only. 1 file at a time is not a problem, but a Folder yes. I will try it again and see.

Feb 1, 2025 3:36 AM in response to HWTech

They were scattered all over Finder, now I collected them in one folder. I do not know if "tar" is necessary to use for this, I just Googled and found that command line. Probably it is meaningless to use tar. I have 1 folder with some 100 files or more inside it. It is this Folder I want to encrypt with OpenSSL. 1 File at a time is not a problem, but many at a time it is.

Feb 1, 2025 8:48 AM in response to MrHoffman

ankblomma@iMac-som-tillhor-ankblomma-2 ~ % openssl enc -aes-256-cbc -e -in /Users/ankblomma/Downloads/0089895/WhatsApp\ Image\ 2025-01-19\ at\ 08.26.49.jpeg -out /Users/ankblomma/Downloads/0089895/WhatsApp\ Image\ 2025-01-19\ at\ 08.26.49_enc.jpeg
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
ankblomma@iMac-som-tillhor-ankblomma-2 ~ % 


This one is the only other way I found to encrypt a file: copy and paste the user of a file, then change to _enc.jpeg in the end. I looked at several websites, but found nothing. Strange that you cannot encrypt a folder in one action. One by one you can, but not several files at once.
