Get a Pentest and security assessment of your IT network.

Request a quote
Cyber Security

OpenSSL AES-GCM: Quick Start Guide

January 3, 2026

TL;DR

This guide shows you how to encrypt and decrypt data using OpenSSL with the AES-GCM cipher. It covers generating a key, creating an IV (initialization vector), encryption, and decryption.

Generating an AES Key

  1. Create a secure random key: Use OpenSSL to generate a 256-bit AES key. This is essential for security. 
    openssl rand -base64 32

    This command outputs a 32-byte (256-bit) random key in base64 encoding. Save this key securely – you’ll need it for decryption!

Creating an Initialization Vector (IV)

  1. Generate a unique IV: The IV must be different for each encryption operation, even with the same key. A 12-byte IV is typical for AES-GCM. 
    openssl rand -hex 12

    This command generates a 12-byte (96-bit) random IV in hexadecimal encoding.

Encrypting Data

  1. Encrypt the data: Use OpenSSL to encrypt your data using AES-GCM. 
    openssl enc -aes-256-gcm -salt -pbkdf2 -in input.txt -out output.enc -pass pass:'your_password' -iv 'your_iv' -keyfile key.pem

    Replace:

    • input.txt with the name of your file to encrypt
    • output.enc with the desired output filename
    • pass:'your_password' with a strong password (for key derivation)
    • your_iv with the IV you generated earlier
    • key.pem with the path to your AES key file. You can create this from the base64 output of step 1 using 
      echo 'base64_key' > key.pem

    The -salt option adds a random salt for extra security, and -pbkdf2 uses Password-Based Key Derivation Function 2 to derive the encryption key from your password.

Decrypting Data

  1. Decrypt the data: Use OpenSSL to decrypt the encrypted file. 
    openssl enc -aes-256-gcm -d -salt -pbkdf2 -in output.enc -out decrypted.txt -pass pass:'your_password' -iv 'your_iv' -keyfile key.pem

    Replace the values as in step 1, ensuring you use the same password and IV used for encryption.

Important Considerations

  • Key Security: Protect your AES key! If someone gains access to it, they can decrypt your data.
  • IV Uniqueness: Never reuse an IV with the same key. This compromises security.
  • Password Strength: Use a strong, unique password if using password-based encryption.
  • Authentication Tag: AES-GCM includes an authentication tag to verify data integrity. OpenSSL handles this automatically.
5
Share:
Related posts
Cyber Security

Zip Codes & PII: Are They Personal Data?

January 3, 2026
Cyber Security

Zero-Day Vulnerabilities: User Defence Guide

January 3, 2026
Cyber Security

Zero Knowledge Voting with Trusted Server

January 3, 2026
Cyber Security

ZeroNet: 51% Attack Risks & Mitigation

January 3, 2026