---
title: "AP Cybersecurity Cryptography Commands Guide: OpenSSL, RSA, Hashing"
description: "Practice CED cryptography commands for AP Cybersecurity: symmetric and asymmetric encryption, RSA key generation, and file hash verification with worked examples."
canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/cryptography-commands-guide/study-guide/iuvaN4Myhc410muNkePq"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Cybersecurity Technical Skills"
lastUpdated: "2026-06-16"
---

# AP Cybersecurity Cryptography Commands Guide: OpenSSL, RSA, Hashing

## Summary

Practice CED cryptography commands for AP Cybersecurity: symmetric and asymmetric encryption, RSA key generation, and file hash verification with worked examples.

## Guide

This guide teaches you the [cryptography](/ap-cybersecurity/key-terms/cryptography "fv-autolink") command patterns the CED expects you to apply in [AP Cybersecurity](/ap-cybersecurity "fv-autolink"). You will learn how to encrypt and decrypt files with symmetric keys, generate and use asymmetric (RSA) key pairs, and verify file integrity using hashes. The focus is on what each command does, what input and output to expect, and when each is the right tool.

These skills come from [Unit 5](/ap-cybersecurity/unit-5 "fv-autolink"), Securing Applications and Data, specifically topics 5.3 ([symmetric encryption](/ap-cybersecurity/key-terms/symmetric-encryption "fv-autolink")), 5.4 (asymmetric cryptography), and 5.6.D (verifying a file hash). Concepts like how AES works internally or what RSA key length means are covered elsewhere. Here you build the command fluency to actually apply those concepts.

## Where This Shows Up

The `Write` task verb on the free-response section asks you to express a proper command that has an indicated effect. That means you may need to produce a working [OpenSSL](/ap-cybersecurity/unit-5/protecting-stored-data-with-cryptography/study-guide/pVI6SOT7HBVhSMIqKTXG "fv-autolink") or hashing command, not just describe it. The unit scenarios reinforce this: Scenario 5B has you generate an asymmetric key pair, share a [public key](/ap-cybersecurity/key-terms/public-key "fv-autolink"), and encrypt and decrypt messages.

Skill Categories 2 ([Mitigate Risk](/ap-cybersecurity/cybersecurity-skills/mitigate-risk/study-guide/1e2jm2Ks2uN8D3sepFx5 "fv-autolink")) and 3 (Detect Attacks) are the ones tied to these commands. [Encryption](/ap-cybersecurity/key-terms/encryption "fv-autolink") is a protective control under 2.A and 2.D, while hash verification supports detecting whether a file was altered under 3.D and 5.6.D.

## Symmetric Encryption with OpenSSL

Symmetric encryption uses one shared secret to both encrypt and decrypt. It is appropriate when you control both ends, such as protecting a stored file with a [passphrase](/ap-cybersecurity/key-terms/passphrase "fv-autolink") you already hold.

Use `openssl enc` for file encryption. A typical pattern looks like this:

```
openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc
openssl enc -d -aes-256-cbc -in secret.enc -out secret_decrypted.txt
```

The first command encrypts `secret.txt` into `secret.enc` using AES-256 in CBC mode. The `-salt` flag adds randomness so identical files do not produce identical [ciphertext](/ap-cybersecurity/key-terms/ciphertext "fv-autolink"). You will be prompted for a passphrase, which becomes the basis for the key.

The second command adds `-d` to decrypt. You must supply the same passphrase, the same algorithm, and point `-in` at the [encrypted](/ap-cybersecurity/unit-1/best-practices-for-public-networks/study-guide/nli0fCFfA8OIiMHEGsBP "fv-autolink") file. If any of those differ, [decryption](/ap-cybersecurity/key-terms/decryption "fv-autolink") fails or produces garbage.

| Flag | Purpose |
|:--|:--|
| `-aes-256-cbc` | Specifies the cipher and mode |
| `-salt` | Adds random salt to strengthen the output |
| `-in` | Input file to read |
| `-out` | Output file to write |
| `-d` | Switches the command to decrypt mode |

When to use it: protecting [data at rest](/ap-cybersecurity/key-terms/data-at-rest "fv-autolink") where the same party (or a pre-shared key) handles both encryption and decryption. The weakness is key distribution. If you need to send the key over an untrusted channel, symmetric encryption alone is not enough.

## Asymmetric Encryption and RSA Key Generation

[Asymmetric encryption](/ap-cybersecurity/key-terms/asymmetric-encryption "fv-autolink") uses a key pair: a public key that anyone can hold and a [private key](/ap-cybersecurity/key-terms/private-key "fv-autolink") you keep secret. This solves the key distribution problem because you can share your public key openly. This is the model behind Scenario 5B and PGP-style secure messaging.

Generate an RSA private key, then extract the matching public key:

```
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem
```

The first command creates a 2048-bit RSA private key in `private_key.pem`. The number sets key length, and longer keys are harder to break. The second command reads that private key and writes out only the public portion to `public_key.pem`, which is the file you would share with a partner.

To encrypt a small message for someone, use their public key. To decrypt a message sent to you, use your private key:

```
openssl pkeyutl -encrypt -pubin -inkey partner_public.pem -in message.txt -out message.enc
openssl pkeyutl -decrypt -inkey private_key.pem -in message.enc -out message.txt
```

Notice the direction: the sender encrypts with the recipient's public key, and the recipient decrypts with their own private key. That is the core rule for objective 5.4.A about choosing the correct key.

When to use it: establishing secure communication with someone you have not shared a secret with, or letting many senders encrypt to one recipient. Asymmetric encryption is slower and limited in message size, which is why real systems often use it to exchange a symmetric key and then switch to symmetric encryption for bulk data.

## File Hashing and Integrity Verification

A hash is a fixed-length fingerprint of a file. Hashing does not hide data and is not encryption, so do not confuse the two. Its job is integrity: confirming a file has not been altered, which is exactly objective 5.6.D.

Compute a [SHA-256](/ap-cybersecurity/key-terms/sha-256 "fv-autolink") hash:

```
sha256sum important.iso
openssl dgst -sha256 important.iso
```

Both produce a hash value plus the filename. To verify a download or a file you suspect was tampered with, compare the computed hash to a known-good reference value. If even one byte changed, the hash changes completely.

A practical verification workflow:

1. Obtain the trusted hash from the vendor or original source.
2. Run `sha256sum yourfile` on the file you have.
3. Compare the two strings character by character, or pipe a [checksum](/ap-cybersecurity/key-terms/checksum "fv-autolink") file through `sha256sum -c`.
4. If they match, the file is intact. If they differ, treat the file as altered or corrupted.

```
sha256sum -c checksums.txt
```

This reads expected hashes from `checksums.txt` and reports `OK` or `FAILED` for each listed file. A `FAILED` result is an [indicator of compromise](/ap-cybersecurity/key-terms/indicator-of-compromise "fv-autolink") worth reporting.

## Common Mistakes to Avoid

Mixing up which key to use is the classic asymmetric error. Remember: encrypt with the recipient's public key, decrypt with your own private key. Never share or transmit your private key.

Forgetting to match the algorithm and passphrase on symmetric decryption causes silent failures. The decrypt command must mirror the encrypt command's cipher and mode exactly.

Treating hashing as encryption is a conceptual trap. Hashing is one-way and produces no recoverable [plaintext](/ap-cybersecurity/key-terms/plaintext "fv-autolink"), so you cannot "decrypt" a hash. Use it only to verify integrity.

Confusing `-in` and `-out` will overwrite or fail to read the file you meant to protect. Read the flags carefully before running a command that writes output.

Using weak [key lengths](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 "fv-autolink") invites attack. The CED ties key length to security in 5.4.B, so default to at least 2048-bit RSA in your examples.

## Quick Reference

| Goal | Command pattern |
|:--|:--|
| Encrypt a file symmetrically | `openssl enc -aes-256-cbc -salt -in file -out file.enc` |
| Decrypt a symmetric file | `openssl enc -d -aes-256-cbc -in file.enc -out file` |
| Generate RSA private key | `openssl genrsa -out private_key.pem 2048` |
| Extract public key | `openssl rsa -in private_key.pem -pubout -out public_key.pem` |
| Encrypt with public key | `openssl pkeyutl -encrypt -pubin -inkey pub.pem -in msg -out msg.enc` |
| Decrypt with private key | `openssl pkeyutl -decrypt -inkey private_key.pem -in msg.enc -out msg` |
| Hash a file | `sha256sum file` or `openssl dgst -sha256 file` |
| Verify against checksums | `sha256sum -c checksums.txt` |

Practice writing these from memory, since the `Write` task verb expects a syntactically correct command. Pay attention to flag order and the encrypt versus decrypt direction, because those small details are where points are won or lost.

## FAQs

### Which key do I use to encrypt a message in asymmetric cryptography?

You encrypt with the recipient's public key and the recipient decrypts with their own private key. So if you are sending a message to a partner, use their public key with a command like openssl pkeyutl -encrypt -pubin -inkey partner_public.pem -in message.txt -out message.enc. Never use your own private key to encrypt a message meant for someone else.

### How do I verify that a file has not been altered using a hash?

Compute the file's hash with sha256sum file or openssl dgst -sha256 file, then compare it to a trusted reference hash from the original source. If the values match exactly, the file is intact; if they differ, the file was altered or corrupted. You can also use sha256sum -c checksums.txt to check files automatically and get an OK or FAILED result.

### What is the difference between hashing and encryption in AP Cybersecurity?

Encryption is reversible: with the correct key you can recover the original plaintext, which protects confidentiality. Hashing is one-way and produces a fixed-length fingerprint that cannot be reversed, so it is used for integrity verification rather than hiding data. You cannot decrypt a hash, so do not treat the two as interchangeable.

### How do I generate an RSA key pair with OpenSSL?

Run openssl genrsa -out private_key.pem 2048 to create a 2048-bit private key, then run openssl rsa -in private_key.pem -pubout -out public_key.pem to extract the matching public key. Share the public key file and keep the private key secret. Longer key lengths increase security, so use at least 2048 bits.

## Structured Data

```json
{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/cryptography-commands-guide/study-guide/iuvaN4Myhc410muNkePq#which-key-do-i-use-to-encrypt-a-message-in-asymmetric-cryptography","name":"Which key do I use to encrypt a message in asymmetric cryptography?","acceptedAnswer":{"@type":"Answer","text":"You encrypt with the recipient's public key and the recipient decrypts with their own private key. So if you are sending a message to a partner, use their public key with a command like openssl pkeyutl -encrypt -pubin -inkey partner_public.pem -in message.txt -out message.enc. Never use your own private key to encrypt a message meant for someone else."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/cryptography-commands-guide/study-guide/iuvaN4Myhc410muNkePq#how-do-i-verify-that-a-file-has-not-been-altered-using-a-hash","name":"How do I verify that a file has not been altered using a hash?","acceptedAnswer":{"@type":"Answer","text":"Compute the file's hash with sha256sum file or openssl dgst -sha256 file, then compare it to a trusted reference hash from the original source. If the values match exactly, the file is intact; if they differ, the file was altered or corrupted. You can also use sha256sum -c checksums.txt to check files automatically and get an OK or FAILED result."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/cryptography-commands-guide/study-guide/iuvaN4Myhc410muNkePq#what-is-the-difference-between-hashing-and-encryption-in-ap-cybersecurity","name":"What is the difference between hashing and encryption in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"Encryption is reversible: with the correct key you can recover the original plaintext, which protects confidentiality. Hashing is one-way and produces a fixed-length fingerprint that cannot be reversed, so it is used for integrity verification rather than hiding data. You cannot decrypt a hash, so do not treat the two as interchangeable."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/cryptography-commands-guide/study-guide/iuvaN4Myhc410muNkePq#how-do-i-generate-an-rsa-key-pair-with-openssl","name":"How do I generate an RSA key pair with OpenSSL?","acceptedAnswer":{"@type":"Answer","text":"Run openssl genrsa -out private_key.pem 2048 to create a 2048-bit private key, then run openssl rsa -in private_key.pem -pubout -out public_key.pem to extract the matching public key. Share the public key file and keep the private key secret. Longer key lengths increase security, so use at least 2048 bits."}}]}
```
