How is the following possible without saving and reusing the salt from PBKDF2?
Here's what I'm doing to encrypt a file:
openssl aes-256-cbc -pbkdf2 -in secret.txt -out secret.enc -a -kfile kfile.file
Where secret.txt = "secret message", and kfile.file = "password"
I then run the following to decrypt the just encrypted file:
openssl aes-256-cbc -pbkdf2 -d -in secret.enc -out secret.decrypted -a -kfile kfile.file
The decrypted file results secret.decrypted = "secret message"
As far as I know, I would have needed the initial salt used for the PBKDF2 to derive the same key for decryption, why is this clearly not the case here?
When running openssl aes-256-cbc -help it states that a salt is used in the KDF by default.
The (implicitly generated) random 8 bytes salt and the ciphertext are automatically concatenated. In addition, the ASCII encoding of Salted__ is prepended:
<ASCII encoding of Salted__>|<8 bytes salt>|<ciphertext>
The -a option causes the result to be Base64 encoded. Because of the fixed prefix Salted__ the data therefore always starts with U2FsdGVkX1.