June 9, 2009 at 11:10OpenSSL: Simple Public Key Encryption
It is full of situations when you need to encrypt a specific file or folder. For example, if data is transmitted over open channels or stored on an external medium. Many (including myself) use truecrypt, however, the main purpose of this program is to work with encrypted partitions, so it is not very good in this case.
For such tasks, OpenSSL , a reliable cross-platform solution, is quite suitable . OpenSSL supports various encryption algorithms, plus it is installed by default on many operating systems, and installing on the rest is easy.
Under habrakat - the basics of using symmetric and asymmetric encryption in OpenSSL, as well as a couple of scripts that simplify asymmetric encryption with a one-time key.
The simplest way to protect data with OpenSSL is symmetric encryption. The following commands encrypt and decrypt the documents.zip file using the AES algorithm with a 256-bit key length: The problem with these commands may be that they require a password. There are situations when this is undesirable. For example, automatic backup / encryption of data on a schedule, or if the data is encrypted by one person and decrypted by another. Just for such cases, public key encryption was invented . In general, you will need to create public and private keys. The first command will generate the private.pem private key, the second will create the public.pem public key:
As a result, you get a pair of RSA keys with a length of 2048 bits. Unfortunately, in the RSA system, the size of the encrypted data is limited by the key size, so encrypting more than 2Kb of data will fail. There is a way around this - the information is first encrypted with a symmetric algorithm (like the one used above) using a one-time key. This one-time key is then encrypted with the public key. When decrypting, the one-time key is decrypted as private. More about this was already very well written in an article on Habré .
The following script will help automate encryption, at the output of which you will receive a one-time key and data (encrypt.sh) in encrypted form:
The following command uses the public.pem public key to encrypt the documents.zip file. It will generate the encrypted one-time key session.key and the encrypted data documents.enc:
Script to decrypt (decrypt.sh): The decryption command uses the private key private.pem and the one-time key session.key to decrypt the documents.enc file. It will generate the documents.zip file: As you can see, public key encryption can be almost as simple as symmetric. But there is an even simpler way. SbF₅ blog prompted me to write this post . Its author (undoubtedly more sophisticated in bash than me) wrote a script
, which archives the folder, encrypts it with the public key and generates another script that contains everything you need: a one-time key, data and the actual commands for decryption. In addition, the script can generate a pair of RSA keys for you: In this example, we first generated a key pair. After that, the folder folder was encrypted into the decrypt-folder.sh script and then decrypted into the folder.tar archive. A possible minus of this method is that the data in decrypt-folder.sh is stored in the BASE64 format, and therefore their size increases. That, in fact, is what I wanted to share. If someone has comments or questions - write in the comments, I will try to answer. UPD Moved to Information Security Blog.
For such tasks, OpenSSL , a reliable cross-platform solution, is quite suitable . OpenSSL supports various encryption algorithms, plus it is installed by default on many operating systems, and installing on the rest is easy.
Under habrakat - the basics of using symmetric and asymmetric encryption in OpenSSL, as well as a couple of scripts that simplify asymmetric encryption with a one-time key.
The simplest way to protect data with OpenSSL is symmetric encryption. The following commands encrypt and decrypt the documents.zip file using the AES algorithm with a 256-bit key length: The problem with these commands may be that they require a password. There are situations when this is undesirable. For example, automatic backup / encryption of data on a schedule, or if the data is encrypted by one person and decrypted by another. Just for such cases, public key encryption was invented . In general, you will need to create public and private keys. The first command will generate the private.pem private key, the second will create the public.pem public key:
openssl enc -aes-256-cbc -salt -in documents.zip -out documents.enc
openssl enc -d -aes-256-cbc -in documents.enc -out documents.zipopenssl genrsa -out private.pem -aes256 2048
openssl rsa -in private.pem -pubout -out public.pemAs a result, you get a pair of RSA keys with a length of 2048 bits. Unfortunately, in the RSA system, the size of the encrypted data is limited by the key size, so encrypting more than 2Kb of data will fail. There is a way around this - the information is first encrypted with a symmetric algorithm (like the one used above) using a one-time key. This one-time key is then encrypted with the public key. When decrypting, the one-time key is decrypted as private. More about this was already very well written in an article on Habré .
The following script will help automate encryption, at the output of which you will receive a one-time key and data (encrypt.sh) in encrypted form:
# !/bin/bash
FILENAME="$1"
PUBLICKEY="$2"
SESSIONKEY="$3"
RESULT="$4"
# Generate the random symmetric-key
PASSIZE=30
if [ -c /dev/urandom ] ; then
KEY=`head -c 30 /dev/urandom | openssl enc -base64`
else
KEY=`openssl rand -base64 30`
fi
export KEY
# Encrypt the symmetric key using the public key
openssl rsautl -encrypt -inkey "$PUBLICKEY" -out "$SESSIONKEY" -pubin <
$KEY
EOF
# Encrypt the file
openssl enc -aes-256-cbc -pass env:KEY -in "$FILENAME" -out "$RESULT" The following command uses the public.pem public key to encrypt the documents.zip file. It will generate the encrypted one-time key session.key and the encrypted data documents.enc:
./encrypt.sh documents.zip public.pem session.key documents.encScript to decrypt (decrypt.sh): The decryption command uses the private key private.pem and the one-time key session.key to decrypt the documents.enc file. It will generate the documents.zip file: As you can see, public key encryption can be almost as simple as symmetric. But there is an even simpler way. SbF₅ blog prompted me to write this post . Its author (undoubtedly more sophisticated in bash than me) wrote a script
# !/bin/bash
PRIVATEKEY="$1"
SESSIONKEY="$2"
ENCRYPTED="$3"
DECRYPTED="$4"
# Decrypt the symmetric key using the private key
KEY=` openssl rsautl -decrypt -inkey "$PRIVATEKEY" -in "$SESSIONKEY" `
export KEY
# Decrypt the file
openssl enc -aes-256-cbc -d -pass env:KEY -in "$ENCRYPTED" -out "$DECRYPTED"./decrypt.sh private.pem session.key documents.enc documents.zip, which archives the folder, encrypts it with the public key and generates another script that contains everything you need: a one-time key, data and the actual commands for decryption. In addition, the script can generate a pair of RSA keys for you: In this example, we first generated a key pair. After that, the folder folder was encrypted into the decrypt-folder.sh script and then decrypted into the folder.tar archive. A possible minus of this method is that the data in decrypt-folder.sh is stored in the BASE64 format, and therefore their size increases. That, in fact, is what I wanted to share. If someone has comments or questions - write in the comments, I will try to answer. UPD Moved to Information Security Blog.
./encrypt-file.sh -keys public.pem private.pem
./encrypt-file.sh folder public.pem > decrypt-folder.sh
chmod +x decrypt-folder.sh
./decrypt-folder.sh private.pem > folder.tar