Skip to content

Instantly share code, notes, and snippets.

@dreikanter
Forked from crazybyte/encrypt_openssl.txt
Last active November 6, 2024 13:46
Show Gist options
  • Save dreikanter/c7e85598664901afae03fedff308736b to your computer and use it in GitHub Desktop.
Save dreikanter/c7e85598664901afae03fedff308736b to your computer and use it in GitHub Desktop.
File encryption using OpenSSL

Symmetic encryption

For symmetic encryption, you can use the following:

To encrypt:

openssl aes-256-cbc -salt -a -e -in plaintext.txt -out encrypted.txt

To decrypt:

openssl aes-256-cbc -salt -a -d -in encrypted.txt -out plaintext.txt

Asymmetric encryption

For Asymmetric encryption you must first generate your private key and extract the public key.

openssl genrsa -aes256 -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

To encrypt:

openssl pkeyutl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt

To decrypt:

openssl pkeyutl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt

Encrypting files

You can't directly encrypt a large file using pkeyutl. Instead, do the following:

  • Generate a key using openssl rand, e.g. openssl rand -out keyfile 32.
  • Encrypt the key file using openssl pkeyutl.
  • Encrypt the data using openssl enc, using the generated key from step 1.
  • Package the encrypted key file with the encrypted data. The recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.

Ultimate solution for safe and high secured encode anyone file in OpenSSL and command-line:

Private key generation (encrypted private key):

openssl genrsa -aes256 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

With unecrypted private key:

openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem

With encrypted private key:

openssl req -x509 -days 100000 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem

With existing encrypted (unecrypted) private key:

openssl req -x509 -new -days 100000 -key private_key.pem -out certificate.pem

Encrypt a file

Encrypt binary file:

openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem

Encrypt text file:

openssl smime -encrypt -aes-256-cbc -in input.txt -out output.txt -outform DER yourSslCertificate.pem

What is what:

  • smime — ssl command for S/MIME utility (smime(1)).
  • -encrypt — chosen method for file process.
  • -binary — use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives).
  • -aes-256-cbc — chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers).
  • -in plainfile.zip — input file name.
  • -out encrypted.zip.enc — output file name.
  • -outform DER — encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%.
  • yourSslCertificate.pem — file name of your certificate's. That should be in PEM format.

That command can very effectively a strongly encrypt any file regardless of its size or format.

Decrypt a file

Decrypt binary file:

openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password

For text files:

openssl smime -decrypt -in encrypted_input.txt -inform DER -out decrypted_input.zip -inkey private.key -passin pass:your_password

What is what:

  • -inform DER — same as -outform above.
  • -inkey private.key — file name of your private key. That should be in PEM format and can be encrypted by password.
  • -passin pass:your_password — (optional) your password for private key encrypt.

Verification

Creating a signed digest of a file:

openssl dgst -sha512 -sign private_key.pem -out digest.sha512 file.txt

Verify a signed digest:

openssl dgst -sha512 -verify public_key.pem -signature digest.sha512 file.txt

Source

@bmoser05
Copy link

bmoser05 commented Sep 6, 2020

^-^ i tried it but it did not work

@FilBot3
Copy link

FilBot3 commented Jan 25, 2021

Could you go into the Encrypting Files part a bit more? I'm not following what you mean by send your keys. I understand sending your public key for people to use for you, but since rsautl doesn't do large files well, can you explain that more?

@Chetan-Goyal
Copy link

@antofthy
Copy link

Nice summery of using public keys for file encryption.

However for the very first part Symmetic encryption the information above is actually quite old. Things have changed using openssl for file encryption in the last few years.

Specifically the PBKDF2 password iterative hashing has been made standard (openssl warns if you do not use it) from the command line. This has been something that has been missing for a LONG time, even though it was available in the openssl API libraries. So much so that many people (including myself) created encryption scripts (which used openssl API) to implement PBKDF2.

Example (now obsolete) is my "encrypt" perl script: https://antofthy.gitlab.io/software/#encrypt

I suggest instead of the above you look at my own 'plain text' notes on using openssl file encryption. Which is up-to-date with "openssl" changes. https://antofthy.gitlab.io/info/crypto/openssl.txt

Now that PBKDF2 is standard from CLI. And default options have changed. A different problem emerged. Remembering what options were used to encrypt a file. For example the hashing digest used, or the number of password hashing iterations (the default of 10000 is VERY low). So there is a wrapper around "openssl" that saves this information with the encrypted file.

See "keepout" shell script wrapper: https://antofthy.gitlab.io/software/#keepout

@dreikanter
Copy link
Author

@antofthy Thank you for the info!

Yes, this write-up is from 2016, and now obsolete. I've been using this method to encrypt some secrets during deployment, but now there are out-of-the-box solutions, like Rails Credentials and Ansible Vault. So I've stopped doing "manual" encryption a while ago.

@drankinatty
Copy link

drankinatty commented Oct 19, 2024

Examples of Asymmetric and File encryption should be updated to use pkeyutl instead of rsautl (rsautl was deprecated in version 3.0)

@dreikanter
Copy link
Author

@drankinatty I've done an update.

@MaxLap
Copy link

MaxLap commented Oct 24, 2024

openssl rand 32 -out keyfile doesn't work for me. Says "rand: Use -help for summary.".

Moving the 32 to the end of the command works: openssl rand -out keyfile 32

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment