@neuroticnerd
Last active August 29, 2015 14:18
File encryption with OpenSSL

File Encryption Using OpenSSL RSA Key

Because of the way the algorithm works, you cannot encrypt more data than the size of the key being used; that is, a key of size 2048 would allow you to encrypt 2048 bytes of information. This means the key by itself cannot be used on arbitrarily large pieces of data such as files.

The solution is to generate a random key which can be used for symmetric encryption of arbitrarily large blocks of data such as files. This key can then be encrypted asymmetrically and sent along with the symmetrically encrypted data, keeping all of it secured.

Process

Preparation

You will need to obtain the public key of the recipient in PEM format, and place it in a file (which is referenced below as recipient-public-key.pem).

If the recipient does not have their public key in PEM format, they can easily obtain it:

$ openssl rsa -pubout -outform pem -in recipient-private-key.pem

The above command prints the public key as plain text, which can be copied and pasted into an email or message; since it is only the public key, it is safe to send over unsecured channels. Alternatively, the output of the command can be redirected into a file, which is more convenient for attaching to an email or sending to multiple people:

$ openssl rsa -pubout -outform pem -in recipient-private-key.pem > recipient-public-key.pem

While you could simply repeat the 'encrypt the private data' step for each file you wish to encrypt, it is probably better to bundle all of the files into a single .zip or .tar archive, which can then be encrypted as one file.

Encryption

# generate random symmetric key
$ openssl rand -base64 32 > key.bin

# encrypt the key with the recipient's public key (the .pem file obtained in Preparation); on OpenSSL 3, where rsautl is deprecated, `openssl pkeyutl -encrypt` accepts the same options
$ openssl rsautl -encrypt -inkey recipient-public-key.pem -pubin -in key.bin -out key.bin.enc

# encrypt the private data; the first line of key.bin is used as the passphrase (OpenSSL 1.1.1 and later warn unless -pbkdf2 is given here and in the matching decrypt step)
$ openssl enc -aes-256-cbc -salt -in PRIVATE_FILE.dat -out PRIVATE_FILE.dat.enc -pass file:./key.bin

Transmission

Once the encryption process above is complete, those encrypted files will be safe for sending via unsecured communication methods, such as email, IM services (most do not encrypt messages), etc. You will need to send the recipient any PRIVATE_FILE.dat.enc files you have created. It is important to note that you must also send the key.bin.enc file since it contains the encrypted symmetric key! Without that file the recipient will not be able to obtain the key and decrypt the private data file(s).

Decryption

If you are the recipient of files encrypted using the above method, you must have access to the private key associated with the public key used in the encryption, or you will not be able to access the secured contents!

# decrypt the random key
$ openssl rsautl -decrypt -inkey recipient-private-key.pem -in key.bin.enc -out key.bin

# use the symmetric key to decrypt the private data
$ openssl enc -d -aes-256-cbc -in PRIVATE_FILE.dat.enc -out PRIVATE_FILE.dat -pass file:./key.bin
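The whole procedure above (public-key extraction from Preparation, the three Encryption commands, the two Decryption commands) as one runnable script, added here as an example rather than taken from the gist. It runs in a throwaway directory with a key pair it generates itself, uses `openssl pkeyutl` in place of the deprecated `rsautl`, adds `-pbkdf2` to both `enc` steps, and verifies that the recovered file is identical to the original. It also checks the point made at the top of the page: handing 1000 bytes straight to RSA with a 2048-bit key is refused (with the default PKCS#1 v1.5 padding the direct limit is 245 bytes), which is exactly why the random symmetric key is needed. File names under the scratch directory match the gist's; `recovered.dat` and `big.bin` are names chosen for this example. Requires the openssl CLI, 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the gist: runs the hybrid scheme end to end in a
# scratch directory and checks that decryption restores the original file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway recipient key pair, constructed for the demo. In real use the
# recipient already has this pair and sends you only the public half.
make_recipient_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/recipient-private-key.pem" 2>/dev/null
  openssl rsa -pubout -outform pem -in "$WORK/recipient-private-key.pem" \
    -out "$WORK/recipient-public-key.pem" 2>/dev/null
}

# Sender side: random symmetric key, wrapped with the recipient's public key,
# then used as the passphrase for AES-256-CBC over the payload.
# $1 = plaintext path; produces $1.enc and $WORK/key.bin.enc, both of which
# must travel to the recipient.
encrypt_for_recipient() {
  openssl rand -base64 32 > "$WORK/key.bin"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/recipient-public-key.pem" \
    -in "$WORK/key.bin" -out "$WORK/key.bin.enc"
  openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$1.enc" \
    -pass "file:$WORK/key.bin"
  rm -f "$WORK/key.bin"   # the plaintext key is neither kept nor sent
}

# Recipient side: unwrap the symmetric key with the private key, then decrypt.
# $1 = ciphertext path, $2 = where to write the recovered plaintext.
decrypt_as_recipient() {
  openssl pkeyutl -decrypt -inkey "$WORK/recipient-private-key.pem" \
    -in "$WORK/key.bin.enc" -out "$WORK/key.bin.dec"
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" \
    -pass "file:$WORK/key.bin.dec"
}

# Full round trip on a payload far larger than one RSA block; returns 0 when
# the recovered file is byte-for-byte identical to the original.
round_trip() {
  make_recipient_keys
  head -c 100000 /dev/urandom > "$WORK/PRIVATE_FILE.dat"
  encrypt_for_recipient "$WORK/PRIVATE_FILE.dat"
  decrypt_as_recipient "$WORK/PRIVATE_FILE.dat.enc" "$WORK/recovered.dat"
  cmp -s "$WORK/PRIVATE_FILE.dat" "$WORK/recovered.dat"
}

# Why the symmetric layer is needed: try to encrypt $1 random bytes directly
# with the 2048-bit public key. Returns 0 when OpenSSL refuses because the
# input is too large for the key, 1 when the direct encryption succeeds.
direct_rsa_refuses() {
  [ -f "$WORK/recipient-public-key.pem" ] || make_recipient_keys
  head -c "$1" /dev/urandom > "$WORK/big.bin"
  if openssl pkeyutl -encrypt -pubin -inkey "$WORK/recipient-public-key.pem" \
       -in "$WORK/big.bin" -out "$WORK/big.bin.enc" 2>/dev/null; then
    return 1
  fi
  return 0
}

round_trip && echo "round trip OK: recovered file matches the original"
direct_rsa_refuses 1000 && echo "direct RSA of 1000 bytes refused, as expected"
```

Note that `key.bin.enc` is regenerated on every run; a recipient who receives a new `PRIVATE_FILE.dat.enc` must receive the `key.bin.enc` produced alongside it, not one from an earlier transfer.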