Difference between revisions of "Linux openssl"

From John Freier

Revision as of 09:15, 17 March 2016

Description

With a public/private key pair, the public key is used to encrypt data and only the matching private key is capable of decrypting it.

Public Key -> Encrypt.

Private Key -> Decrypt.

Example

This is a working example of public/private key encryption.

Create a public & private key.

Create a private key.

 openssl genrsa -out mykey.pem 1024


Create a public key.

 openssl rsa -in mykey.pem -pubout -out pubkey.pem

or

 openssl rsa -in mykey.pem -pubout > mykey.pub

This will calculate the public key from the private key.

Encrypt a file with a public key

 cat plain.txt | openssl rsautl -encrypt -pubin -inkey pubkey.pem > cipher.txt

Decrypt a file with a private key

 cat cipher.txt | openssl rsautl -decrypt -inkey mykey.pem
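A complete round trip of the steps above, added here as an example that is not part of the original page: it creates the key pair (2048 bits rather than the 1024 shown above, since 1024-bit RSA is below current minimum recommendations), derives the public key, and encrypts a file for the key holder. It uses `openssl pkeyutl`, the maintained replacement for `rsautl`, with OAEP padding, and it wraps a random AES key instead of the file itself, because RSA can only encrypt an input smaller than the key modulus. The key file names follow the page; the function names, temporary files and the `.enc`/`.key` output naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Hybrid encryption: a random
# AES-256 key encrypts the file, and RSA-OAEP wraps that key for the recipient.
# Key file names (mykey.pem, pubkey.pem) follow the page; the function names,
# temporary files and the *.enc/*.key output naming are assumptions.
set -u

# Create a private key and derive its public key, as in the page's two steps.
# 2048 bits is used here; 1024-bit RSA is below current minimum recommendations.
make_keypair() {
    priv=$1; pub=$2
    openssl genrsa -out "$priv" 2048 2>/dev/null || return 1
    openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
}

# Encrypt $2 directly with public key $1 into $3, as the page's rsautl line
# does (pkeyutl is the maintained replacement). This only works when the input
# is smaller than the RSA modulus minus the OAEP overhead, so it suits keys,
# not files.
rsa_direct_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3" 2>/dev/null
}

# Encrypt file $2 for the holder of public key $1. Writes $3.enc (the AES
# ciphertext) and $3.key (the AES password, RSA-OAEP wrapped).
hybrid_encrypt() {
    pub=$1; plain=$2; out=$3
    keyfile=$(mktemp) || return 1
    # 32 random bytes, hex-encoded, used as the password for openssl enc.
    openssl rand -hex 32 > "$keyfile" || return 1
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$keyfile" \
        -in "$plain" -out "$out.enc" || return 1
    rsa_direct_encrypt "$pub" "$keyfile" "$out.key" || return 1
    rm -f "$keyfile"
}

# Reverse of hybrid_encrypt: unwrap the password with private key $1, then
# decrypt $2.enc into $3.
hybrid_decrypt() {
    priv=$1; in=$2; out=$3
    keyfile=$(mktemp) || return 1
    openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$in.key" -out "$keyfile" || return 1
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
           -in "$in.enc" -out "$out"; then rc=0; else rc=1; fi
    rm -f "$keyfile"
    return $rc
}
```

Usage, in the page's terms: `make_keypair mykey.pem pubkey.pem`, then `hybrid_encrypt pubkey.pem plain.txt cipher` produces `cipher.enc` and `cipher.key`, and `hybrid_decrypt mykey.pem cipher plain.out` recovers the file. `rsa_direct_encrypt` is kept separate so the size limit is visible: it succeeds on a short input and fails on anything larger than the modulus.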

Encrypt a file with a password

The -salt option should ALWAYS be used if the key is being derived from a password.

Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key.

When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

This way will prompt you for a password:

 openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

This way will not (the password is given on the command line with -k):

 openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc -k PASS

Decrypt a file with a password

This way will prompt you for a password:

 openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt

This way will not (the password is given on the command line with -k):

 openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -k PASS
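The two variants above differ only in whether the password is typed at a prompt or passed with -k. As an added example that is not from the original page, the script below takes a third route, `-pass file:`, which keeps the password off the command line (a `-k PASS` argument is visible in `ps` output and shell history), and adds `-pbkdf2` (OpenSSL 1.1.1 and later) so the key is derived with an iterated KDF rather than the legacy single-pass derivation. The helpers also expose the salt the text describes: the encrypted file starts with the 8-byte magic `Salted__` followed by the 8 random salt bytes, which is why two encryptions of the same file under the same password differ. Function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: password-based encryption with
# openssl enc, password read from a file rather than given as -k PASS, and
# -pbkdf2 so the key derivation is iterated. Function and file names are
# assumptions.
set -u

# Encrypt $2 to $3 using the password on the first line of file $1.
pw_encrypt() {
    passfile=$1; plain=$2; out=$3
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -pass "file:$passfile" -in "$plain" -out "$out"
}

# Decrypt $2 to $3 with the same password file and the same KDF parameters.
pw_decrypt() {
    passfile=$1; in=$2; out=$3
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass "file:$passfile" -in "$in" -out "$out"
}

# Return 0 if $1 carries the "Salted__" magic that openssl enc writes in front
# of the random salt whenever -salt is in effect.
has_salt_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Print the 8 salt bytes (file offsets 8..15) as 16 hex characters.
salt_hex() {
    dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
```

Run as `pw_encrypt pw.txt file.txt file.txt.enc` and `pw_decrypt pw.txt file.txt.enc file.txt`; `salt_hex file.txt.enc` shows a different value on every encryption. `-pass env:VAR` and `-pass stdin` are the other forms that avoid putting the password in the argument list.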


Base 64 Encode and Decode

Base64 encoding converts 8-bit binary data into ASCII characters.

This is useful for sending something by email, IRC, etc.; for that you have to save the encrypted file Base64-encoded.

To produce Base64-encoded output when encrypting, add the -a option:

Encode:

 openssl enc -aes-256-cbc -salt -a -in file.txt -out file.txt.enc

Decode:

 openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt
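An added example (not from the original page) showing what `-a` changes: the armored ciphertext contains only Base64 characters wrapped at 64 columns, so it survives text-only channels, and it has to be decoded with `-a` on the way back (feeding armored data to a decrypt without `-a` fails with "bad magic number"). The password comes from a file, and `-pbkdf2` is used for the same reason as in the password section. Function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: Base64 "armored" output from
# openssl enc -a, and a check that the result is plain text. Names are
# assumptions.
set -u

# Encrypt file $2 to stdout as Base64 text; password from the first line of $1.
enc_armored() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -a -pass "file:$1" -in "$2"
}

# Decrypt Base64 ciphertext read from stdin to stdout.
dec_armored() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$1"
}

# Return 0 if file $1 contains only Base64 alphabet characters, '=' padding
# and newlines, i.e. it can be pasted into email or chat unchanged.
is_base64_text() {
    ! LC_ALL=C grep -q '[^A-Za-z0-9+/=]' "$1"
}

# Length of the first line of $1 including its newline; openssl -a wraps
# Base64 output at 64 characters.
first_line_len() {
    head -n 1 "$1" | wc -c | tr -d ' '
}
```

Typical use is `enc_armored pw.txt file.txt > file.txt.enc`, paste or mail the file, then `dec_armored pw.txt < file.txt.enc > file.txt`. If a single unbroken line is wanted instead of 64-column wrapping, openssl enc also accepts `-A` together with `-a`.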