Lewati ke isi

Encrypting and decrypting files with OpenSSL

Encryption is a way to encode a message so that its contents are protected from prying eyes. There are two general types:

  1. Secret-key or symmetric encryption
  2. Public-key or asymmetric encryption

Secret-key encryption uses the same key for encryption and decryption, while public-key encryption uses different keys for encryption and decryption. There are pros and cons to each method. Secret-key encryption is faster, and public-key encryption is more secure since it addresses concerns around securely sharing the keys. Using them together makes optimal use of each type's strengths.

How to encrypt files with OpenSSL

OpenSSL is an amazing tool that does a variety of tasks, including encrypting files. This demo uses a Fedora machine with OpenSSL installed. The tool is usually installed by default by most Linux distributions; if not, you can use your package manager to install it:

Step 1: Generate key pairs

Before you can encrypt files, you need to generate a pair of keys. You will also need a passphrase, which you must use whenever you use OpenSSL, so make sure to remember it.

agungsurya generates her set of key pairs with:

sudo openssl genrsa -aes256 -out agungsurya_private.pem 4096

This command uses OpenSSL's genrsa command to generate a 1024-bit public/private key pair. This is possible because the RSA algorithm is asymmetric. It also uses aes128, a symmetric key algorithm, to encrypt the private key that agungsurya generates using genrsa.

After entering the command, OpenSSL prompts agungsurya for a passphrase, which she must enter each time she wants to use the keys:

agungsurya $ openssl genrsa -aes128 -out agungsurya_private.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
..................................+++++
e is 65537 (0x010001)
Enter pass phrase for agungsurya_private.pem:
Verifying - Enter pass phrase for agungsurya_private.pem:
agungsurya $
agungsurya $
agungsurya $ ls -l agungsurya_private.pem
-rw-------. 1 agungsurya agungsurya 966 Mar 22 17:44 agungsurya_private.pem
agungsurya $
agungsurya $ file agungsurya_private.pem
agungsurya_private.pem: PEM RSA private key
agungsurya $

Bob follows the same procedure to create his key pair:

bob $ openssl genrsa -aes128 -out bob_private.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..................+++++
............................+++++
e is 65537 (0x010001)
Enter pass phrase for bob_private.pem:
Verifying - Enter pass phrase for bob_private.pem:
bob $
bob $ ls -l bob_private.pem
-rw-------. 1 bob bob 986 Mar 22 13:48 bob_private.pem
bob $
bob $ file bob_private.pem
bob_private.pem: PEM RSA private key
bob $

Step 2: Extract the public keys

Remember, the public key is the one you can freely share with others, whereas you must keep your private key secret. So, agungsurya must extract her public key and save it to a file using the following command:

agungsurya $ openssl rsa -in agungsurya_private.pem  -pubout > agungsurya_public.pem
Enter pass phrase for agungsurya_private.pem:
writing RSA key
agungsurya $
agungsurya $ ls -l *.pem
-rw-------. 1 agungsurya agungsurya 966 Mar 22 17:44 agungsurya_private.pem
-rw-rw-r--. 1 agungsurya agungsurya 272 Mar 22 17:47 agungsurya_public.pem
agungsurya $

Bob can follow the same process to extract his public key and save it to a file:

bob $ openssl rsa -in bob_private.pem -pubout > bob_public.pem
Enter pass phrase for bob_private.pem:
writing RSA key
bob $
bob $ ls -l *.pem
-rw-------. 1 bob bob 986 Mar 22 13:48 bob_private.pem
-rw-r--r--. 1 bob bob 272 Mar 22 13:51 bob_public.pem
bob $

Step 3: Exchange public keys

These public keys are not much use to agungsurya and Bob until they exchange them with each other. Several methods are available for sharing public keys, including copying the keys to each other's workstations using the scp command.

To send agungsurya's public key to Bob's workstation:

agungsurya $ scp agungsurya_public.pem bob@bob-machine-or-ip:/path/

To send Bob's public key to agungsurya's workstation:

bob $ scp bob_public.pem agungsurya@agungsurya-machine-or-ip:/path/

Now, agungsurya has Bob's public key and vice versa:

agungsurya $ ls -l bob_public.pem
-rw-r--r--. 1 agungsurya agungsurya 272 Mar 22 17:51 bob_public.pem
agungsurya $

bob $ ls -l agungsurya_public.pem
-rw-r--r--. 1 bob bob 272 Mar 22 13:54 agungsurya_public.pem
bob $

Step 4: Exchange one way encrypted messages with a public key

Say agungsurya needs to communicate secretly with Bob. She writes her secret message in a file and saves it to top_secret.txt. Since this is a regular file, anybody can open it and see its contents. There isn't much protection here:

agungsurya $
agungsurya $ echo "vim or emacs ?" > top_secret.txt
agungsurya $
agungsurya $ cat top_secret.txt
vim or emacs ?
agungsurya $

To encrypt this secret message, agungsurya needs to use the openssls -encrypt command. She needs to provide three inputs to the tool:

  1. The name of the file that contains the secret message
  2. Bob's public key (file)
  3. The name of a file where the encrypted message will be stored
agungsurya $ openssl rsautl -encrypt -inkey bob_public.pem -pubin -in top_secret.txt -out top_secret.enc
agungsurya $
agungsurya $ ls -l top_secret.*
-rw-rw-r--. 1 agungsurya agungsurya 128 Mar 22 17:54 top_secret.enc
-rw-rw-r--. 1 agungsurya agungsurya  15 Mar 22 17:53 top_secret.txt
agungsurya $
agungsurya $

After encryption, the original file is still viewable, whereas the newly created encrypted file looks like gibberish on the screen. You can be assured that the secret message has been encrypted:

agungsurya $ cat top_secret.txt
vim or emacs ?
agungsurya $
agungsurya $ cat top_secret.enc
�s��uM)M&>��N��}dmCy92#1X�q?��v���M��@��E�~��1�k~&PU�VhHL�@^P��(��zi�M�4p�e��g+R�1�Ԁ���s�������q_8�lr����C�I-��agungsurya $
agungsurya $
agungsurya $
agungsurya $ hexdump -C ./top_secret.enc
00000000  9e 73 12 8f e3 75 4d 29  4d 26 3e bf 80 4e a0 c5  |.s...uM)M&>..N..|
00000010  7d 64 6d 43 79 39 32 23  31 58 ce 71 f3 ba 95 a6  |}dmCy92#1X.q....|
00000020  c0 c0 76 17 fb f7 bf 4d  ce fc 40 e6 f4 45 7f db  |[email protected]..|
00000030  7e ae c0 31 f8 6b 10 06  7e 26 50 55 b5 05 56 68  |~..1.k..~&PU..Vh|
00000040  48 4c eb 40 5e 50 fe 19  ea 28 a8 b8 7a 13 69 d7  |HL.@^P...(..z.i.|
00000050  4d b0 34 70 d8 65 d5 07  95 67 2b 52 ea 31 aa d4  |M.4p.e...g+R.1..|
00000060  80 b3 a8 ec a1 73 ed a7  f9 17 c3 13 d4 fa c1 71  |.....s.........q|
00000070  5f 38 b9 6c 07 72 81 a6  fe af 43 a6 49 2d c4 ee  |_8.l.r....C.I-..|
00000080
agungsurya $
agungsurya $ file top_secret.enc
top_secret.enc: data
agungsurya $

Now agungsurya needs to send this encrypted file to Bob over a network, once again, using the scp command to copy the file to Bob's workstation. Remember, even if the file is intercepted, its contents are encrypted, so the contents can't be revealed:

agungsurya $  scp top_secret.enc bob@bob-machine-or-ip:/path/

Step 5: Decrypt the file using a private key

Bob needs to do his part by decrypting the message using OpenSSL, but this time using the -decrypt command-line argument. He needs to provide the following information to the utility:

  1. The encrypted file (which he got from agungsurya)
  2. Bob's own private key (for decryption, since it was encrypted using Bob's public key)
  3. A file name to save the decrypted output to via redirection
bob $ openssl rsautl -decrypt -inkey bob_private.pem -in top_secret.enc > top_secret.txt
Enter pass phrase for bob_private.pem:
bob $

Bob can now read the secret message that agungsurya sent him:

bob $ ls -l top_secret.txt
-rw-r--r--. 1 bob bob 15 Mar 22 14:02 top_secret.txt
bob $
bob $ cat top_secret.txt
vim or emacs ?
bob $

command

sudo openssl genrsa -aes256 -out agungsurya_private.pem 4096

openssl rsa -in agungsurya_private.pem  -pubout > agungsurya_public.pem

Enter pass phrase for agungsurya_private.pem:
writing RSA key

echo "vim or emacs ?" > top_secret.txt

openssl rsautl -encrypt -inkey agungsurya_public.pem -pubin -in top_secret.txt -out top_secret.e
nc

openssl rsautl -decrypt -inkey agungsurya_private.pem -in top_secret.enc > top_secret-dcrypt.txt

Enter pass phrase for agungsurya_private.pem:

cat top_secret-dcrypt.txt