OpenSSL: Simple Public Key Encryption
Full of situations when you need to encrypt a specific file or folder. For example, if data is transmitted over open channels or stored on external media. Many (including me) use truecrypt, but the main purpose of this program is to work with encrypted partitions, so it is not very good in this case.
For such tasks, OpenSSL is quite suitable - a reliable cross-platform solution. OpenSSL supports various encryption algorithms, plus it is installed by default on many operating systems, and installing on the rest is easy.
Under habrakat - the basics of using symmetric and asymmetric encryption in OpenSSL, and also a couple of scripts that simplify asymmetric encryption with a one-time key.
The simplest way to protect data with OpenSSL is symmetric encryption. The following commands encrypt and decrypt the documents.zip file using the AES algorithm with a key length of 256 bits:
')
The problem with these commands may be that they require a password. There are situations when it is undesirable. For example, automatic backup / encryption of data on a schedule, or if the data is encrypted by one person and decrypted by another.
For such cases, public key encryption was invented. In general, you will need to create public and private keys. The first command will generate the private key private.pem, the second will create the public key public.pem:
As a result, you get a pair of RSA keys with a length of 2048 bits. Unfortunately, in the RSA system, the size of the encrypted data is limited by the key size, therefore, it is impossible to encrypt more than 2K of data. There is a way around this — information is first encrypted with a symmetric algorithm (like that used above) using a one-time key. Then this one-time key is encrypted with the public key. When decrypting a one-time key is decrypted closed. More about this was already very well written in an article on Habré .
Automate encryption will help the following script, the output of which you will receive a one-time key and data (encrypt.sh) in encrypted form:
The following command uses the public key public.pem to encrypt the documents.zip file. It will generate an encrypted one-time session.key key and the encrypted data of documents.enc:
Script to decrypt (decrypt.sh):
The command to decrypt uses the private key private.pem and one-time key session.key to decrypt the documents.enc file. It will generate the documents.zip file:
As you can see, public key encryption can be almost as simple as symmetric. But there is an even simpler way. SbF S blog prompted me to write this post. Its author (undoubtedly more sophisticated in bash than I) wrote a script that archives a folder, encrypts it with a public key, and generates another script that contains everything you need: a one-time key, data, and the actual commands to decrypt. In addition, the script can generate for you a pair of RSA keys:
In this example, we first generated a pair of keys. After that, the folder folder was encrypted in the decrypt-folder.sh script and then decrypted into the folder.tar archive. A possible disadvantage of this method is that the data in decrypt-folder.sh are stored in BASE64 format, and therefore their size increases.
That is, in fact, what I wanted to share. If someone has comments or questions - write in the comments, I will try to answer.
UPD Moved to blog Information Security.
For such tasks, OpenSSL is quite suitable - a reliable cross-platform solution. OpenSSL supports various encryption algorithms, plus it is installed by default on many operating systems, and installing on the rest is easy.
Under habrakat - the basics of using symmetric and asymmetric encryption in OpenSSL, and also a couple of scripts that simplify asymmetric encryption with a one-time key.
The simplest way to protect data with OpenSSL is symmetric encryption. The following commands encrypt and decrypt the documents.zip file using the AES algorithm with a key length of 256 bits:
')
openssl enc -aes-256-cbc -salt -in documents.zip -out documents.enc
openssl enc -d -aes-256-cbc -in documents.enc -out documents.zipThe problem with these commands may be that they require a password. There are situations when it is undesirable. For example, automatic backup / encryption of data on a schedule, or if the data is encrypted by one person and decrypted by another.
For such cases, public key encryption was invented. In general, you will need to create public and private keys. The first command will generate the private key private.pem, the second will create the public key public.pem:
openssl genrsa -out private.pem -aes256 2048
openssl rsa -in private.pem -pubout -out public.pemAs a result, you get a pair of RSA keys with a length of 2048 bits. Unfortunately, in the RSA system, the size of the encrypted data is limited by the key size, therefore, it is impossible to encrypt more than 2K of data. There is a way around this — information is first encrypted with a symmetric algorithm (like that used above) using a one-time key. Then this one-time key is encrypted with the public key. When decrypting a one-time key is decrypted closed. More about this was already very well written in an article on Habré .
Automate encryption will help the following script, the output of which you will receive a one-time key and data (encrypt.sh) in encrypted form:
# !/bin/bash
FILENAME="$1"
PUBLICKEY="$2"
SESSIONKEY="$3"
RESULT="$4"
# Generate the random symmetric-key
PASSIZE=30
if [ -c /dev/urandom ] ; then
KEY=`head -c 30 /dev/urandom | openssl enc -base64`
else
KEY=`openssl rand -base64 30`
fi
export KEY
# Encrypt the symmetric key using the public key
openssl rsautl -encrypt -inkey "$PUBLICKEY" -out "$SESSIONKEY" -pubin <<EOF
$KEY
EOF
# Encrypt the file
openssl enc -aes-256-cbc -pass env:KEY -in "$FILENAME" -out "$RESULT"The following command uses the public key public.pem to encrypt the documents.zip file. It will generate an encrypted one-time session.key key and the encrypted data of documents.enc:
./encrypt.sh documents.zip public.pem session.key documents.encScript to decrypt (decrypt.sh):
# !/bin/bash
PRIVATEKEY="$1"
SESSIONKEY="$2"
ENCRYPTED="$3"
DECRYPTED="$4"
# Decrypt the symmetric key using the private key
KEY=` openssl rsautl -decrypt -inkey "$PRIVATEKEY" -in "$SESSIONKEY" `
export KEY
# Decrypt the file
openssl enc -aes-256-cbc -d -pass env:KEY -in "$ENCRYPTED" -out "$DECRYPTED"The command to decrypt uses the private key private.pem and one-time key session.key to decrypt the documents.enc file. It will generate the documents.zip file:
./decrypt.sh private.pem session.key documents.enc documents.zipAs you can see, public key encryption can be almost as simple as symmetric. But there is an even simpler way. SbF S blog prompted me to write this post. Its author (undoubtedly more sophisticated in bash than I) wrote a script that archives a folder, encrypts it with a public key, and generates another script that contains everything you need: a one-time key, data, and the actual commands to decrypt. In addition, the script can generate for you a pair of RSA keys:
./encrypt-file.sh -keys public.pem private.pem
./encrypt-file.sh folder public.pem > decrypt-folder.sh
chmod +x decrypt-folder.sh
./decrypt-folder.sh private.pem > folder.tarIn this example, we first generated a pair of keys. After that, the folder folder was encrypted in the decrypt-folder.sh script and then decrypted into the folder.tar archive. A possible disadvantage of this method is that the data in decrypt-folder.sh are stored in BASE64 format, and therefore their size increases.
That is, in fact, what I wanted to share. If someone has comments or questions - write in the comments, I will try to answer.
UPD Moved to blog Information Security.
Source: https://habr.com/ru/post/61670/
All Articles