Best IT Recipes

How to encrypt a large file in openssl using a public key

How can I encrypt a large file with a public key so that no one but the private key can decrypt it?

I can make RSA public and private keys, but when it comes to encrypting a large file with this command:

openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml

and how can I perform decryption also ....

i create my private and public key using the following commands

 openssl genrsa -out private.pem 1024 openssl rsa -in private.pem -out public.pem -outform PEM -pubout

I get this error:

 RSA operation error 3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151:

I tried to make keys ranging in size from 1024 to 1200 bits, no luck, same error

+54
linux openssl
Aug 22 2018-11-11T00:
source share
7 answers

The public key script is not intended to encrypt arbitrarily long files. One uses a symmetric cipher (e.g. AES) for normal encryption. Each time a new random symmetric key is generated, it is used and then encrypted using RSA encryption (public key). The encrypted text along with the encrypted symmetric key is transmitted to the recipient. The receiver decrypts the symmetric key using its private key, and then uses the symmetric key to decrypt the message.

The private key is never shared; only the public key is used to encrypt a random symmetric cipher.

+64
Aug 22 '11 at 10:59
source share
β€” -

Solution for safe and highly secure encoding of any file in OpenSSL and command line:

You must have an X.509 certificate ready to encrypt PEM files.

Encrypt file:

 openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem

What is what:

  • smime - ssl command for the S / MIME utility (smime (1) )
  • -encrypt - the selected method for the file process
  • -binary - use a safe file process. Usually the input message is converted to the "canonical" format, as required by the S / MIME specification, this switch disables it. This is necessary for all binary files (for example, images, sounds, ZIP archives).
  • -aes-256-cbc - the selected 256-bit AES cipher for encryption (strong). If 40 bits of RC2 are not specified (very weak). ( Supported Ciphers )
  • -in plainfile.zip - input file name
  • -out encrypted.zip.enc - output file name
  • -outform DER - encode the output file as binary. If not specified, the file is base64 encoded and the file size will be increased by 30%.
  • yourSslCertificate.pem is the name of your certificate file. This should be in PEM format.

This command can very effectively encrypt large files regardless of their format.
Known Issue: Something goes wrong when you try to encrypt a huge file (> 600 MB). The error has been reset, but the encrypted file will be corrupted. Always check every file! (or use PGP, which has great support for encrypting public key files)

Decrypt file:

 openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password

What is what:

  • -inform DER - the same as above,
  • -inkey private.key is the name of your private key file. It must be in PEM format and can be encrypted with a password.
  • -passin pass: your_password - your password for encrypting the private key. ( passphrase arguments )
+65
Sep 02
source share

You cannot directly encrypt a large file with rsautl . instead, do the following:

  • Create a key using openssl rand , for example. openssl rand 32 -out keyfile
  • Encrypt the key file with openssl rsautl
  • Encrypt the data with openssl enc using the generated key from step 1.
  • An encrypted key file package with encrypted data. the recipient will need to decrypt the key using his private key, and then decrypt the data using the received key.
+27
Aug 22 '11 at 12:14
source share

Encryption of a very large file with smime is not recommended, since you can encrypt large files using the -stream option, but do not decrypt the resulting file due to hardware limitations, see the problem of decrypting large files

As mentioned above, public key cryptocurrencies are not designed to encrypt arbitrarily long files. Therefore, the following commands will generate a missing phrase, encrypt the file using symmetric encryption, and then encrypt the missing phrase using an asymmetric (public key). Note: smime includes using the primary public key and the backup key to encrypt the phrase. A backup public / private key pair would be reasonable.

Random Password Generation

Set the RANDFILE value to a file accessible to the current user, generate the passwd.txt file and clear the settings

 export OLD_RANDFILE=$RANDFILE RANDFILE=~/rand1 openssl rand -base64 2048 > passwd.txt rm ~/rand1 export RANDFILE=$OLD_RANDFILE

Encryption

Use the commands below to encrypt the file, using passwd.txt as the password and AES256 for the base64 (-a) file. Encrypt passwd.txt using asymmetric encryption in the XXLarge.crypt.pass file using the primary public key and the backup key.

 openssl enc -aes-256-cbc -a -salt -in XXLarge.data -out XXLarge.crypt -pass file:passwd.txt openssl smime -encrypt -binary -in passwd.txt -out XXLarge.crypt.pass -aes256 PublicKey1.pem PublicBackupKey.pem rm passwd.txt

decryption

The decryption simply decrypts XXLarge.crypt.pass for passwd.tmp, decrypts XXLarge.crypt to XXLarge2.data, and deletes the passwd.tmp file.

 openssl smime -decrypt -binary -in XXLarge.crypt.pass -out passwd.tmp -aes256 -recip PublicKey1.pem -inkey PublicKey1.key openssl enc -d -aes-256-cbc -a -in XXLarge.crypt -out XXLarge2.data -pass file:passwd.tmp rm passwd.tmp

This has been tested against files> 5 GB.

 5365295400 Nov 17 10:07 XXLarge.data 7265504220 Nov 17 10:03 XXLarge.crypt 5673 Nov 17 10:03 XXLarge.crypt.pass 5365295400 Nov 17 10:07 XXLarge2.data
+20
Nov 17 '13 at 12:07 on
source share

To safely encrypt large files (> 600 MB) with openssl smime , you will have to split each file into small fragments:

 # Splits large file into 500MB pieces split -b 500M -d -a 4 INPUT_FILE_NAME input.part. # Encrypts each piece find -maxdepth 1 -type f -name 'input.part.*' | sort | xargs -I % openssl smime -encrypt -binary -aes-256-cbc -in % -out %.enc -outform DER PUBLIC_PEM_FILE

For information, here's how to decrypt and connect all the parts:

 # Decrypts each piece find -maxdepth 1 -type f -name 'input.part.*.enc' | sort | xargs -I % openssl smime -decrypt -in % -binary -inform DEM -inkey PRIVATE_PEM_FILE -out %.dec # Puts all together again find -maxdepth 1 -type f -name 'input.part.*.dec' | sort | xargs cat > RESTORED_FILE_NAME
+3
Nov 19 '15 at 11:01
source share

Maybe you should check the accepted answer to this question ( How to encrypt data in php using public / private keys? ).

Instead of manual operation with a message size limit (or possibly a sign) of RSA, it shows how to use the S / mime OpenSSL function to perform the same action and does not need to manually manipulate the symmetric key.

+2
Aug 17 '12 at 1:20
source share

I found the instructions at http://www.czeskis.com/random/openssl-encrypt-file.html useful.

To rephrase the linked site with the file names from your example:

Create a symmetric key, because you can encrypt large files with it

 openssl rand -base64 32 > key.bin

Encrypt a large file with a symmetric key

 openssl enc -aes-256-cbc -salt -in myLargeFile.xml \ -out myLargeFile.xml.enc -pass file:./key.bin

Encrypt a symmetric key so that you can safely send it to another person

 openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.enc

Destroy the unencrypted symmetric key so that no one finds it

 shred -u key.bin

At this point, you send the encrypted symmetric key ( key.bin.enc ) and the encrypted large file ( myLargeFile.xml.enc ) to another person

Another person can then decrypt the symmetric key using his personal using

 openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.bin

Now they can use the symmetric key to decrypt the file.

 openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \ -out myLargeFile.xml -pass file:./key.bin

And you're done. The other person has the decrypted file and it was sent securely.

0
Nov 27 '17 at 5:26
source share


More articles:


All Articles