Main » 2011 » Март » 16 » Openssl a simple publickey encryption
13:07
Openssl a simple publickey encryption
Full of situations where you want to encrypt a file or folder. For example, if data is transmitted over open channels, or stored on external media. Many (including myself) use truecrypt, but the main purpose of this program - work with encrypted sections, so it is not very good in this case.

For such problems is well suited OpenSSL - a reliable cross-platform solution. OpenSSL supports various encryption algorithms, plus it is the default in many operating systems, and installation of the rest is a breeze.

Under habrakatom - the basics of using symmetric and asymmetric encryption OpenSSL, and TAKE a couple of scripts simplify the asymmetric encryption with a one-time key.

The easiest way to protect data using OpenSSL - symmetric encryption. The following commands encrypt and decrypt files documents.zip, using AES algorithm with key length 256 bits:

openssl enc-aes-256-cbc-salt-in documents.zip-out documents.enc
openssl enc - d-aes-256-cbc-in documents.enc-out documents.zip

The problem with these teams could be that they require a password. There are situations when this is undesirable. For example, the automatic backup / encryption of data on a schedule, or if data is encrypted and decrypted by one person by another.

Just for these cases was invented public-key encryption. In general, you need to create public and private keys. The first command generates a private key private.pem, the second will create a public key public.pem:

openssl genrsa-out private.pem-aes256 2048
openssl rsa-in private.pem-pubout-out public.pem

The result is a pair of RSA keys of length 2048 bits. Unfortunately, in the size of the RSA encrypted data is limited to key size, and therefore encode more than 2KB of data will not work. There is a way around it - the information is first encrypted with a symmetric algorithm (similar to that used above) using a single key. Then this one-time key is encrypted with the public key. When interpreting a one-time key is decrypted private. More on this already very well written article on the Habre.

Automate encryption will the following script, the output of which you will receive a one-time key and data (encrypt.sh) in encrypted form:

#! / Bin / bash

FILENAME = "$ 1"
PUBLICKEY = "$ 2"
SESSIONKEY = "$ 3"
RESULT = "$ 4"

# Generate the random symmetric-key
PASSIZE = 30
if [-c / dev / urandom]; then
KEY = `head-c 30 / dev / urandom | openssl enc-base64`
else
KEY = `openssl rand-base64 30`
fi
export KEY

# Encrypt the symmetric key using the public key
openssl rsautl-encrypt-inkey "$ PUBLICKEY"-out "$ SESSIONKEY"-pubin <<EOF
$ KEY
EOF

# Encrypt the file
openssl enc-aes-256-cbc-pass env: KEY-in "$ FILENAME"-out "$ RESULT"

Next command uses the public key to encrypt a file public.pem documents.zip. It will generate an encrypted one-time key and the encrypted data session.key documents.enc:

./ encrypt.sh documents.zip public.pem session.key documents.enc

script to decrypt (decrypt.sh):

#! / bin / bash

PRIVATEKEY = "$ 1"
SESSIONKEY = "$ 2"
ENCRYPTED = "$ 3"
DECRYPTED = "$ 4"

# Decrypt the symmetric key using the private key
KEY = `openssl rsautl-decrypt-inkey" $ PRIVATEKEY "-in" $ SESSIONKEY "`
export KEY

# Decrypt the file
openssl enc-aes-256-cbc-d-pass env: KEY-in "$ ENCRYPTED"-out "$ DECRYPTED"

command to decrypt using the private key and one-time private.pem session.key key to decrypt the file documents. enc. It generates a file documents.zip:

./ decrypt.sh private.pem session.key documents.enc documents.zip

As you can see, public-key encryption can be almost as simple as symmetrical. But there is an even easier way. At the writing of this post prompted me to blog SbF?. Its author (certainly more sophisticated than I am in bash) wrote a script that backs up the folder, it encrypts the public key and generates another script, which contains everything you need: a one-time key data and the actual command to decrypt. In addition, the script can generate for you a couple of RSA keys:

./ encrypt-file.sh-keys public.pem private.pem
./ encrypt-file.sh folder public.pem> decrypt-folder. sh
chmod + x decrypt-folder.sh
./ decrypt-folder.sh private.pem> folder.tar

In this example, we first generated the key pair. After this folder folder was encrypted in the script decrypt-folder.sh and then decrypt the archive folder.tar. Possible negative this way - what data to decrypt-folder.sh are stored in BASE64, and hence their size increases.

That's what I wanted to share. If anyone has any comments or questions - please write in the comments, try to answer.

UPD Moved to the blog Information Security.
Views: 711 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: