如何使用公钥加密openssl中的大文件
[英]How to encrypt a large file in openssl using public key
问题描述
How can I encrypt a large file with a public key so that no one other than who has the private key be able to decrypt it?
如何使用公钥加密大文件,以便只有拥有私钥的人才能解密它?
I can make RSA public and private keys but when it comes to encrypting a large file using this command:我可以制作 RSA 公钥和私钥,但是在使用此命令加密大文件时:
openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml
and how can i perform the decryption also....以及我如何执行解密也....
i create my private and public key by the following commands我通过以下命令创建我的私钥和公钥
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
I get this error:我收到此错误:
RSA operation error
3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151:
I tried to make keys with sizes from 1024 to 1200 bits, no luck, same error我试图制作大小从 1024 到 1200 位的密钥,没有运气,同样的错误
8 个解决方案
解决方案1
84 已采纳 2011-08-22 10:59:22
Public-key crypto is not for encrypting arbitrarily long files.公钥加密不用于加密任意长的文件。 One uses a symmetric cipher (say AES) to do the normal encryption.一种使用对称密码(比如 AES)来进行普通加密。 Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key).每次生成、使用新的随机对称密钥,然后使用 RSA 密码(公钥)加密。 The ciphertext together with the encrypted symmetric key is transferred to the recipient.密文与加密的对称密钥一起传送给接收者。 The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.接收者使用他的私钥解密对称密钥,然后使用对称密钥解密消息。
The private key is never shared, only the public key is used to encrypt the random symmetric cipher.私钥永远不会共享,只有公钥用于加密随机对称密码。
解决方案2
76 2012-09-02 05:38:06
Solution for safe and high secured encode anyone file in OpenSSL and command-line:在 OpenSSL 和命令行中安全和高度安全地编码任何文件的解决方案:
You should have ready some X.509 certificate for encrypt files in PEM format.您应该准备好一些用于加密 PEM 格式文件的 X.509 证书。
Encrypt file:加密文件:
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
What is what:什么是什么:
- smime - ssl command for S/MIME utility ( smime(1) ) smime - S/MIME 实用程序的 ssl 命令 ( smime(1) )
- -encrypt - chosen method for file process -encrypt - 选择的文件处理方法
- -binary - use safe file process. -binary - 使用安全文件进程。 Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it.通常,输入消息会根据 S/MIME 规范的要求转换为“规范”格式,此开关禁用它。 It is necessary for all binary files (like a images, sounds, ZIP archives).所有二进制文件(如图像、声音、ZIP 档案)都需要它。
- -aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). -aes-256-cbc - 选择 256 位密码 AES 进行加密(强)。 If not specified 40 bit RC2 is used (very weak).如果未指定,则使用 40 位 RC2(非常弱)。 ( Supported ciphers ) (支持的密码)
- -in plainfile.zip - input file name -in plainfile.zip - 输入文件名
- -out encrypted.zip.enc - output file name -out encrypted.zip.enc - 输出文件名
- -outform DER - encode output file as binary. -outform DER - 将输出文件编码为二进制文件。 If is not specified, file is encoded by base64 and file size will be increased by 30%.如果不指定,文件采用 base64 编码,文件大小将增加 30%。
- yourSslCertificate.pem - file name of your certificate's. yourSslCertificate.pem - 证书的文件名。 That should be in PEM format.那应该是 PEM 格式。
That command can very effectively a strongly encrypt big files regardless of its format.该命令可以非常有效地对大文件进行强力加密,无论其格式如何。
Known issue: Something wrong happens when you try encrypt huge file (>600MB).已知问题:当您尝试加密大文件 (>600MB) 时会发生错误。 No error thrown, but encrypted file will be corrupted.不会抛出错误,但加密文件会被破坏。 Always verify each file!始终验证每个文件! (or use PGP - that has bigger support for files encryption with public key) (或使用 PGP - 它对使用公钥的文件加密有更大的支持)
Decrypt file:解密文件:
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
What is what:什么是什么:
- -inform DER - same as -outform above -inform DER - 与上面的-outform相同
- -inkey private.key - file name of your private key. -inkey private.key - 私钥的文件名。 That should be in PEM format and can be encrypted by password.那应该是 PEM 格式,并且可以通过密码加密。
- -passin pass:your_password - your password for private key encrypt. -passin pass:your_password - 您的私钥加密密码。 ( passphrase arguments ) ( 密码参数)
解决方案3
33 2017-11-27 05:26:51
I found the instructions at http://www.czeskis.com/random/openssl-encrypt-file.html useful.我发现http://www.czeskis.com/random/openssl-encrypt-file.html 上的说明很有用。
To paraphrase the linked site with filenames from your example:用您的示例中的文件名来解释链接的站点:
Generate a symmetric key because you can encrypt large files with it
openssl rand -base64 32 > key.binEncrypt the large file using the symmetric key
openssl enc -aes-256-cbc -salt -in myLargeFile.xml \\ -out myLargeFile.xml.enc -pass file:./key.binEncrypt the symmetric key so you can safely send it to the other person
openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.encDestroy the un-encrypted symmetric key so nobody finds it
shred -u key.binAt this point, you send the encrypted symmetric key (
key.bin.enc) and the encrypted large file (myLargeFile.xml.enc) to the other personkey.bin.enc)和加密的大文件(myLargeFile.xml.enc)发送给对方The other person can then decrypt the symmetric key with their private key using
openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.binNow they can use the symmetric key to decrypt the file
openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \\ -out myLargeFile.xml -pass file:./key.bin
And you're done.你已经完成了。 The other person has the decrypted file and it was safely sent.另一个人拥有解密的文件,并已安全发送。
解决方案4
31 2011-08-22 12:14:19
You can't directly encrypt a large file using rsautl .您不能使用rsautl直接加密大文件。 instead, do something like the following:相反,请执行以下操作:
- Generate a key using
openssl rand, eg.使用openssl rand生成密钥,例如。openssl rand 32 -out keyfile - Encrypt the key file using
openssl rsautl使用openssl rsautl加密密钥文件 - Encrypt the data using
openssl enc, using the generated key from step 1.使用openssl enc加密数据,使用步骤 1 中生成的密钥。 - Package the encrypted key file with the encrypted data.将加密的密钥文件与加密的数据打包在一起。 the recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.接收者需要用他们的私钥解密密钥,然后用得到的密钥解密数据。
解决方案5
24 2013-11-17 12:07:12
Encrypting a very large file using smime is not advised since you might be able to encrypt large files using the -stream option, but not decrypt the resulting file due to hardware limitations see: problem decrypting big files不建议使用 smime 加密非常大的文件,因为您可能能够使用 -stream 选项加密大文件,但由于硬件限制无法解密生成的文件, 请参阅:problem encrypted big files
As mentioned above Public-key crypto is not for encrypting arbitrarily long files.如上所述,公钥加密不是用于加密任意长的文件。 Therefore the following commands will generate a pass phrase, encrypt the file using symmetric encryption and then encrypt the pass phrase using the asymmetric (public key).因此,以下命令将生成密码短语,使用对称加密对文件进行加密,然后使用非对称(公钥)加密密码短语。 Note: the smime includes the use of a primary public key and a backup key to encrypt the pass phrase.注意:smime 包括使用主公钥和备份密钥来加密密码短语。 A backup public/private key pair would be prudent.备份公钥/私钥对是谨慎的。
Random Password Generation随机密码生成
Set up the RANDFILE value to a file accessible by the current user, generate the passwd.txt file and clean up the settings将 RANDFILE 值设置为当前用户可访问的文件,生成 passwd.txt 文件并清理设置
export OLD_RANDFILE=$RANDFILE
RANDFILE=~/rand1
openssl rand -base64 2048 > passwd.txt
rm ~/rand1
export RANDFILE=$OLD_RANDFILE
Encryption加密
Use the commands below to encrypt the file using the passwd.txt contents as the password and AES256 to a base64 (-a option) file.使用以下命令加密文件,使用 passwd.txt 内容作为密码,将 AES256 加密为 base64(-a 选项)文件。 Encrypt the passwd.txt using asymetric encryption into the file XXLarge.crypt.pass using a primary public key and a backup key.使用主公钥和备份密钥使用非对称加密将 passwd.txt 加密到文件 XXLarge.crypt.pass 中。
openssl enc -aes-256-cbc -a -salt -in XXLarge.data -out XXLarge.crypt -pass file:passwd.txt
openssl smime -encrypt -binary -in passwd.txt -out XXLarge.crypt.pass -aes256 PublicKey1.pem PublicBackupKey.pem
rm passwd.txt
Decryption解密
Decryption simply decrypts the XXLarge.crypt.pass to passwd.tmp, decrypts the XXLarge.crypt to XXLarge2.data, and deletes the passwd.tmp file.解密只是将XXLarge.crypt.pass解密为passwd.tmp,将XXLarge.crypt解密为XXLarge2.data,并删除passwd.tmp文件。
openssl smime -decrypt -binary -in XXLarge.crypt.pass -out passwd.tmp -aes256 -recip PublicKey1.pem -inkey PublicKey1.key
openssl enc -d -aes-256-cbc -a -in XXLarge.crypt -out XXLarge2.data -pass file:passwd.tmp
rm passwd.tmp
This has been tested against >5GB files..这已经针对 > 5GB 的文件进行了测试。
5365295400 Nov 17 10:07 XXLarge.data
7265504220 Nov 17 10:03 XXLarge.crypt
5673 Nov 17 10:03 XXLarge.crypt.pass
5365295400 Nov 17 10:07 XXLarge2.data
解决方案6
6 2020-02-23 14:24:45
In more explanation for n. 'pronouns' m.在对n. 'pronouns' m.更多解释中n. 'pronouns' m. n. 'pronouns' m. 's answer,的回答,
Public-key crypto is not for encrypting arbitrarily long files.
There is the flow of Encryption :有加密流程:
+---------------------+ +--------------------+
| | | |
| generate random key | | the large file |
| (R) | | (F) |
| | | |
+--------+--------+---+ +----------+---------+
| | |
| +------------------+ |
| | |
v v v
+--------+------------+ +--------+--+------------+
| | | |
| encrypt (R) with | | encrypt (F) |
| your RSA public key | | with symmetric key (R) |
| | | |
| ASym(PublicKey, R) | | EF = Sym(F, R) |
| | | |
+----------+----------+ +------------+-----------+
| |
+------------+ +--------------+
| |
v v
+--------------+-+---------------+
| |
| send this files to the peer |
| |
| ASym(PublicKey, R) + EF |
| |
+--------------------------------+
And the flow of Decryption :以及解密流程:
+----------------+ +--------------------+
| | | |
| EF = Sym(F, R) | | ASym(PublicKey, R) |
| | | |
+-----+----------+ +---------+----------+
| |
| |
| v
| +-------------------------+-----------------+
| | |
| | restore key (R) |
| | |
| | R <= ASym(PrivateKey, ASym(PublicKey, R)) |
| | |
| +---------------------+---------------------+
| |
v v
+---+-------------------------+---+
| |
| restore the file (F) |
| |
| F <= Sym(Sym(F, R), R) |
| |
+---------------------------------+
Besides, you can use this commands:此外,您可以使用以下命令:
# generate random symmetric key
openssl rand -base64 32 > /config/key.bin
# encryption
openssl rsautl -encrypt -pubin -inkey /config/public_key.pem -in /config/key.bin -out /config/key.bin.enc
openssl aes-256-cbc -a -pbkdf2 -salt -in $file_name -out $file_name.enc -kfile /config/key.bin
# now you can send these files: $file_name.enc + /config/key.bin.enc
# decryption
openssl rsautl -decrypt -inkey /config/private_key.pem -in /config/key.bin.enc -out /config/key.bin
openssl aes-256-cbc -d -a -pbkdf2 -in $file_name.enc -out $file_name -kfile /config/key.bin
解决方案7
3 2015-11-19 11:01:56
To safely encrypt large files (>600MB) with openssl smime you'll have to split each file into small chunks:要使用openssl smime安全地加密大文件(> 600MB),您必须将每个文件分成小块:
# Splits large file into 500MB pieces
split -b 500M -d -a 4 INPUT_FILE_NAME input.part.
# Encrypts each piece
find -maxdepth 1 -type f -name 'input.part.*' | sort | xargs -I % openssl smime -encrypt -binary -aes-256-cbc -in % -out %.enc -outform DER PUBLIC_PEM_FILE
For the sake of information, here is how to decrypt and put all pieces together:为了提供信息,以下是解密并将所有部分放在一起的方法:
# Decrypts each piece
find -maxdepth 1 -type f -name 'input.part.*.enc' | sort | xargs -I % openssl smime -decrypt -in % -binary -inform DEM -inkey PRIVATE_PEM_FILE -out %.dec
# Puts all together again
find -maxdepth 1 -type f -name 'input.part.*.dec' | sort | xargs cat > RESTORED_FILE_NAME
解决方案8
2 2012-08-17 01:20:43
Maybe you should check out the accepted answer to this ( How to encrypt data in php using Public/Private keys? ) question.也许您应该查看此问题的已接受答案( 如何使用公钥/私钥在 php 中加密数据? )问题。
Instead of manually working around the message size limitation (or perhaps a trait) of RSA, it shows how to use the S/mime feature of OpenSSL to do the same thing and not needing to juggle with the symmetric key manually.它没有手动解决 RSA 的消息大小限制(或者可能是一个特征),而是展示了如何使用 OpenSSL 的 S/mime 功能来做同样的事情,而不需要手动处理对称密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.