[英]How to encrypt a large file in openssl using public key
How can I encrypt a large file with a public key so that no one other than who has the private key be able to decrypt it?如何使用公钥加密大文件,以便只有拥有私钥的人才能解密它?
I can make RSA public and private keys but when it comes to encrypting a large file using this command:我可以制作 RSA 公钥和私钥,但是在使用此命令加密大文件时:
openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml
and how can i perform the decryption also....以及我如何执行解密也....
i create my private and public key by the following commands我通过以下命令创建我的私钥和公钥
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
I get this error:我收到此错误:
RSA operation error
3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151:
I tried to make keys with sizes from 1024 to 1200 bits, no luck, same error我试图制作大小从 1024 到 1200 位的密钥,没有运气,同样的错误
Public-key crypto is not for encrypting arbitrarily long files.公钥加密不用于加密任意长的文件。 One uses a symmetric cipher (say AES) to do the normal encryption.一种使用对称密码(比如 AES)来进行普通加密。 Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key).每次生成、使用新的随机对称密钥,然后使用 RSA 密码(公钥)加密。 The ciphertext together with the encrypted symmetric key is transferred to the recipient.密文与加密的对称密钥一起传送给接收者。 The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.接收者使用他的私钥解密对称密钥,然后使用对称密钥解密消息。
The private key is never shared, only the public key is used to encrypt the random symmetric cipher.私钥永远不会共享,只有公钥用于加密随机对称密码。
Solution for safe and high secured encode anyone file in OpenSSL and command-line:在 OpenSSL 和命令行中安全和高度安全地编码任何文件的解决方案:
You should have ready some X.509 certificate for encrypt files in PEM format.您应该准备好一些用于加密 PEM 格式文件的 X.509 证书。
Encrypt file:加密文件:
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
What is what:什么是什么:
That command can very effectively a strongly encrypt big files regardless of its format.该命令可以非常有效地对大文件进行强力加密,无论其格式如何。
Known issue: Something wrong happens when you try encrypt huge file (>600MB).已知问题:当您尝试加密大文件 (>600MB) 时会发生错误。 No error thrown, but encrypted file will be corrupted.不会抛出错误,但加密文件会被破坏。 Always verify each file!始终验证每个文件! (or use PGP - that has bigger support for files encryption with public key) (或使用 PGP - 它对使用公钥的文件加密有更大的支持)
Decrypt file:解密文件:
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
What is what:什么是什么:
I found the instructions at http://www.czeskis.com/random/openssl-encrypt-file.html useful.我发现http://www.czeskis.com/random/openssl-encrypt-file.html 上的说明很有用。
To paraphrase the linked site with filenames from your example:用您的示例中的文件名来解释链接的站点:
Generate a symmetric key because you can encrypt large files with it生成对称密钥,因为您可以用它加密大文件
openssl rand -base64 32 > key.bin
Encrypt the large file using the symmetric key使用对称密钥加密大文件
openssl enc -aes-256-cbc -salt -in myLargeFile.xml \\ -out myLargeFile.xml.enc -pass file:./key.bin
Encrypt the symmetric key so you can safely send it to the other person加密对称密钥,以便您可以安全地将其发送给其他人
openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.enc
Destroy the un-encrypted symmetric key so nobody finds it销毁未加密的对称密钥,以便没有人找到它
shred -u key.bin
At this point, you send the encrypted symmetric key (
key.bin.enc
) and the encrypted large file (myLargeFile.xml.enc
) to the other person此时,您将加密的对称密钥(key.bin.enc
)和加密的大文件(myLargeFile.xml.enc
)发送给对方The other person can then decrypt the symmetric key with their private key using然后另一个人可以使用他们的私钥解密对称密钥
openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.bin
Now they can use the symmetric key to decrypt the file现在他们可以使用对称密钥来解密文件
openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \\ -out myLargeFile.xml -pass file:./key.bin
And you're done.你已经完成了。 The other person has the decrypted file and it was safely sent.另一个人拥有解密的文件,并已安全发送。
You can't directly encrypt a large file using rsautl
.您不能使用rsautl
直接加密大文件。 instead, do something like the following:相反,请执行以下操作:
openssl rand
, eg.使用openssl rand
生成密钥,例如。 openssl rand 32 -out keyfile
openssl rsautl
使用openssl rsautl
加密密钥文件openssl enc
, using the generated key from step 1.使用openssl enc
加密数据,使用步骤 1 中生成的密钥。Encrypting a very large file using smime is not advised since you might be able to encrypt large files using the -stream option, but not decrypt the resulting file due to hardware limitations see: problem decrypting big files不建议使用 smime 加密非常大的文件,因为您可能能够使用 -stream 选项加密大文件,但由于硬件限制无法解密生成的文件, 请参阅:problem encrypted big files
As mentioned above Public-key crypto is not for encrypting arbitrarily long files.如上所述,公钥加密不是用于加密任意长的文件。 Therefore the following commands will generate a pass phrase, encrypt the file using symmetric encryption and then encrypt the pass phrase using the asymmetric (public key).因此,以下命令将生成密码短语,使用对称加密对文件进行加密,然后使用非对称(公钥)加密密码短语。 Note: the smime includes the use of a primary public key and a backup key to encrypt the pass phrase.注意:smime 包括使用主公钥和备份密钥来加密密码短语。 A backup public/private key pair would be prudent.备份公钥/私钥对是谨慎的。
Set up the RANDFILE value to a file accessible by the current user, generate the passwd.txt file and clean up the settings将 RANDFILE 值设置为当前用户可访问的文件,生成 passwd.txt 文件并清理设置
export OLD_RANDFILE=$RANDFILE
RANDFILE=~/rand1
openssl rand -base64 2048 > passwd.txt
rm ~/rand1
export RANDFILE=$OLD_RANDFILE
Use the commands below to encrypt the file using the passwd.txt contents as the password and AES256 to a base64 (-a option) file.使用以下命令加密文件,使用 passwd.txt 内容作为密码,将 AES256 加密为 base64(-a 选项)文件。 Encrypt the passwd.txt using asymetric encryption into the file XXLarge.crypt.pass using a primary public key and a backup key.使用主公钥和备份密钥使用非对称加密将 passwd.txt 加密到文件 XXLarge.crypt.pass 中。
openssl enc -aes-256-cbc -a -salt -in XXLarge.data -out XXLarge.crypt -pass file:passwd.txt
openssl smime -encrypt -binary -in passwd.txt -out XXLarge.crypt.pass -aes256 PublicKey1.pem PublicBackupKey.pem
rm passwd.txt
Decryption simply decrypts the XXLarge.crypt.pass to passwd.tmp, decrypts the XXLarge.crypt to XXLarge2.data, and deletes the passwd.tmp file.解密只是将XXLarge.crypt.pass解密为passwd.tmp,将XXLarge.crypt解密为XXLarge2.data,并删除passwd.tmp文件。
openssl smime -decrypt -binary -in XXLarge.crypt.pass -out passwd.tmp -aes256 -recip PublicKey1.pem -inkey PublicKey1.key
openssl enc -d -aes-256-cbc -a -in XXLarge.crypt -out XXLarge2.data -pass file:passwd.tmp
rm passwd.tmp
This has been tested against >5GB files..这已经针对 > 5GB 的文件进行了测试。
5365295400 Nov 17 10:07 XXLarge.data
7265504220 Nov 17 10:03 XXLarge.crypt
5673 Nov 17 10:03 XXLarge.crypt.pass
5365295400 Nov 17 10:07 XXLarge2.data
In more explanation for n. 'pronouns' m.
在对n. 'pronouns' m.
更多解释中n. 'pronouns' m.
n. 'pronouns' m.
's answer,的回答,
Public-key crypto is not for encrypting arbitrarily long files.公钥加密不用于加密任意长的文件。 One uses a symmetric cipher (say AES) to do the normal encryption.一种使用对称密码(比如 AES)来进行普通加密。 Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key).每次生成、使用新的随机对称密钥,然后使用 RSA 密码(公钥)加密。 The ciphertext together with the encrypted symmetric key is transferred to the recipient.密文与加密的对称密钥一起传送给接收者。 The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.接收者使用他的私钥解密对称密钥,然后使用对称密钥解密消息。
There is the flow of Encryption :有加密流程:
+---------------------+ +--------------------+
| | | |
| generate random key | | the large file |
| (R) | | (F) |
| | | |
+--------+--------+---+ +----------+---------+
| | |
| +------------------+ |
| | |
v v v
+--------+------------+ +--------+--+------------+
| | | |
| encrypt (R) with | | encrypt (F) |
| your RSA public key | | with symmetric key (R) |
| | | |
| ASym(PublicKey, R) | | EF = Sym(F, R) |
| | | |
+----------+----------+ +------------+-----------+
| |
+------------+ +--------------+
| |
v v
+--------------+-+---------------+
| |
| send this files to the peer |
| |
| ASym(PublicKey, R) + EF |
| |
+--------------------------------+
And the flow of Decryption :以及解密流程:
+----------------+ +--------------------+
| | | |
| EF = Sym(F, R) | | ASym(PublicKey, R) |
| | | |
+-----+----------+ +---------+----------+
| |
| |
| v
| +-------------------------+-----------------+
| | |
| | restore key (R) |
| | |
| | R <= ASym(PrivateKey, ASym(PublicKey, R)) |
| | |
| +---------------------+---------------------+
| |
v v
+---+-------------------------+---+
| |
| restore the file (F) |
| |
| F <= Sym(Sym(F, R), R) |
| |
+---------------------------------+
Besides, you can use this commands:此外,您可以使用以下命令:
# generate random symmetric key
openssl rand -base64 32 > /config/key.bin
# encryption
openssl rsautl -encrypt -pubin -inkey /config/public_key.pem -in /config/key.bin -out /config/key.bin.enc
openssl aes-256-cbc -a -pbkdf2 -salt -in $file_name -out $file_name.enc -kfile /config/key.bin
# now you can send these files: $file_name.enc + /config/key.bin.enc
# decryption
openssl rsautl -decrypt -inkey /config/private_key.pem -in /config/key.bin.enc -out /config/key.bin
openssl aes-256-cbc -d -a -pbkdf2 -in $file_name.enc -out $file_name -kfile /config/key.bin
To safely encrypt large files (>600MB) with openssl smime
you'll have to split each file into small chunks:要使用openssl smime
安全地加密大文件(> 600MB),您必须将每个文件分成小块:
# Splits large file into 500MB pieces
split -b 500M -d -a 4 INPUT_FILE_NAME input.part.
# Encrypts each piece
find -maxdepth 1 -type f -name 'input.part.*' | sort | xargs -I % openssl smime -encrypt -binary -aes-256-cbc -in % -out %.enc -outform DER PUBLIC_PEM_FILE
For the sake of information, here is how to decrypt and put all pieces together:为了提供信息,以下是解密并将所有部分放在一起的方法:
# Decrypts each piece
find -maxdepth 1 -type f -name 'input.part.*.enc' | sort | xargs -I % openssl smime -decrypt -in % -binary -inform DEM -inkey PRIVATE_PEM_FILE -out %.dec
# Puts all together again
find -maxdepth 1 -type f -name 'input.part.*.dec' | sort | xargs cat > RESTORED_FILE_NAME
Maybe you should check out the accepted answer to this ( How to encrypt data in php using Public/Private keys? ) question.也许您应该查看此问题的已接受答案( 如何使用公钥/私钥在 php 中加密数据? )问题。
Instead of manually working around the message size limitation (or perhaps a trait) of RSA, it shows how to use the S/mime feature of OpenSSL to do the same thing and not needing to juggle with the symmetric key manually.它没有手动解决 RSA 的消息大小限制(或者可能是一个特征),而是展示了如何使用 OpenSSL 的 S/mime 功能来做同样的事情,而不需要手动处理对称密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.