Simple SSL-based encryption

Oct 21, 2021

Send me a “secret message” with my ssl key:

Encrypt a short secret

openssl rsautl -encrypt -inkey <(curl --silent https://dwood.io/key) -pubin -in <(echo "secret message")

Encrypt a long secret

You can’t directly encrypt a large file using rsautl: it performs a single raw RSA operation, so any input larger than the key size minus the padding overhead is rejected.

RSA operation error
4454280704:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:crypto/rsa/rsa_pk1.c:125:

Instead, do the following:

  1. Generate a key using openssl rand, e.g. openssl rand -out keyfile 32.
  2. Encrypt the key file using openssl rsautl.
  3. Encrypt the data using openssl enc, using the generated key from step 1.
  4. Package the encrypted key file with the encrypted data.
  5. I’ll decrypt the key with my private key, then decrypt the data with the resulting key.

On a Mac (bash or zsh, with pbcopy for the clipboard), you can use the following shell function to encode input_file:

function encode() {
  local in="${1:-input_file}"
  # Step 1: a fresh 32-byte symmetric key, hex-encoded (printed so you can keep a copy; never send it in the clear)
  local psw
  psw=$(openssl rand -hex 32)
  printf 'secret_key=%s\n\n' "$psw"
  # Step 2: wrap the symmetric key with the recipient's RSA public key, base64 on a single line
  local password
  password=$(openssl rsautl -encrypt -inkey <(curl --silent https://dwood.io/key) -pubin -in <(echo "$psw") | base64 | tr -d '\n')
  # Step 3: encrypt the input with AES-256-CBC, key and IV derived from psw by PBKDF2, base64 on a single line
  # (note: -pass pass: makes the key visible in the process list while openssl runs)
  local plain
  plain=$(openssl aes-256-cbc -pbkdf2 -nosalt -base64 -in "$in" -pass "pass:$psw" | tr -d '\n')
  printf '%s\n\n%s\n' "$password" "$plain"
  # Steps 4 and 5: the decrypt command for the recipient, whose private key is in dwood.io.key
  local cmd="openssl aes-256-cbc -d -pbkdf2 -nosalt -in <(echo $plain | base64 --decode) -pass file:<(openssl rsautl -decrypt -in <(echo $password | base64 --decode) -inkey dwood.io.key)"
  printf '%s\n' "$cmd" | pbcopy
}
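The five steps above carried end to end as an added example (not the page's own code): it generates a throwaway RSA key pair locally instead of fetching https://dwood.io/key, uses pkeyutl with OAEP padding in place of rsautl (deprecated since OpenSSL 3), and reads the symmetric key from a file so it never appears in the process list. It assumes OpenSSL 1.1.1 or newer; the function and file names are this example's own.

```sh
#!/bin/sh
# Hybrid encryption round trip covering steps 1-5 above, offline: a throwaway RSA
# key pair stands in for the key fetched from https://dwood.io/key.
# Assumptions: OpenSSL >= 1.1.1 (pkeyutl, -pbkdf2); pkeyutl with OAEP padding is
# used in place of the deprecated rsautl; function and file names are this example's own.

# hybrid_encrypt PUBKEY PLAINTEXT OUTDIR -> OUTDIR/bundle.tar (key.enc + data.enc)
hybrid_encrypt() {
  pub="$1"; in="$2"; out="$3"; keyfile="$out/keyfile"
  # Step 1: fresh 32-byte symmetric key, hex-encoded so it is one printable line
  openssl rand -hex -out "$keyfile" 32
  # Step 2: wrap the symmetric key with the recipient's RSA public key
  openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$keyfile" -out "$out/key.enc"
  # Step 3: AES-256-CBC with key and IV derived by PBKDF2 from the hex key plus a
  # random salt; -pass file: keeps the key out of the process list
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$in" -out "$out/data.enc"
  rm -f "$keyfile"
  # Step 4: package the wrapped key with the ciphertext
  tar -C "$out" -cf "$out/bundle.tar" key.enc data.enc
}

# hybrid_decrypt PRIVKEY BUNDLE OUTFILE -> recovers the plaintext into OUTFILE
hybrid_decrypt() {
  priv="$1"; bundle="$2"; outfile="$3"; work=$(mktemp -d)
  tar -C "$work" -xf "$bundle"
  # Step 5: unwrap the symmetric key with the private key, then decrypt the data
  openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
    -in "$work/key.enc" -out "$work/keyfile"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/keyfile" \
    -in "$work/data.enc" -out "$outfile"
  rm -rf "$work"
}

# hybrid_roundtrip: generate a key pair, encrypt a constructed message that is too
# long for one 2048-bit RSA block, decrypt it, and return 0 only if it matches
hybrid_roundtrip() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
  printf 'constructed sample message: %s\n' "$(openssl rand -hex 200)" > "$d/msg.txt"
  hybrid_encrypt "$d/pub.pem" "$d/msg.txt" "$d"
  hybrid_decrypt "$d/priv.pem" "$d/bundle.tar" "$d/out.txt"
  if cmp -s "$d/msg.txt" "$d/out.txt"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```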

Example 1.

Encrypting with the public key and immediately decrypting with the private key is an identity operation: it prints the random hex string that went in.

openssl rsautl -decrypt -inkey dwood.io.key -in <(openssl rsautl -encrypt \
-inkey <(curl --silent https://dwood.io/key) -pubin -in <(openssl rand -hex 32))

Example 2.

This encrypts input_file and displays the secret key, the encrypted key (ASCII armored) and the message encrypted with the secret key.

encode input_file

secret_key=fd6489fdb92e199a8aa61b426d23e3f3172a4e499ed1b37abf4128d9f42f026b
(Do not share secret key over internet.)

fRZn9M4/kPtSWkV87qipCyhE+FCy2xsTYS+RJqpvhUIFIenIDnJ+FYCFgYZ8Es+RzkWpc1a7oq5
EGjAmIdalK8YvKFDtWKvE3cUpZx8USMlJN/RIDGtDIqp2Mq++0CbtS/eH/CWsF7lcFgdhfGpa8q
N52gL1rcKrpmWUAWFp2EFUgWJyrPeq6PRRgRO17NCB/Kwot7SFynC1TF4T6wKr/1gz/HIpOntuJ
4KXUeYHkmqVmNJXKMvZ9MxZoCb3OC/9fM67x/+4e4wdHxBc9qwr2LAkKWfJbBWIvev+3pmaWpXk
OE6Pw7HJwHQGjsZFh3Cv9PEnr3G3b/mBBIZ3a6MX6A==

This also copies the following command line to the clipboard, which you can share with me:

openssl aes-256-cbc -d -pbkdf2 -nosalt -in <(echo HeTGyZyw0vmDrfht2/ve0A== \
| base64 --decode) -pass file:<(openssl rsautl -decrypt -in <(echo \
fRZn9M4/kPtSWkV87qipCyhE+FCy2xsTYS+RJqpvhUIFIenIDnJ+FYCFgYZ8Es+RzkWpc1a7oq5
EGjAmIdalK8YvKFDtWKvE3cUpZx8USMlJN/RIDGtDIqp2Mq++0CbtS/eH/CWsF7lcFgdhfGpa8q
N52gL1rcKrpmWUAWFp2EFUgWJyrPeq6PRRgRO17NCB/Kwot7SFynC1TF4T6wKr/1gz/HIpOntuJ
4KXUeYHkmqVmNJXKMvZ9MxZoCb3OC/9fM67x/+4e4wdHxBc9qwr2LAkKWfJbBWIvev+3pmaWpXk
OE6Pw7HJwHQGjsZFh3Cv9PEnr3G3b/mBBIZ3a6MX6A== | base64 --decode) -inkey dwood.io.key)

This is the secret message.
