Simple SSL-based encryption
Oct 21, 2021
Send me a “secret message” encrypted with my SSL (RSA) public key:
Encrypt a short secret
openssl rsautl -encrypt -inkey <(curl --silent https://dwood.io/key) -pubin -in <(echo "secret message")
Encrypt a long secret
You can’t directly encrypt a large file using rsautl: RSA encrypts a single block, and with the PKCS#1 v1.5 padding rsautl uses by default the input is limited to the key size minus 11 bytes, i.e. 245 bytes for a 2048-bit key. Anything larger fails with:
RSA operation error
4454280704:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:crypto/rsa/rsa_pk1.c:125:
Instead, do the following:
- Generate a key using openssl rand, e.g. openssl rand -out keyfile 32 (the byte count goes after the options).
- Encrypt the key file using openssl rsautl.
- Encrypt the data using openssl enc, using the generated key from step 1.
- Package the encrypted key file with the encrypted data.
- I’ll decrypt the key with my private key, then decrypt the data with the resulting key.
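The procedure above as one complete round trip that runs offline. This is an added example, not the page’s own function: it generates a throwaway RSA key pair locally to stand in for https://dwood.io/key and dwood.io.key, and the function names (make_keypair, hybrid_encrypt, hybrid_decrypt, hmac_hex) and file layout (key.enc, data.enc, data.mac) are this example’s own choices. Two things are swapped in on purpose: openssl pkeyutl with OAEP padding replaces rsautl, which is deprecated in OpenSSL 3.0 and pads with PKCS#1 v1.5 by default, and an HMAC-SHA256 tag over the ciphertext is checked before decrypting, because AES-CBC on its own does not detect a modified ciphertext. The AES password is read from a file so it does not appear in the process list.

```shell
#!/bin/sh
# Added example (not from the page): RSA-wrapped key + AES-256-CBC data +
# HMAC-SHA256 tag, with both the sender's and the recipient's side.

# make_keypair DIR: write DIR/priv.pem and DIR/pub.pem (2048-bit RSA);
# stands in for the page's dwood.io.key and https://dwood.io/key
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# hmac_hex KEY FILE: HMAC-SHA256 of FILE as lowercase hex. openssl prints
# "HMAC-SHA256(file)= <hex>" (OpenSSL 3 says HMAC-SHA2-256); sed keeps the hex.
hmac_hex() {
    openssl dgst -sha256 -hmac "$1" "$2" | sed 's/^.*= //'
}

# hybrid_encrypt PUB IN OUT: package IN for the owner of PUB into
# OUT/key.enc (wrapped secrets), OUT/data.enc (ciphertext), OUT/data.mac (tag)
hybrid_encrypt() {
    pub="$1"; in="$2"; out="$3"; keyfile="$out/keys.txt"
    # step 1: two fresh 256-bit secrets. Line 1 is the AES password (the only
    # line `-pass file:` reads); line 2 is the HMAC key.
    openssl rand -hex 32 > "$keyfile"
    openssl rand -hex 32 >> "$keyfile"
    # step 2: wrap both secrets with the recipient's public key (RSA-OAEP;
    # 130 bytes is well under the 214-byte OAEP limit of a 2048-bit key)
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$keyfile" -out "$out/key.enc"
    # step 3: encrypt the data under the AES password (salted, PBKDF2-derived key)
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$in" -out "$out/data.enc"
    # step 4: encrypt-then-MAC over the whole ciphertext file
    hmac_hex "$(sed -n 2p "$keyfile")" "$out/data.enc" > "$out/data.mac"
    # only the wrapped copy of the secrets leaves the machine
    rm -f "$keyfile"
}

# hybrid_decrypt PRIV OUT: the recipient's side. Prints the plaintext, or
# returns 1 without decrypting when data.enc does not match its tag.
hybrid_decrypt() {
    priv="$1"; out="$2"; keyfile="$out/keys.dec"
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$out/key.enc" -out "$keyfile"
    expected=$(cat "$out/data.mac")
    actual=$(hmac_hex "$(sed -n 2p "$keyfile")" "$out/data.enc")
    # shell string comparison is not constant-time: fine for a one-off
    # offline exchange, not for anything an attacker can query repeatedly
    if [ "$actual" != "$expected" ]; then
        rm -f "$keyfile"
        echo "data.enc does not match its tag; refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$out/data.enc"
    rm -f "$keyfile"
}

# round_trip: encrypt a constructed sample file and decrypt it again,
# printing the recovered text
round_trip() {
    d=$(mktemp -d)
    make_keypair "$d"
    mkdir "$d/pkg"
    printf 'This is the secret message.\n' > "$d/input_file"   # constructed sample
    hybrid_encrypt "$d/pub.pem" "$d/input_file" "$d/pkg"
    hybrid_decrypt "$d/priv.pem" "$d/pkg"
    rm -rf "$d"
}
```

Running round_trip prints the sample back. To send something to the page’s author you would pass the downloaded key in place of pub.pem, but note that this package (OAEP-wrapped two-line key file plus a separate tag) is a different format from the one the author’s clipboard command expects, so the two sides have to agree on the format first.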
On a mac, you can use the following shell function to encode input_file:
function encode() {
    local in="${1:-input_file}"
    # fresh 256-bit secret (64 hex characters) used as the AES password
    local psw
    psw=$(openssl rand -hex 32)
    printf 'secret_key=%s\n\n' "$psw"
    # wrap the secret with the recipient's public key, as one line of base64
    local password
    password=$(openssl rsautl -encrypt -inkey <(curl --silent https://dwood.io/key) -pubin -in <(echo "$psw") | base64 | tr -d '\n')
    # encrypt the data under the secret (-pass pass: shows it in `ps` while openssl runs)
    local plain
    plain=$(openssl aes-256-cbc -pbkdf2 -nosalt -base64 -in "$in" -pass "pass:$psw" | tr -d '\n')
    printf '%s\n\n%s\n' "$password" "$plain"
    # the recipient's decryption command (needs only dwood.io.key), sent to the clipboard
    local cmd="openssl aes-256-cbc -d -pbkdf2 -nosalt -in <(echo $plain | base64 --decode) -pass file:<(openssl rsautl -decrypt -in <(echo "$password" | base64 --decode) -inkey dwood.io.key)"
    printf '%s\n' "$cmd" | pbcopy
}
Example 1.
Encrypting with the public key and immediately decrypting with the private key is an identity operation and gives you back the original input (here a random 32-byte hex string):
openssl rsautl -decrypt -inkey dwood.io.key -in <(openssl rsautl -encrypt \
-inkey <(curl --silent https://dwood.io/key) -pubin -in <(openssl rand -hex 32))
Example 2.
This encrypts input_file and displays the secret key, the RSA-encrypted key (base64) and the message encrypted under the secret key.
encode input_file
secret_key=fd6489fdb92e199a8aa61b426d23e3f3172a4e499ed1b37abf4128d9f42f026b
(Do not share the secret key over the internet; only the encrypted key and encrypted message below are safe to send.)
fRZn9M4/kPtSWkV87qipCyhE+FCy2xsTYS+RJqpvhUIFIenIDnJ+FYCFgYZ8Es+RzkWpc1a7oq5
EGjAmIdalK8YvKFDtWKvE3cUpZx8USMlJN/RIDGtDIqp2Mq++0CbtS/eH/CWsF7lcFgdhfGpa8q
N52gL1rcKrpmWUAWFp2EFUgWJyrPeq6PRRgRO17NCB/Kwot7SFynC1TF4T6wKr/1gz/HIpOntuJ
4KXUeYHkmqVmNJXKMvZ9MxZoCb3OC/9fM67x/+4e4wdHxBc9qwr2LAkKWfJbBWIvev+3pmaWpXk
OE6Pw7HJwHQGjsZFh3Cv9PEnr3G3b/mBBIZ3a6MX6A==
This also copies the following command line into the clipboard, which you can share with me (it contains only the RSA-encrypted key and the ciphertext, so it is useless without dwood.io.key):
openssl aes-256-cbc -d -pbkdf2 -nosalt -in <(echo HeTGyZyw0vmDrfht2/ve0A== \
| base64 --decode) -pass file:<(openssl rsautl -decrypt -in <(echo \
fRZn9M4/kPtSWkV87qipCyhE+FCy2xsTYS+RJqpvhUIFIenIDnJ+FYCFgYZ8Es+RzkWpc1a7oq5
EGjAmIdalK8YvKFDtWKvE3cUpZx8USMlJN/RIDGtDIqp2Mq++0CbtS/eH/CWsF7lcFgdhfGpa8q
N52gL1rcKrpmWUAWFp2EFUgWJyrPeq6PRRgRO17NCB/Kwot7SFynC1TF4T6wKr/1gz/HIpOntuJ
4KXUeYHkmqVmNJXKMvZ9MxZoCb3OC/9fM67x/+4e4wdHxBc9qwr2LAkKWfJbBWIvev+3pmaWpXk
OE6Pw7HJwHQGjsZFh3Cv9PEnr3G3b/mBBIZ3a6MX6A== | base64 --decode) -inkey dwood.io.key)
Running that command with the private key prints the original contents of input_file:
This is the secret message.