I want to encrypt a parameter with openssl using public.key and decrypt with private.key using linux command line. But the requirement is that the output after encryption should be just in one line so that I can transfer it or send it over to other server. File creation as output is not required.
I have seen rsautl but it gives output in a file or hex dump, which is not possible in my case as I require the output in one line. Please provide the necessary help.
pkeyutl sends its output to a file only if you ask for it. If you do not specify an output file (with the -out option) it sends its output to the standard output. But as it is binary, you cannot easily manipulate it and, moreover, it could be that there are end-of-lines in the output stream.
In order to solve this you can pipe the output of pkeyutl to base64. If your version of base64 wraps its output you'll have to concatenate to get the result on one line only. Some versions (e.g. GNU coreutils 8.10) have a -w0 option that prevents wrapping and produces a single line output (without end-of-line). Example with openssl version 1.0.2a:
echo "foo" | openssl pkeyutl -encrypt -pubin -inkey bob_id_rsa.pub | base64 -w0
where bob_id_rsa.pub is bob's public key in openssl format. You can decrypt with:
base64 -d | openssl pkeyutl -decrypt -inkey bob_id_rsa
where bob_id_rsa is bob's private key. Complete example with encryption followed by decryption:
bar=$( echo foo | openssl pkeyutl -encrypt -pubin -inkey bob_id_rsa.pub | base64 -w0 )
cue=$( echo $bar | base64 -d | openssl pkeyutl -decrypt -inkey bob_id_rsa )
echo $cue
foo
Related
I have a bash file and I want execute it by encrypted mode.
by using this command I encrypted my file.
now I want to run it. How could I do this?
openssl des3 -salt -in file.txt -out file.txt.enc -pass pass:password
use shc script compiler to encrypt it (Blowfish), see this http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/?utm_source=tuicool
http://www.linuxsecurity.com/content/view/117920/171
http://www.datsi.fi.upm.es/~frosal/
If you want to use DES3 you can try the answer of soFan in this:
https://unix.stackexchange.com/questions/90178/how-can-i-either-encrypt-or-render-my-shell-script-unreadable
write the wrapper #!/bin/sh openssl enc -d -DES3 ... -a -in script-enc | sh -
I signed an encrypted file (org-enc-file.txt) with the following command:
# openssl dgst -sha1 -sign priv.pem org-enc-file.txt > file.txt.sig
The signed file was sent to a System B that has all(public key) elements to verify and decrypt the file(file.txt.sig).
in the external system I used this command :
openssl dgst -sha1 -verify public.pem -signature file.txt.sig org-enc-file.txt
It says that verification OK only when the original encrypted file (org-enc-file.txt) is used as the last parameter of the command.
why the command openssl dgst -sha1 -verify needs the original file , is it always mandatory to send the original file with the signed file ?
The signature you create with the command
# openssl dgst -sha1 -sign priv.pem org-enc-file.txt > file.txt.sig
only contains the signature, not the content of the original file you signed with. So when verifying the signature, you need the original file as well.
When using openssl to encrypt/decrypt data and the AES cipher, my command will look something like this:
openssl enc -aes-256-cbc -in message_file -K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A -S 2C6A1B8EAACA302D -e -out message_file.enc
This places the key, iv, and salt in my process title that is visible in top/ps. Is there a way to AES encrypt a file with openssl (or even another alternative if not) without revealing this information? I did not see an option to grab these strings from files.
RSA encryption:
http://bsdsupport.org/q-how-do-i-use-openssl-to-encrypt-files/
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
AES encryption:
Based on the results of openssl enc -h
openssl enc -aes-128-cbc -in foo -out foo.enc -kfile passwordfile
And here's the result of openssl enc -h. Note the description of -kfile
root#bt:/tmp# openssl enc -h
unknown option '-h'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ecb -aes-128-ofb
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ecb -aes-192-ofb
-aes-256-cbc -aes-256-cfb -aes-256-cfb1
-aes-256-cfb8 -aes-256-ecb -aes-256-ofb
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb
-des-cfb1 -des-cfb8 -des-ecb
-des-ede -des-ede-cbc -des-ede-cfb
-des-ede-ofb -des-ede3 -des-ede3-cbc
-des-ede3-cfb -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
openssl can take commands from stdin
For example if onetime_keyfile specifies the key and IV with the following contents
-K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A
Then the following commands will encrypt a file using that information
umask 077
echo -n "enc -aes-256-cbc -in message_file -out message_file.enc " > encrypt_command_file
cat onetime_keyfile >> encrypt_command_file
openssl < encrypt_command_file
Note that in your question you specify both key, initialization vector and salt. The salt argument is ignored in that case; salt is only used to derive key and iv from a pass phrase. If you specify key and iv explicitly, then you should use your own salt algorithm to generate a unique key and iv for each file that you encrypt. So in practical use, the file onetime_keyfile in the example above should be generated as output from another program.
Refer to https://www.openssl.org/docs/crypto/EVP_BytesToKey.html for details of the standard algorithm for generating key and IV from pass phrase and salt.
If you are not doing your own salting, you are probably better to use the -kfile or -pass option to read a pass phrase from a file.
Would I have to make any changes to these linux commands to make it work on windows? Do all the pipes and redirects work as they do on linux?
openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key.pub
openssl rsa -pubin -modulus -noout < key.pub
#
# to decrypt mess.enc (message encrypted via javascript)
cat mess.enc | openssl base64 -d | openssl rsautl -inkey key.pem -decrypt
I expect I must swap cat for type, and I am hoping the rest will work as it is. Can anyone confirm this?
Equivalent of cat on Windows will be of great help. Rest of the commands are same and should work fine on Windows.
Equivalent of cat on Windows
openssl
cat key.pem
type key.pem
cat=type
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string.
This encrypted string ( in human readable format ) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with openssl commandline.
Here's one way to encrypt a string with openssl on the command line (must enter password twice):
echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Here's what the output looks like:
U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm
Edit: To my knowledge, you can't control the number of bytes out. You can b64 or hex encode it, but that's about it. Also, if you want to save that string to a file rather than stdout, use the -out option.
Try this:
echo 'foo' | openssl aes-256-cbc -a -salt
echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt
Run
openssl list-cipher-commands
to list all available ciphers.
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]
I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of
Format-Preserving Encryption. There's a lot to the paper, and it can't fit into a single paragraph on Stack Overflow.
If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you'd need a shorter string of length 12 characters to achieve 16 human readable characters.
As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):
$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password
cSTzU8+UPQQwpRAq
Also, you really need to understand te -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).
try this
$ echo "a_byte_character" | openssl enc -base64
and you have 100+ Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ctr -aes-192-ecb
-aes-192-gcm -aes-192-ofb -aes-256-cbc
-aes-256-cfb -aes-256-cfb1 -aes-256-cfb8
-aes-256-ctr -aes-256-ecb -aes-256-gcm
-aes-256-ofb -aes-256-xts -aes128
-aes192 -aes256 -bf
-bf-cbc -bf-cfb -bf-ecb
-bf-ofb -blowfish -camellia-128-cbc
-camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8
-camellia-128-ecb -camellia-128-ofb -camellia-192-cbc
-camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8
-camellia-192-ecb -camellia-192-ofb -camellia-256-cbc
-camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8
-camellia-256-ecb -camellia-256-ofb -camellia128
-camellia192 -camellia256 -cast
-cast-cbc -cast5-cbc -cast5-cfb
-cast5-ecb -cast5-ofb -des
-des-cbc -des-cfb -des-cfb1
-des-cfb8 -des-ecb -des-ede
-des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb
-des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb
-des-ofb -des3 -desx
-desx-cbc -id-aes128-GCM -id-aes192-GCM
-id-aes256-GCM -rc2 -rc2-40-cbc
-rc2-64-cbc -rc2-cbc -rc2-cfb
-rc2-ecb -rc2-ofb -rc4
-rc4-40 -rc4-hmac-md5 -seed
-seed-cbc -seed-cfb -seed-ecb
-seed-ofb
I had trouble getting it working using echo with -n. This worked for me:
To encrypt:
echo "PLAINTEXT_STRING" | openssl enc -aes256 -pbkdf2 -base64
you'll be prompted to provide a decryption password.
To decrypt:
echo "ENCRYPTED_STRING" | openssl aes-256-cbc -d -pbkdf2 -a
enter the decryption password to decrypt.