I have the following command but it doesn't work for me...
cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS
UPDATE:
The output is:
109 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
It should auto-answer the question and put in the password automatically.
I always use HEREDOC for automating my Q&A in bash and it works fine...
What is the problem here?
OpenSSL (and OpenSSH) takes measures to read the password directly from the terminal, rather than from stdin, as a security measure.
However there are a load of ways to supply passwords to OpenSSL. Check man openssl for the section PASS PHRASE ARGUMENTS.
So you could do:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout "pass:mypassword"
... but per the manpage: "Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important"
Or you could do:
printf '%s\n' "$PASS" | {
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
} 3<&0
... which is supposedly more secure than other options because the password won't show up in ps.
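The same fd-based trick, driven from Python rather than a shell pipeline, as an added example that is not part of the answer above: the pass phrase travels over an inherited pipe (`-passout fd:N` / `-passin fd:N`), so it never appears in argv or the environment, and the script then checks that the key file is actually encrypted and only opens with the right pass phrase. It assumes a POSIX system with the openssl CLI on PATH; the pass phrase is a constructed placeholder.

```python
import os, shutil, subprocess, tempfile

def _passphrase_fd(passphrase: bytes) -> int:
    """Put the pass phrase (one line) into a pipe and return the read end;
    openssl's fd:N pass phrase source reads exactly one line from it."""
    rfd, wfd = os.pipe()
    os.write(wfd, passphrase + b"\n")
    os.close(wfd)
    return rfd

def _run_openssl(args: list, passphrase: bytes) -> int:
    """Run openssl with the pass phrase delivered over an inherited pipe instead of
    argv (visible in ps) or the environment; "{fd}" in args becomes the pipe number."""
    rfd = _passphrase_fd(passphrase)
    cmd = ["openssl"] + [a.format(fd=rfd) for a in args]
    try:
        proc = subprocess.run(cmd, pass_fds=(rfd,),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    finally:
        os.close(rfd)
    return proc.returncode

def genrsa_with_passphrase(key_path: str, passphrase: bytes, bits: int = 2048) -> bool:
    """The question's genrsa, but with -passout fd:N; 2048 bits because 1024 is too small today."""
    return _run_openssl(["genrsa", "-aes256", "-passout", "fd:{fd}",
                         "-out", key_path, str(bits)], passphrase) == 0

def passphrase_unlocks(key_path: str, passphrase: bytes) -> bool:
    """`openssl rsa -check` exits 0 only if the pass phrase decrypts the key."""
    return _run_openssl(["rsa", "-in", key_path, "-passin", "fd:{fd}",
                         "-noout", "-check"], passphrase) == 0

def key_is_encrypted(key_path: str) -> bool:
    """OpenSSL 1.x ('Proc-Type: 4,ENCRYPTED') and 3.x ('BEGIN ENCRYPTED PRIVATE KEY')
    both put the word ENCRYPTED in the PEM header of a protected key."""
    with open(key_path, "rb") as fh:
        return b"ENCRYPTED" in fh.read(256)

def demo(passphrase: bytes = b"constructed-passphrase-not-a-real-secret"):
    """None if openssl is not on PATH; else (generated, encrypted, right_pw_ok, wrong_pw_ok)."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "smtpd.key")  # constructed temporary path
        if not genrsa_with_passphrase(key_path, passphrase):
            return (False, False, False, False)
        return (True, key_is_encrypted(key_path), passphrase_unlocks(key_path, passphrase),
                passphrase_unlocks(key_path, b"wrong-passphrase"))
```

While it runs, `ps` shows only `-passout fd:3` style arguments, never the pass phrase itself.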
As @Graeme said HERE
I can do it with a heredoc like so:
I have to add -passout stdin for openssl to read from stdin.
cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS
Related
I use the following commands to generate an ECDSA signature in Linux. In Linux, I can use the command line to verify the signature; this is no problem.
In Windows, the same commands can also sign and verify successfully.
openssl ecparam -name secp192k1 -genkey -out ec.key
openssl ec -in ec.key -pubout -out ec.pubkey
openssl dgst -sha1 -sign ec.key -out ec.sig content.txt
openssl dgst -sha1 -verify ec.pubkey -signature ec.sig content.txt
But here's the thing.
I put all files generated in Linux into Windows, and then use the command line to verify the signature, the result is an error, why?
content.txt: the Linux copy ends in a byte 0x0a, but the copy created on Windows doesn't end in a byte 0x0a. So, in fact, Linux and Windows sign different content, which is why Windows fails to verify what Linux signed.
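Before blaming the keys, it is worth checking the exact bytes on both sides; this added diagnostic (not part of the question or answer above) computes the SHA-1 digest that `openssl dgst -sha1` actually signs and classifies the difference between the signed bytes and the bytes presented for verification, covering the trailing-newline case from the answer and the CRLF/LF conversion that also bites on cross-platform transfers. The sample file contents are constructed.

```python
import hashlib

# Constructed stand-ins for content.txt as written on each platform.
LINUX_CONTENT = b"hello world\n"    # editor on Linux appends a final 0x0a
WINDOWS_CONTENT = b"hello world"    # editor on Windows does not

def sha1_hex(data: bytes) -> str:
    """Digest that `openssl dgst -sha1 -sign` signs; any byte change alters it."""
    return hashlib.sha1(data).hexdigest()

def diagnose_mismatch(signed: bytes, presented: bytes) -> str:
    """Classify why verification input differs from what was signed.
    The checks are ordered from the most specific edit to the most general."""
    def no_trailing(b: bytes) -> bytes:
        return b.rstrip(b"\r\n")

    def lf_only(b: bytes) -> bytes:
        return b.replace(b"\r\n", b"\n")

    if signed == presented:
        return "identical"
    if no_trailing(signed) == no_trailing(presented):
        return "differs only in trailing newline"
    if lf_only(signed) == lf_only(presented):
        return "differs only in CRLF vs LF line endings"
    if no_trailing(lf_only(signed)) == no_trailing(lf_only(presented)):
        return "differs in line endings and trailing newline"
    return "content differs"
```

The remedy is to transfer content.txt in binary mode (or sign and verify the exact same bytes), not to change keys or curves.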
Which programme or command do you use to extract the public key from a p12 protected with a password? I am trying with the command hydra, but I think it only works along networks.
You can use openssl to check, convert etc. a p12 file.
E.g.:
openssl pkcs12 -info -in example.p12
or
openssl pkcs12 -in example.p12 -out example.pem -nodes
etc.
You can make openssl read the password from a file or stdin. E.g.:
openssl [...] -pass stdin
See man page for openssl for more ideas.
I have a bash file and I want to execute it in encrypted mode.
By using this command I encrypted my file.
Now I want to run it. How could I do this?
openssl des3 -salt -in file.txt -out file.txt.enc -pass pass:password
Use the shc script compiler to encrypt it (Blowfish); see this: http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/?utm_source=tuicool
http://www.linuxsecurity.com/content/view/117920/171
http://www.datsi.fi.upm.es/~frosal/
If you want to use DES3 you can try the answer of soFan in this:
https://unix.stackexchange.com/questions/90178/how-can-i-either-encrypt-or-render-my-shell-script-unreadable
Write the wrapper (openssl option names are lower-case, so -des3, not -DES3):
#!/bin/sh
openssl enc -d -des3 ... -a -in script-enc | sh -
When using openssl to encrypt/decrypt data and the AES cipher, my command will look something like this:
openssl enc -aes-256-cbc -in message_file -K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A -S 2C6A1B8EAACA302D -e -out message_file.enc
This places the key, iv, and salt in my process title that is visible in top/ps. Is there a way to AES encrypt a file with openssl (or even another alternative if not) without revealing this information? I did not see an option to grab these strings from files.
RSA encryption:
http://bsdsupport.org/q-how-do-i-use-openssl-to-encrypt-files/
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
AES encryption:
Based on the results of openssl enc -h
openssl enc -aes-128-cbc -in foo -out foo.enc -kfile passwordfile
And here's the result of openssl enc -h. Note the description of -kfile
root#bt:/tmp# openssl enc -h
unknown option '-h'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ecb -aes-128-ofb
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ecb -aes-192-ofb
-aes-256-cbc -aes-256-cfb -aes-256-cfb1
-aes-256-cfb8 -aes-256-ecb -aes-256-ofb
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb
-des-cfb1 -des-cfb8 -des-ecb
-des-ede -des-ede-cbc -des-ede-cfb
-des-ede-ofb -des-ede3 -des-ede3-cbc
-des-ede3-cfb -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
openssl can take commands from stdin
For example if onetime_keyfile specifies the key and IV with the following contents
-K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A
Then the following commands will encrypt a file using that information
umask 077
echo -n "enc -aes-256-cbc -in message_file -out message_file.enc " > encrypt_command_file
cat onetime_keyfile >> encrypt_command_file
openssl < encrypt_command_file
Note that in your question you specify key, initialization vector, and salt. The salt argument is ignored in that case; salt is only used to derive key and iv from a pass phrase. If you specify key and iv explicitly, then you should use your own salt algorithm to generate a unique key and iv for each file that you encrypt. So in practical use, the file onetime_keyfile in the example above should be generated as output from another program.
Refer to https://www.openssl.org/docs/crypto/EVP_BytesToKey.html for details of the standard algorithm for generating key and IV from pass phrase and salt.
If you are not doing your own salting, you are probably better off using the -kfile or -pass option to read a pass phrase from a file.
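To make the salt note concrete, here is EVP_BytesToKey (the algorithm behind the openssl.org link above) written out in Python, together with the `Salted__` header that `openssl enc -salt` writes and a per-file fresh salt; this is an added example, not the answer's or OpenSSL's own code. It assumes the old single-round MD5 setting shown in the `openssl enc -h` output quoted earlier; the pass phrase and salt values are constructed.

```python
import hashlib
import os

SALT_MAGIC = b"Salted__"  # `openssl enc -salt` writes this, then the 8-byte salt, then ciphertext

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1) -> tuple:
    """EVP_BytesToKey as used by `openssl enc -k/-kfile/-pass`:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each block
    hashed `count` times in total; key || iv is the concatenation of the D_i.
    md="md5" matches the old build whose -h output is quoted above; OpenSSL 1.1.0+
    defaults to sha256 and 1.1.1+ offers -pbkdf2, which should be preferred."""
    if salt and len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    out = b""
    block = b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def parse_salted_header(blob: bytes) -> tuple:
    """Split `openssl enc` output into (salt, ciphertext); salt is None when the
    file was produced with -nosalt and the pass phrase alone determines the key."""
    if blob.startswith(SALT_MAGIC):
        return blob[8:16], blob[16:]
    return None, blob

def fresh_key_iv(password: bytes, key_len: int = 32, iv_len: int = 16) -> tuple:
    """What -salt does for you: a random 8-byte salt per file, so the same pass phrase
    never yields the same key/iv twice. Returns (salt, key, iv); only the salt is
    stored (in the Salted__ header), never the key or iv."""
    salt = os.urandom(8)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return salt, key, iv
```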
Would I have to make any changes to these linux commands to make it work on windows? Do all the pipes and redirects work as they do on linux?
openssl genrsa -out key.pem
openssl rsa -in key.pem -pubout > key.pub
openssl rsa -pubin -modulus -noout < key.pub
#
# to decrypt mess.enc (message encrypted via javascript)
cat mess.enc | openssl base64 -d | openssl rsautl -inkey key.pem -decrypt
I expect I must swap cat for type, and I am hoping the rest will work as it is. Can anyone confirm this?
Equivalent of cat on Windows will be of great help.
Rest of the commands are same and should work fine on Windows.
Equivalent of cat on Windows:
Linux: cat key.pem
Windows: type key.pem
cat = type