Linux 如何使用公钥加密openssl中的大文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7143514/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to encrypt a large file in openssl using public key
提问by yamuna mathew
How can I encrypt a large file with a public key so that no one other than who has the private key be able to decrypt it?
如何使用公钥加密大文件,以便只有拥有私钥的人才能解密它?
I can make RSA public and private keys but when it comes to encrypting a large file using this command:
我可以制作 RSA 公钥和私钥,但是在使用此命令加密大文件时:
openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml
and how can i perform the decryption also....
以及我如何执行解密也....
i create my private and public key by the following commands
我通过以下命令创建我的私钥和公钥
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
I get this error:
我收到此错误:
RSA operation error
3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151:
I tried to make keys with sizes from 1024 to 1200 bits, no luck, same error
我试图制作大小从 1024 到 1200 位的密钥,没有运气,同样的错误
采纳答案by n. 'pronouns' m.
Public-key crypto is not for encrypting arbitrarily long files. One uses a symmetric cipher (say AES) to do the normal encryption. Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key). The ciphertext together with the encrypted symmetric key is transferred to the recipient. The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.
公钥加密不用于加密任意长的文件。一种使用对称密码(比如 AES)来进行普通加密。每次生成、使用新的随机对称密钥,然后使用 RSA 密码(公钥)加密。密文与加密的对称密钥一起传送给接收者。接收者使用他的私钥解密对称密钥,然后使用对称密钥解密消息。
The private key is never shared, only the public key is used to encrypt the random symmetric cipher.
私钥永远不会共享,只有公钥用于加密随机对称密码。
回答by Hasturkun
You can't directly encrypt a large file using rsautl. instead, do something like the following:
您不能直接使用rsautl. 相反,请执行以下操作:
- Generate a key using
openssl rand, eg.openssl rand 32 -out keyfile - Encrypt the key file using
openssl rsautl - Encrypt the data using
openssl enc, using the generated key from step 1. - Package the encrypted key file with the encrypted data. the recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.
- 使用
openssl rand例如生成密钥。openssl rand 32 -out keyfile - 使用加密密钥文件
openssl rsautl - 使用
openssl enc从步骤 1 中生成的密钥加密数据。 - 将加密的密钥文件与加密的数据打包在一起。接收者需要用他们的私钥解密密钥,然后用得到的密钥解密数据。
回答by Cray
Maybe you should check out the accepted answer to this (How to encrypt data in php using Public/Private keys?) question.
也许您应该查看此问题的已接受答案(如何使用公钥/私钥在 php 中加密数据?)。
Instead of manually working around the message size limitation (or perhaps a trait) of RSA, it shows how to use the S/mime feature of OpenSSL to do the same thing and not needing to juggle with the symmetric key manually.
它没有手动解决 RSA 的消息大小限制(或者可能是一个特征),而是展示了如何使用 OpenSSL 的 S/mime 功能来做同样的事情,而不需要手动处理对称密钥。
回答by JakubBoucek
Solution for safe and high secured encode anyone file in OpenSSL and command-line:
在 OpenSSL 和命令行中安全和高度安全地编码任何文件的解决方案:
You should have ready some X.509 certificate for encrypt files in PEM format.
您应该准备好一些用于加密 PEM 格式文件的 X.509 证书。
Encrypt file:
加密文件:
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
What is what:
什么是什么:
- smime- ssl command for S/MIME utility (smime(1))
- -encrypt- chosen method for file process
- -binary- use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives).
- -aes-256-cbc- chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers)
- -in plainfile.zip- input file name
- -out encrypted.zip.enc- output file name
- -outform DER- encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%.
- yourSslCertificate.pem- file name of your certificate's. That should be in PEM format.
- smime- S/MIME 实用程序的 ssl 命令 ( smime(1))
- -encrypt- 选择的文件处理方法
- -binary- 使用安全文件进程。通常,输入消息会根据 S/MIME 规范的要求转换为“规范”格式,此开关禁用它。所有二进制文件(如图像、声音、ZIP 档案)都需要它。
- -aes-256-cbc- 选择 256 位密码 AES 进行加密(强)。如果未指定,则使用 40 位 RC2(非常弱)。(支持的密码)
- -in plainfile.zip- 输入文件名
- -out encrypted.zip.enc- 输出文件名
- -outform DER- 将输出文件编码为二进制文件。如果不指定,文件采用 base64 编码,文件大小将增加 30%。
- yourSslCertificate.pem- 证书的文件名。那应该是 PEM 格式。
That command can very effectively a strongly encrypt big files regardless of its format.
Known issue:Something wrong happens when you try encrypt huge file (>600MB). No error thrown, but encrypted file will be corrupted. Always verify each file! (or use PGP - that has bigger support for files encryption with public key)
该命令可以非常有效地对大文件进行强力加密,无论其格式如何。
已知问题:当您尝试加密大文件 (>600MB) 时会发生错误。不会抛出错误,但加密文件会被破坏。始终验证每个文件!(或使用 PGP - 它对使用公钥的文件加密有更大的支持)
Decrypt file:
解密文件:
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
What is what:
什么是什么:
- -inform DER- same as -outform above
- -inkey private.key- file name of your private key. That should be in PEM format and can be encrypted by password.
- -passin pass:your_password- your password for private key encrypt. (passphrase arguments)
- -inform DER- 与上面的-outform相同
- -inkey private.key- 私钥的文件名。那应该是 PEM 格式,可以通过密码加密。
- -passin pass:your_password- 您的私钥加密密码。(密码参数)
回答by Ipswitch
Encrypting a very large file using smime is not advised since you might be able to encrypt large files using the -stream option, but not decrypt the resulting file due to hardware limitations see: problem decrypting big files
不建议使用 smime 加密非常大的文件,因为您可能能够使用 -stream 选项加密大文件,但由于硬件限制而无法解密生成的文件, 请参阅:problem encrypted big files
As mentioned above Public-key crypto is not for encrypting arbitrarily long files. Therefore the following commands will generate a pass phrase, encrypt the file using symmetric encryption and then encrypt the pass phrase using the asymmetric (public key). Note: the smime includes the use of a primary public key and a backup key to encrypt the pass phrase. A backup public/private key pair would be prudent.
如上所述,公钥加密不是用于加密任意长的文件。因此,以下命令将生成密码短语,使用对称加密对文件进行加密,然后使用非对称(公钥)加密密码短语。注意:smime 包括使用主公钥和备份密钥来加密密码短语。备份公钥/私钥对是谨慎的。
Random Password Generation
随机密码生成
Set up the RANDFILE value to a file accessible by the current user, generate the passwd.txt file and clean up the settings
将 RANDFILE 值设置为当前用户可访问的文件,生成 passwd.txt 文件并清理设置
export OLD_RANDFILE=$RANDFILE
RANDFILE=~/rand1
openssl rand -base64 2048 > passwd.txt
rm ~/rand1
export RANDFILE=$OLD_RANDFILE
Encryption
加密
Use the commands below to encrypt the file using the passwd.txt contents as the password and AES256 to a base64 (-a option) file. Encrypt the passwd.txt using asymetric encryption into the file XXLarge.crypt.pass using a primary public key and a backup key.
使用以下命令加密文件,使用 passwd.txt 内容作为密码,将 AES256 加密为 base64(-a 选项)文件。使用主公钥和备份密钥使用非对称加密将 passwd.txt 加密到文件 XXLarge.crypt.pass 中。
openssl enc -aes-256-cbc -a -salt -in XXLarge.data -out XXLarge.crypt -pass file:passwd.txt
openssl smime -encrypt -binary -in passwd.txt -out XXLarge.crypt.pass -aes256 PublicKey1.pem PublicBackupKey.pem
rm passwd.txt
Decryption
解密
Decryption simply decrypts the XXLarge.crypt.pass to passwd.tmp, decrypts the XXLarge.crypt to XXLarge2.data, and deletes the passwd.tmp file.
解密只是将XXLarge.crypt.pass解密为passwd.tmp,将XXLarge.crypt解密为XXLarge2.data,并删除passwd.tmp文件。
openssl smime -decrypt -binary -in XXLarge.crypt.pass -out passwd.tmp -aes256 -recip PublicKey1.pem -inkey PublicKey1.key
openssl enc -d -aes-256-cbc -a -in XXLarge.crypt -out XXLarge2.data -pass file:passwd.tmp
rm passwd.tmp
This has been tested against >5GB files..
这已经针对 > 5GB 的文件进行了测试。
5365295400 Nov 17 10:07 XXLarge.data
7265504220 Nov 17 10:03 XXLarge.crypt
5673 Nov 17 10:03 XXLarge.crypt.pass
5365295400 Nov 17 10:07 XXLarge2.data
回答by Phellipe K Ribeiro
To safely encrypt large files (>600MB) with openssl smimeyou'll have to split each file into small chunks:
要安全地加密大文件(> 600MB),openssl smime您必须将每个文件分成小块:
# Splits large file into 500MB pieces
split -b 500M -d -a 4 INPUT_FILE_NAME input.part.
# Encrypts each piece
find -maxdepth 1 -type f -name 'input.part.*' | sort | xargs -I % openssl smime -encrypt -binary -aes-256-cbc -in % -out %.enc -outform DER PUBLIC_PEM_FILE
For the sake of information, here is how to decrypt and put all pieces together:
为了提供信息,以下是解密并将所有部分放在一起的方法:
# Decrypts each piece
find -maxdepth 1 -type f -name 'input.part.*.enc' | sort | xargs -I % openssl smime -decrypt -in % -binary -inform DEM -inkey PRIVATE_PEM_FILE -out %.dec
# Puts all together again
find -maxdepth 1 -type f -name 'input.part.*.dec' | sort | xargs cat > RESTORED_FILE_NAME
回答by Tom Saleeba
I found the instructions at http://www.czeskis.com/random/openssl-encrypt-file.htmluseful.
我发现http://www.czeskis.com/random/openssl-encrypt-file.html 上的说明很有用。
To paraphrase the linked site with filenames from your example:
用您的示例中的文件名来解释链接的站点:
Generate a symmetric key because you can encrypt large files with it
openssl rand -base64 32 > key.binEncrypt the large file using the symmetric key
openssl enc -aes-256-cbc -salt -in myLargeFile.xml \ -out myLargeFile.xml.enc -pass file:./key.binEncrypt the symmetric key so you can safely send it to the other person
openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.encDestroy the un-encrypted symmetric key so nobody finds it
shred -u key.binAt this point, you send the encrypted symmetric key (
key.bin.enc) and the encrypted large file (myLargeFile.xml.enc) to the other personThe other person can then decrypt the symmetric key with their private key using
openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.binNow they can use the symmetric key to decrypt the file
openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \ -out myLargeFile.xml -pass file:./key.bin
生成对称密钥,因为您可以用它加密大文件
openssl rand -base64 32 > key.bin使用对称密钥加密大文件
openssl enc -aes-256-cbc -salt -in myLargeFile.xml \ -out myLargeFile.xml.enc -pass file:./key.bin加密对称密钥,以便您可以安全地将其发送给其他人
openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.enc销毁未加密的对称密钥,以便没有人找到它
shred -u key.bin此时,您将加密的对称密钥 (
key.bin.enc) 和加密的大文件 (myLargeFile.xml.enc) 发送给对方然后另一个人可以使用他们的私钥解密对称密钥
openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.bin现在他们可以使用对称密钥来解密文件
openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \ -out myLargeFile.xml -pass file:./key.bin
And you're done. The other person has the decrypted file and it was safely sent.
你已经完成了。另一个人拥有解密的文件,并且已安全发送。
回答by Mohsenasm
In more explanation for n. 'pronouns' m.'s answer,
在对n. 'pronouns' m.的回答的更多解释中,
Public-key crypto is not for encrypting arbitrarily long files. One uses a symmetric cipher (say AES) to do the normal encryption. Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key). The ciphertext together with the encrypted symmetric key is transferred to the recipient. The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.
公钥加密不用于加密任意长的文件。一种使用对称密码(比如 AES)来进行普通加密。每次生成、使用新的随机对称密钥,然后使用 RSA 密码(公钥)加密。密文与加密的对称密钥一起传送给接收者。接收者使用他的私钥解密对称密钥,然后使用对称密钥解密消息。
There is the flow of Encryption:
有加密流程:
+---------------------+ +--------------------+
| | | |
| generate random key | | the large file |
| (R) | | (F) |
| | | |
+--------+--------+---+ +----------+---------+
| | |
| +------------------+ |
| | |
v v v
+--------+------------+ +--------+--+------------+
| | | |
| encrypt (R) with | | encrypt (F) |
| your RSA public key | | with symmetric key (R) |
| | | |
| ASym(PublicKey, R) | | EF = Sym(F, R) |
| | | |
+----------+----------+ +------------+-----------+
| |
+------------+ +--------------+
| |
v v
+--------------+-+---------------+
| |
| send this files to the peer |
| |
| ASym(PublicKey, R) + EF |
| |
+--------------------------------+
And the flow of Decryption:
以及解密流程:
+----------------+ +--------------------+
| | | |
| EF = Sym(F, R) | | ASym(PublicKey, R) |
| | | |
+-----+----------+ +---------+----------+
| |
| |
| v
| +-------------------------+-----------------+
| | |
| | restore key (R) |
| | |
| | R <= ASym(PrivateKey, ASym(PublicKey, R)) |
| | |
| +---------------------+---------------------+
| |
v v
+---+-------------------------+---+
| |
| restore the file (F) |
| |
| F <= Sym(Sym(F, R), R) |
| |
+---------------------------------+
Besides, you can use this commands:
此外,您可以使用以下命令:
# generate random symmetric key
openssl rand -base64 32 > /config/key.bin
# encryption
openssl rsautl -encrypt -pubin -inkey /config/public_key.pem -in /config/key.bin -out /config/key.bin.enc
openssl aes-256-cbc -a -pbkdf2 -salt -in $file_name -out $file_name.enc -k $(cat /config/key.bin)
# now you can send this files: $file_name.enc + /config/key.bin.enc
# decryption
openssl rsautl -decrypt -inkey /config/private_key.pem -in /config/key.bin.enc -out /config/key.bin
openssl aes-256-cbc -d -a -in $file_name.enc -out $file_name -k $(cat /config/key.bin)
