Generate Symmetric Key Openssl Using Rand

OpenSSL is a great library and tool set used in security related work. When talking about security, we cannot deny that passwords and random numbers are important subjects. In this tutorial we will learn how to generate random numbers and passwords with OpenSSL.

Base64 is an encoding format used in applications and different systems, which can be transferred and used without problems. Base64 does not produce control characters. We can generate Base64 compatible random numbers with openssl rand. Here we set the character count to 10, which is the last parameter.

Generate Symmetric Key Openssl Using Rand Tool

An AES key, and an IV for symmetric encryption, are just bunches of random bytes. So any cryptographically strong random number generator will do the trick. OpenSSL provides such a random number generator (which itself feeds on whatever the operating system provides, e.g. CryptGenRandom on Windows or /dev/random and /dev/urandom on Linux).

  • Any random source that you add using -rand file:file is used as additional seed data - in other words, the output will always be random, even if you supply the same seed. As the pseudo random generator provided by OpenSSL generally runs in the application space on the main thread, it may be faster than asking a lot of data from /dev/urandom.
  • OpenSSL is well known for its ability to generate certificates, but it can also be used to generate random data. Generates 32 random bytes (256 bits) in a base64 encoded output: openssl rand -base64 32. Generates 32 random characters (256 bits): openssl rand 32.
  • Instead, we can use OpenSSL itself to help us generate random symmetric keys. Really, all we want from a symmetric key is that it be the right size and that it be random, so we generate them with OpenSSL’s rand command: % openssl rand -base64 16 > symmkey. This will generate a 16 byte (128 bit) random value in base 64 encoding.
  • The num argument for openssl rand is interpreted as number of bytes, not number of bits. AES-128 expects a key of 128 bit, 16 byte. To generate such a key, use OpenSSL as: openssl rand 16 > myaes.key. AES-256 expects a key of 256 bit, 32 byte.
  • Generate a key using openssl rand, e.g. openssl rand -out keyfile 32. Encrypt the key file using openssl rsautl. Encrypt the data using openssl enc, using the generated key from step 1. Package the encrypted key file with the encrypted data. The recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key. Ultimate solution for safe and high secured encode anyone file in OpenSSL and command-line: Private key generation (encrypted private key).
  • I have a query related to symmetric key decryption. I have generated a symmetric key using the below command. openssl rand -base64 512 > sym.key. Using this key (sym.key) I have encrypted a file with the below command. openssl enc -aes-256-cbc -in temp.txt -out temp.enc -kfile sym.key. It has generated an encrypted file temp.enc.

Hexadecimal is a numbering system with base 16. We can generate hexadecimal numbers with the -hex option. In this example we will generate 20 character random hexadecimal numbers.


The default behaviour of rand is to write the generated random numbers to the terminal. If we need a lot of numbers, like 256, the terminal will be messed up. We have an option to write the generated random numbers to a file instead. We will use the -out option and the file name. In this example we will write a file named myrand.txt.
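
The byte-count rule and the -hex, -base64 and -out options described above, as an added example that is not part of the original page. The helper names gen_key and encoded_len are hypothetical; the count passed to openssl rand is bytes before encoding, so the encoded output is longer than the count.

```shell
#!/bin/sh
# Added example; gen_key and encoded_len are hypothetical helper names.

# gen_key <bits> <outfile>: write a raw AES key of <bits> bits to <outfile>.
gen_key() (
    bits=$1; out=$2
    case $bits in
        128|192|256) ;;
        *) echo "unsupported AES key size: $bits bits" >&2; exit 2 ;;
    esac
    bytes=$((bits / 8))   # openssl rand takes a byte count, not bits
    umask 077             # key file readable by its owner only
    # Options go before the count; newer OpenSSL rejects arguments after it.
    openssl rand -out "$out" "$bytes" || exit 1
    # Confirm the file really holds the expected number of bytes.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$bytes" ]
)

# encoded_len <-hex|-base64> <nbytes>: number of characters openssl prints
# for <nbytes> random bytes (hex doubles the length, base64 adds about a third).
encoded_len() {
    openssl rand "$1" "$2" | tr -d '\n' | wc -c | tr -d ' '
}
```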

Security experts divide random number generators into two categories.


  • Truly Random Number Generator (TRNG), where the generated numbers are truly random and generally special hardware is used.
  • Pseudo Random Number Generator (PRNG), where the generated numbers are not truly random but near to random. This type does not require special hardware, and operating systems like Linux and Windows, as well as OpenSSL, use this type by default.

If we have special cryptographic hardware or a TRNG engine, we can use it with OpenSSL to generate truly random numbers. We will use the -engine option and the device path. If our device is located at /dev/crypt0 we can use the following command

Generate Symmetric Key Openssl Using Rand 2

encrypt_openssl.txt
For symmetric encryption, you can use the following:
To encrypt:
openssl aes-256-cbc -salt -a -e -in plaintext.txt -out encrypted.txt
To decrypt:
openssl aes-256-cbc -salt -a -d -in encrypted.txt -out plaintext.txt
For Asymmetric encryption you must first generate your private key and extract the public key.
openssl genrsa -aes256 -out private.key 8912
openssl rsa -in private.key -pubout -out public.key
To encrypt:
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
To decrypt:
openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt
Source: http://bsdsupport.org/2007/01/q-how-do-i-use-openssl-to-encrypt-files/
You can't directly encrypt a large file using rsautl. Instead, do something like the following:
Generate a key using openssl rand, e.g. openssl rand -out keyfile 32
Encrypt the key file using openssl rsautl
Encrypt the data using openssl enc, using the generated key from step 1.
Package the encrypted key file with the encrypted data. The recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.
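
The four steps above as a runnable script, added here and not part of the original text. It uses openssl pkeyutl with OAEP padding in place of openssl rsautl (which is deprecated in OpenSSL 3.0); the function and file names are hypothetical, and OpenSSL 1.1.1 or later is assumed for -pbkdf2.

```shell
#!/bin/sh
# Added example; function names and bundle member names are hypothetical.

# hybrid_encrypt <recipient_public.pem> <infile> <bundle.tar>
hybrid_encrypt() (
    pub=$1; src=$2; bundle=$3
    umask 077
    work=$(mktemp -d) || exit 1
    rc=1
    # 1. Session key: 32 random bytes, base64 so the key file is one text line
    #    (-pass file: reads only the first line of the file).
    openssl rand -base64 32 > "$work/session.key" &&
    # 2. Wrap the session key with the recipient's RSA public key.
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key" -out "$work/session.key.enc" &&
    # 3. Encrypt the data under the session key (CBC gives no integrity check).
    openssl enc -aes-256-cbc -salt -pbkdf2 \
        -pass "file:$work/session.key" -in "$src" -out "$work/data.enc" &&
    # 4. Package the wrapped key together with the ciphertext.
    tar -cf "$bundle" -C "$work" session.key.enc data.enc && rc=0
    rm -rf "$work"          # the plaintext session key never leaves $work
    exit "$rc"
)

# hybrid_decrypt <recipient_private.pem> <bundle.tar> <outfile>
hybrid_decrypt() (
    priv=$1; bundle=$2; out=$3
    umask 077
    work=$(mktemp -d) || exit 1
    rc=1
    # Extract only the two expected member names from the bundle.
    tar -xf "$bundle" -C "$work" session.key.enc data.enc &&
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key.enc" -out "$work/session.key" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/session.key" \
        -in "$work/data.enc" -out "$out" && rc=0
    rm -rf "$work"
    exit "$rc"
)
```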
Ultimate solution for safely and securely encrypting any file with OpenSSL on the command line:
You should have an X.509 certificate in PEM format ready for encrypting files.
NOTE: You can generate an X.509 certificate using:
Private key generation (encrypted private key):
openssl genrsa -aes256 -out private.pem 8912
openssl rsa -in private.pem -pubout -out public.pem
With unencrypted private key:
openssl req -x509 -nodes -days 100000 -newkey rsa:8912 -keyout private_key.pem -out certificate.pem
With encrypted private key:
openssl req -x509 -days 100000 -newkey rsa:8912 -keyout private_key.pem -out certificate.pem
With existing encrypted (unencrypted) private key:
openssl req -x509 -new -days 100000 -key private_key.pem -out certificate.pem
To encrypt:
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform PEM yourSslCertificate.pem
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
For text files:
openssl smime -encrypt -aes-256-cbc -in input.txt -out output.txt -outform DER yourSslCertificate.pem
openssl smime -encrypt -aes-256-cbc -in input.txt -out output.txt -outform PEM yourSslCertificate.pem
What is what:
smime - ssl command for S/MIME utility (smime(1))
-encrypt - chosen method for file process
-binary - use safe file process. Normally the input message is converted to 'canonical' format as required by the S/MIME specification; this switch disables it. It is necessary for all binary files (like images, sounds, ZIP archives).
-aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). If not specified, 40 bit RC2 is used (very weak).
-in plainfile.zip - input file name
-out encrypted.zip.enc - output file name
-outform DER - encode output file as binary. If it is not specified, the file is encoded by base64 and the file size will be increased by 30%.
yourSslCertificate.pem - file name of your certificate. That should be in PEM format.
That command can very effectively and strongly encrypt any file regardless of its size or format.
To decrypt:
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
openssl smime -decrypt -binary -in encrypted.zip.enc -inform PEM -out decrypted.zip -inkey private.key -passin pass:your_password
For text files:
openssl smime -decrypt -in encrypted_input.txt -inform DER -out decrypted_input.zip -inkey private.key -passin pass:your_password
openssl smime -decrypt -in encrypted_input.txt -inform PEM -out decrypted_input.zip -inkey private.key -passin pass:your_password
What is what:
-inform DER - same as -outform above
-inkey private.key - file name of your private key. That should be in PEM format and can be encrypted by password.
-passin pass:your_password - the password your private key is encrypted with. (http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS)
Source: http://stackoverflow.com/questions/7143514/how-to-encrypt-a-large-file-in-openssl-using-public-key


commented Sep 22, 2015

I guess this:
openssl -in private.key -pubout -out public.key
should look like:
openssl rsa -in private.key -pubout -out public.key


commented Feb 6, 2018

Can we use public key directly with smime command for encryption of a large file?
