-------------------------------------------------------------------------------
Using OpenSSL to public-key encrypt files

Another set of docs on this is
https://gist.github.com/dreikanter/c7e85598664901afae03fedff308736b
-------------------------------------------------------------------------------

Basic example... (hybrid encryption: a random symmetric key protects the
message, and the receiver's RSA public key protects that symmetric key)

NOTE: This part only ensures the receiver can decrypt the message. It does NOT
prove who sent it, and "openssl enc" adds no integrity check, so a modified
ciphertext is not detected. See the next section for the digital signature,
which covers both.

NOTE: "rsautl" is deprecated since OpenSSL 3.0. "pkeyutl" takes the same
-encrypt/-decrypt/-sign/-verify flags and additionally allows
"-pkeyopt rsa_padding_mode:oaep" instead of the PKCS#1 v1.5 padding default.

---Receiver Preparation---

The receiver creates public and private keys

  Generate (the private key file is passphrase-protected with AES-256)
    openssl genrsa -aes256 -out key.pem 2048

  Extract public key
    openssl rsa -in key.pem -pubout > key.pub

  The public key is sent to the sender

  For more information on the key...
    openssl rsa -in key.pem -text -noout

---Sender---

Sender encrypts a symmetric key using the receiver's public key

  Generate secret key (48 random bytes, base64-encoded to exactly one
  64-character line, which is what "-pass file:" reads)
    openssl rand -base64 -out session_key 48

  Encrypt it with the receiver's public key
    openssl rsautl -pubin -inkey key.pub -encrypt \
        -in session_key -out session_key.enc

  Encrypt message ("-aes256" means aes-256-cbc; "-pbkdf2 -iter N" replaces
  the weak single-iteration password-to-key derivation that enc uses by
  default, OpenSSL 1.1.1 or later)
    openssl enc -e -aes256 -pbkdf2 -iter 200000 -pass file:session_key \
        -in message.tgz -out message.tgz.enc

  Both the encrypted message and the public-key-encrypted secret key are
  sent to the receiver

---Receiver---

Receiver recovers the message

  Decrypt the secret key file using the private key
    openssl rsautl -decrypt -inkey key.pem \
        -in session_key.enc -out session_key

  Secret key used to decrypt the message (same -pbkdf2 -iter as the sender)
    openssl enc -d -aes256 -pbkdf2 -iter 200000 -pass file:session_key \
        -in message.tgz.enc -out message.tgz

-------------------------------------------------------------------------------
Digital signatures..
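The whole sender/receiver exchange from this section as one runnable script. This is an added example, not code from the notes above or from the linked gist. It swaps in pkeyutl with RSA-OAEP for the deprecated rsautl and adds PBKDF2 to the enc step; file names (key.pem, key.pub, session_key, session_key.enc) follow the notes, while the temp directory, the unencrypted private key and the sample message are assumptions made so it runs unattended. Requires the openssl CLI, 1.1.1 or later.

```shell
#!/bin/sh
# Hybrid public-key file encryption with the OpenSSL CLI (OpenSSL 1.1.1+).
# Added example; not the code of the notes above or the linked gist.
# File names follow the notes; temp dir and sample message are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Receiver preparation: RSA key pair; only key.pub is handed to the sender.
# (No passphrase so the script runs unattended; use -aes256 interactively.)
receiver_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null
    openssl rsa -in key.pem -pubout -out key.pub 2>/dev/null
}

# Sender: fresh random session key, wrapped with the receiver's public key
# (RSA-OAEP/SHA-256 via pkeyutl, the non-deprecated replacement for rsautl),
# then the message encrypted under that key with AES-256-CBC + PBKDF2.
# $1 = plaintext file; produces $1.enc and session_key.enc
sender_encrypt() {
    openssl rand -base64 -out session_key 48          # one 64-char line
    openssl pkeyutl -encrypt -pubin -inkey key.pub \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in session_key -out session_key.enc
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass file:session_key -in "$1" -out "$1.enc"
    rm -f session_key                                  # only the wrapped copy is sent
}

# Receiver: unwrap the session key with the private key, then decrypt.
# $1 = ciphertext file, $2 = output file
receiver_decrypt() {
    openssl pkeyutl -decrypt -inkey key.pem \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in session_key.enc -out session_key.dec
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass file:session_key.dec -in "$1" -out "$2"
    rm -f session_key.dec
}

# Returns 0 when $1 survives the encrypt/decrypt round trip unchanged.
roundtrip_ok() {
    sender_encrypt "$1"
    receiver_decrypt "$1.enc" "$1.dec"
    cmp -s "$1" "$1.dec"
}

# Demo on a constructed sample message.
printf 'secret report, do not forward\n' > message.txt
receiver_keygen
if roundtrip_ok message.txt; then
    echo "round trip OK: $(wc -c < session_key.enc | tr -d ' ') byte wrapped key"
else
    echo "round trip FAILED" >&2
    exit 1
fi
```

The wrapped key is always 256 bytes for a 2048-bit RSA key, whatever the message size, which is the whole reason for the hybrid scheme: RSA wraps a short key, the symmetric cipher carries the bulk. Nothing here authenticates the ciphertext, so in practice pair it with the signature from the next section.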
Sender creates hash of the message
  openssl dgst -sha256 -out hash message.tgz
  (NOTE: without -binary this writes the text line "SHA256(message.tgz)= <hex>",
  not the raw 32-byte digest; that is fine here because both sides produce and
  compare the same text)

And turns that hash into a digital signature, using their own private key
  openssl rsautl -sign -in hash -inkey senders_key.pem -out signature

This is sent to the receiver who verifies it

---

Receiver creates a hash of the message received
  openssl dgst -sha256 -out hash message.tgz

Decrypt the received signature
  openssl rsautl -verify -in signature -pubin -inkey sender.pub -out hash2

Now compare the two hashes to see that the message is unchanged and that it
originated from the sender (according to his public key)
  cmp hash hash2

NOTE: "rsautl -sign" is a raw PKCS#1 v1.5 private-key operation over whatever
is in the input file (no DigestInfo encoding, no hash identifier), so the
result is not a standard RSA signature that other tools will verify. The
standard form hashes and signs in one step and is what to use in practice:
  openssl dgst -sha256 -sign senders_key.pem -out signature message.tgz
  openssl dgst -sha256 -verify sender.pub -signature signature message.tgz
The verify command prints "Verified OK" and exits 0, or prints
"Verification Failure" and exits 1.

-------------------------------------------------------------------------------
Certificates...  # this is not clear as yet!

Request a certificate (a CSR: the public key plus the subject name, signed
with the matching private key)
  openssl req -new -key key -out request

To self-sign a certificate request
  openssl x509 -req -in request -signkey private-key -out certificate

To sign a request for a year with a CA key and CA certificate ({serial} is a
file holding the next serial number; -CAcreateserial creates it if missing)
  openssl x509 -days 365 -CAserial {serial} -CA ca-certificate \
      -CAkey ca-key -in request -req -out certificate

Visualise a certificate
  openssl x509 -in certificate -text -noout

Verify a certificate (checks that the signature chains to ca-certificate and
that the validity dates are current)
  openssl verify -CAfile ca-certificate certificate
-------------------------------------------------------------------------------
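The signature and certificate sections above combined into one runnable script, added here as an example and not taken from the notes: a small CA issues a certificate to the sender, the receiver checks the certificate against the CA, pulls the public key out of it and then verifies the signature, and both a modified file and a self-signed certificate that merely claims the sender's name are rejected. It uses the standard "dgst -sign"/"dgst -verify" form rather than rsautl. The CA name, subject names, file names and the minimal req config are assumptions; every key is generated on the spot. Requires the openssl CLI.

```shell
#!/bin/sh
# Signing and verification, then the same check done through a CA-issued
# certificate. Added example; not code from the notes above. The CA name,
# subject names and file names are assumptions; all keys are generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf;
# the subject is always passed with -subj.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

genkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Standard RSA signature: dgst hashes the file with SHA-256, wraps the digest
# in the PKCS#1 DigestInfo structure and signs it (what "rsautl -sign" skips).
# $1 = private key, $2 = file, $3 = signature output
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# Returns 0 for a valid signature, 1 otherwise (output suppressed).
# $1 = PEM public key, $2 = file, $3 = signature
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }

# Self-signed CA certificate: the trust anchor for "openssl verify -CAfile".
make_ca() {
    genkey ca.key
    openssl req -new -x509 -config req.cnf -key ca.key -subj "/CN=Example Test CA" \
        -days 365 -out ca.crt
}

# CSR from the holder's key, signed by the CA for one year. -CAcreateserial
# creates ca.srl, the serial-number file the notes call {serial}.
# $1 = name; produces $1.key, $1.csr, $1.crt
issue_cert() {
    genkey "$1.key"
    openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$1.crt" 2>/dev/null
}

# Returns 0 when $1 chains to ca.crt and is within its validity period.
verify_cert() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# Public key out of a certificate, so the signature check uses a key the CA
# has tied to a name rather than a bare key.pub received out of band.
pubkey_from_cert() { openssl x509 -in "$1" -pubkey -noout > "$2"; }

# Demo: alice signs; the receiver checks the certificate, then the signature,
# then sees a modified file and an untrusted certificate rejected.
make_ca
issue_cert alice
printf 'release notes v1\n' > message.txt
sign_file alice.key message.txt message.sig
if verify_cert alice.crt; then
    pubkey_from_cert alice.crt alice.pub
    verify_file alice.pub message.txt message.sig && echo "certificate and signature OK"
fi
printf 'x' >> message.txt
verify_file alice.pub message.txt message.sig || echo "modified file rejected"
genkey mallory.key
openssl req -new -x509 -config req.cnf -key mallory.key -subj "/CN=alice" -days 365 -out mallory.crt
verify_cert mallory.crt || echo "self-signed certificate claiming to be alice rejected"
```

The order matters: the certificate check comes first, because a valid signature only means "whoever holds the private key for this public key signed this"; the CA's signature on the certificate is what ties that key to the name. Without it mallory.crt, which carries the same CN, would look just as good.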