How to encrypt a large file with a public key in OpenSSL

Posted 2024-12-01 03:11:04

How can I encrypt a large file with a public key so that no one other than whoever has the private key is able to decrypt it?

I can make RSA public and private keys but when it comes to encrypting a large file using this command:

openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml

And how can I perform the decryption also?

I create my private and public key with the following commands:

openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout

I get this error:

RSA operation error
3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151:

I tried to make keys with sizes from 1024 to 1200 bits; no luck, same error.

Comments (8)

苦笑流年记忆 2024-12-08 03:11:04

Public-key crypto is not for encrypting arbitrarily long files. One uses a symmetric cipher (say AES) to do the normal encryption. Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key). The ciphertext together with the encrypted symmetric key is transferred to the recipient. The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.

The private key is never shared, only the public key is used to encrypt the random symmetric cipher.

贵在坚持 2024-12-08 03:11:04

Solution for safely and securely encrypting any file with OpenSSL on the command line:

You should have an X.509 certificate in PEM format ready for encrypting files.

Encrypt file:

openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem

What is what:

  • smime - ssl command for the S/MIME utility (smime(1))
  • -encrypt - chosen method for file processing
  • -binary - use safe file processing. Normally the input message is converted to "canonical" format as required by the S/MIME specification; this switch disables it. It is necessary for all binary files (like images, sounds, ZIP archives).
  • -aes-256-cbc - chosen cipher, AES with a 256-bit key, for encryption (strong). If not specified, 40-bit RC2 is used (very weak). (Supported ciphers)
  • -in plainfile.zip - input file name
  • -out encrypted.zip.enc - output file name
  • -outform DER - encode the output file as binary. If it is not specified, the file is base64 encoded and its size increases by 30%.
  • yourSslCertificate.pem - file name of your certificate. It should be in PEM format.

That command can very effectively and strongly encrypt big files regardless of their format.
Known issue:
Something goes wrong when you try to encrypt a huge file (>600MB). No error is thrown, but the encrypted file will be corrupted. Always verify each file! (Or use PGP, which has better support for file encryption with public keys.)

Decrypt file:

openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password

What is what:

  • -inform DER - same as -outform above
  • -inkey private.key - file name of your private key. It should be in PEM format and can be encrypted with a password.
  • -passin pass:your_password - your password for the private key encryption. (passphrase arguments)
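
The S/MIME approach above, reworked as an added example (not the answerer's commands) using the newer openssl cms command. Two things differ from the answer: -stream makes OpenSSL encode the output as it goes instead of buffering the whole file, which is the usual fix for the ">600MB" problem, and the same enveloped-data file is encrypted to two recipients, a primary and a backup certificate, so either private key can open it. The certificate names, CN values and file names are assumptions for the demo; the self-signed certificates are generated inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer): CMS enveloped-data encryption
# with `openssl cms`, streaming so the whole file is never held in memory,
# to two recipients (primary + backup). CMS generates the AES-256 content key
# itself and wraps it once per recipient, so no manual key handling is needed.
# All file names and CN values below are assumptions for this demo.
set -eu

# Self-signed certificate + private key for one recipient. In real use the
# recipient hands you only the certificate (the public half).
make_recipient() {  # make_recipient primary  -> primary.key / primary.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Encrypt plaintext $1 into DER-encoded CMS $2 for every certificate listed
# after it. Key transport is OpenSSL's default (RSAES-PKCS1-v1_5).
cms_encrypt() {  # cms_encrypt plaintext output.cms cert1.crt [cert2.crt ...]
  in=$1; out=$2; shift 2
  openssl cms -encrypt -binary -aes-256-cbc -stream -outform DER \
    -in "$in" -out "$out" "$@"
}

# Decrypt with one recipient's private key and matching certificate.
# Fails (non-zero exit) when the key belongs to none of the recipients.
cms_decrypt() {  # cms_decrypt input.cms output.file recipient.key recipient.crt
  openssl cms -decrypt -binary -inform DER -in "$1" -out "$2" \
    -inkey "$3" -recip "$4"
}

# The answer's "always verify each file" step: 0 when the round trip matches.
roundtrip_ok() {  # roundtrip_ok original decrypted
  cmp -s "$1" "$2"
}
```

The cms(1) manual documents that customised key-transport parameters need the -recip form, e.g. -recip primary.crt -keyopt rsa_padding_mode:oaep, if you want RSA-OAEP instead of PKCS#1 v1.5. Keep the verification step: AES-CBC inside CMS does not authenticate the ciphertext, so a clean exit status from decryption is not proof that the file is intact.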
影子的影子 2024-12-08 03:11:04

I found the instructions at http://www.czeskis.com/random/openssl-encrypt-file.html useful.

To paraphrase the linked site with filenames from your example:

Generate a symmetric key because you can encrypt large files with it

openssl rand -base64 32 > key.bin

Encrypt the large file using the symmetric key

openssl enc -aes-256-cbc -salt -in myLargeFile.xml \
  -out myLargeFile.xml.enc -pass file:./key.bin

Encrypt the symmetric key so you can safely send it to the other
person

openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.enc

Destroy the un-encrypted symmetric key so nobody finds it

shred -u key.bin

At this point, you send the encrypted symmetric key (key.bin.enc)
and the encrypted large file (myLargeFile.xml.enc) to the other
person

The other person can then decrypt the symmetric key with their private
key using

openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.bin

Now they can use the symmetric key to decrypt the file

openssl enc -d -aes-256-cbc -in myLargeFile.xml.enc \
  -out myLargeFile.xml -pass file:./key.bin

And you're done. The other person has the decrypted file and it was safely sent.

把人绕傻吧 2024-12-08 03:11:04

You can't directly encrypt a large file using rsautl. Instead, do something like the following:

  1. Generate a key using openssl rand, e.g. openssl rand -out keyfile 32
  2. Encrypt the key file using openssl rsautl
  3. Encrypt the data using openssl enc, using the generated key from step 1.
  4. Package the encrypted key file with the encrypted data. The recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.
却一份温柔 2024-12-08 03:11:04

Encrypting a very large file using smime is not advised, since you might be able to encrypt large files using the -stream option but not decrypt the resulting file due to hardware limitations; see: problem decrypting big files

As mentioned above, public-key crypto is not for encrypting arbitrarily long files. Therefore the following commands will generate a pass phrase, encrypt the file using symmetric encryption and then encrypt the pass phrase using the asymmetric (public) key. Note: the smime step uses a primary public key and a backup key to encrypt the pass phrase. A backup public/private key pair would be prudent.

Random Password Generation

Set up the RANDFILE value to a file accessible by the current user, generate the passwd.txt file and clean up the settings

export OLD_RANDFILE=$RANDFILE
export RANDFILE=~/rand1
openssl rand -base64 2048 > passwd.txt
rm ~/rand1
export RANDFILE=$OLD_RANDFILE

Encryption

Use the commands below to encrypt the file using the passwd.txt contents as the password and AES256, writing a base64 (-a option) file. Encrypt passwd.txt using asymmetric encryption into the file XXLarge.crypt.pass with a primary public key and a backup key.

openssl enc -aes-256-cbc -a -salt -in XXLarge.data -out XXLarge.crypt -pass file:passwd.txt
openssl smime -encrypt -binary -in passwd.txt -out XXLarge.crypt.pass -aes256 PublicKey1.pem PublicBackupKey.pem
rm passwd.txt

Decryption

Decryption simply decrypts the XXLarge.crypt.pass to passwd.tmp, decrypts the XXLarge.crypt to XXLarge2.data, and deletes the passwd.tmp file.

openssl smime -decrypt -binary -in XXLarge.crypt.pass -out passwd.tmp -aes256 -recip PublicKey1.pem -inkey PublicKey1.key
openssl enc -d -aes-256-cbc -a -in XXLarge.crypt -out XXLarge2.data -pass file:passwd.tmp
rm passwd.tmp

This has been tested against >5GB files.

5365295400 Nov 17 10:07 XXLarge.data
7265504220 Nov 17 10:03 XXLarge.crypt
      5673 Nov 17 10:03 XXLarge.crypt.pass
5365295400 Nov 17 10:07 XXLarge2.data
月朦胧 2024-12-08 03:11:04

To expand on n. 'pronouns' m.'s answer:

Public-key crypto is not for encrypting arbitrarily long files. One
uses a symmetric cipher (say AES) to do the normal encryption. Each
time a new random symmetric key is generated, used, and then encrypted
with the RSA cipher (public key). The ciphertext together with the
encrypted symmetric key is transferred to the recipient. The recipient
decrypts the symmetric key using his private key, and then uses the
symmetric key to decrypt the message.

Here is the flow of encryption:

+---------------------+      +--------------------+
|                     |      |                    |
| generate random key |      |   the large file   |
|        (R)          |      |        (F)         |
|                     |      |                    |
+--------+--------+---+      +----------+---------+
         |        |                     |
         |        +------------------+  |
         |                           |  |
         v                           v  v
+--------+------------+     +--------+--+------------+
|                     |     |                        |
| encrypt (R) with    |     | encrypt (F)            |
| your RSA public key |     | with symmetric key (R) |
|                     |     |                        |
|  ASym(PublicKey, R) |     |     EF = Sym(F, R)     |
|                     |     |                        |
+----------+----------+     +------------+-----------+
           |                             |
           +------------+ +--------------+
                        | |
                        v v
         +--------------+-+---------------+
         |                                |
         |   send these files to the peer |
         |                                |
         |     ASym(PublicKey, R) + EF    |
         |                                |
         +--------------------------------+

And the flow of decryption:

   +----------------+        +--------------------+
   |                |        |                    |
   | EF = Sym(F, R) |        | ASym(PublicKey, R) |
   |                |        |                    |
   +-----+----------+        +---------+----------+
         |                             |
         |                             |
         |                             v
         |   +-------------------------+-----------------+
         |   |                                           |
         |   |             restore key (R)               |
         |   |                                           |
         |   | R <= ASym(PrivateKey, ASym(PublicKey, R)) |
         |   |                                           |
         |   +---------------------+---------------------+
         |                         |
         v                         v
     +---+-------------------------+---+
     |                                 |
     |       restore the file (F)      |
     |                                 |
     |      F <= Sym(Sym(F, R), R)     |
     |                                 |
     +---------------------------------+

Besides, you can use these commands:

# generate random symmetric key
openssl rand -base64 32 > /config/key.bin

# encryption
openssl rsautl -encrypt -pubin -inkey /config/public_key.pem -in /config/key.bin -out /config/key.bin.enc
openssl aes-256-cbc -a -pbkdf2 -salt -in  $file_name -out $file_name.enc -kfile /config/key.bin

# now you can send these files: $file_name.enc + /config/key.bin.enc

# decryption
openssl rsautl -decrypt -inkey /config/private_key.pem -in /config/key.bin.enc -out /config/key.bin
openssl aes-256-cbc -d -a -pbkdf2 -in $file_name.enc -out $file_name -kfile /config/key.bin
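
The flow diagrammed above, and the equivalent command sequences in the answers by 苦笑流年记忆, 影子的影子 and 把人绕傻吧, pulled into one runnable script as an added example (not code from any of the answers). It keeps the hybrid structure R + EF but changes three things a reviewer would flag in the original commands: openssl pkeyutl with RSA-OAEP/SHA-256 replaces the deprecated rsautl and its PKCS#1 v1.5 padding, the key is 3072 bits rather than the 1024 bits in the question, and an HMAC-SHA256 tag over the ciphertext is checked before decryption because AES-CBC alone gives no integrity. The unencrypted keys exist only in shell variables and a pipe, so there is nothing to shred afterwards. File names and the bundle layout (.ct, .mac, .hdr) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from any answer above): hybrid encryption with the
# OpenSSL CLI. RSA-OAEP wraps a random AES-256 key, an HMAC key and an IV;
# the file itself is AES-256-CBC encrypted and then HMAC-SHA256 tagged
# (encrypt-then-MAC). File names and the bundle layout are assumptions.
set -eu

gen_keypair() {  # gen_keypair private.pem public.pem
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# Sender: random keys/IV -> ciphertext $3.ct, tag $3.mac, wrapped secrets $3.hdr.
# The three hex strings (163 bytes with newlines) fit in one OAEP block:
# a 3072-bit key with SHA-256 OAEP holds up to 384 - 2*32 - 2 = 318 bytes.
hybrid_encrypt() {  # hybrid_encrypt recipient_pub.pem plaintext bundle_prefix
  enc_key=$(openssl rand -hex 32)
  mac_key=$(openssl rand -hex 32)
  iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$2" -out "$3.ct"
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" "$3.ct" \
    | awk '{print $NF}' > "$3.mac"
  printf '%s\n%s\n%s\n' "$enc_key" "$mac_key" "$iv" \
    | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$3.hdr"
}

# Recipient: unwrap the secrets, verify the tag BEFORE touching the
# ciphertext with AES, then decrypt. Returns 1 and writes nothing on mismatch.
hybrid_decrypt() {  # hybrid_decrypt private.pem bundle_prefix plaintext_out
  hdr=$(openssl pkeyutl -decrypt -inkey "$1" -in "$2.hdr" \
          -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
  enc_key=$(printf '%s\n' "$hdr" | sed -n 1p)
  mac_key=$(printf '%s\n' "$hdr" | sed -n 2p)
  iv=$(printf '%s\n' "$hdr" | sed -n 3p)
  want=$(cat "$2.mac")
  have=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" "$2.ct" \
           | awk '{print $NF}')
  if [ "$want" != "$have" ]; then
    echo "hybrid_decrypt: HMAC mismatch, ciphertext modified or wrong key" >&2
    return 1
  fi
  openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$2.ct" -out "$3"
}
```

Ship $3.ct, $3.mac and $3.hdr together; only the holder of private.pem can recover the header, and a recipient who skips the tag check is back to unauthenticated CBC. The string comparison in hybrid_decrypt is not constant-time, which is acceptable for an offline file tool but not for a network service; there use an AEAD or a constant-time compare.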
瀟灑尐姊 2024-12-08 03:11:04

To safely encrypt large files (>600MB) with openssl smime you'll have to split each file into small chunks:

# Splits large file into 500MB pieces
split -b 500M -d -a 4 INPUT_FILE_NAME input.part.

# Encrypts each piece
find -maxdepth 1 -type f -name 'input.part.*' | sort | xargs -I % openssl smime -encrypt -binary -aes-256-cbc -in % -out %.enc -outform DER PUBLIC_PEM_FILE

For the sake of information, here is how to decrypt and put all pieces together:

# Decrypts each piece
find -maxdepth 1 -type f -name 'input.part.*.enc' | sort | xargs -I % openssl smime -decrypt -in % -binary -inform DER -inkey PRIVATE_PEM_FILE -out %.dec

# Puts all together again
find -maxdepth 1 -type f -name 'input.part.*.dec' | sort | xargs cat > RESTORED_FILE_NAME
落花浅忆 2024-12-08 03:11:04

Maybe you should check out the accepted answer to this (How to encrypt data in php using Public/Private keys?) question.

Instead of manually working around the message size limitation (or perhaps a trait) of RSA, it shows how to use the S/MIME feature of OpenSSL to do the same thing without needing to juggle the symmetric key manually.
