How to encrypt a large file using openssl?

OpenSSL

OpenSSL is a valuable tool for general-purpose cryptography and secure communication, and it does various tasks, including encrypting files. Most Linux distributions install the device by default; if not, you can install it using your package manager.

Before encrypting a file using OpenSSL, let us have a basic understanding of encryption.

Encryption is a method of encoding a message to protect its contents from prying eyes. There are two types in general −

• Symmetric or secret-key encryption

• Asymmetric or public-key encryption

Secret-key encryption uses the same key for encryption and decryption, whereas publickey encryption uses separate keys for encryption and decryption.

Each method has advantages and disadvantages. Public-key encryption is more secure than secret-key encryption because it addresses concerns about securely sharing keys, and secret-key encryption is faster than public-key encryption.

Using them together maximises the benefits of each type's strengths

Public key Encryption

Public key encryption uses two sets of keys, It is called a key pair.

• Public key

• Private key

The public key can be freely shared with anyone you want to communicate secretly with. Private key should be kept private and never shared.

Encryption is performed using public keys. If you want to share sensitive information with someone, you can send them your public key, to encrypt messages or files before sending them to you. Decryption is accomplished through private keys, and you can only decrypt your sender's encrypted message using your private key.

Encrypting file using OpenSSL

Let us assume two users, Sachin and Mohit, who want to communicate with each other by exchanging encrypted files using OpenSSL.

You must first generate a pair of keys before you can encrypt files. You'll also need a passphrase, which you'll need to remember every time you use OpenSSL, so make sure to remember it.

Sachin generates his key pair set using this command

$ openssl genrsa -aes128 -out sachin_private.pem 1024
[root@localhost ~]# openssl genrsa -aes128 -out sachin_private.pem 1024

Generating RSA private key, 1024 bit long modulus
.....................................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for sachin_private.pem:
Verifying - Enter pass phrase for sachin_private.pem:
[root@localhost ~]#

This command uses “genrsa” command of OpenSSL to generate 1024 bit public/private key pair.

It also uses aes128, a symmetric key algorithm, to encrypt the private key generated by Sachin using genrsa.

[root@localhost ~]# ls -l sachin_private.pem
-rw-r--r--. 1 root root 986 Sep 23 21:21 sachin_private.pem
[root@localhost ~]# file sachin_private.pem
sachin_private.pem: PEM RSA private key
[root@localhost ~]#

Mohit will follow the same procedure to create his key pair

openssl genrsa -aes128 -out mohit_private.pem 1024

[root@localhost ~]# openssl genrsa -aes128 -out mohit_private.pem 1024
Generating RSA private key, 1024 bit long modulus
........++++++
..............................++++++
e is 65537 (0x10001)
Enter pass phrase for mohit_private.pem:
Verifying - Enter pass phrase for mohit_private.pem:
[root@localhost ~]#

Extracting public key

Sachin must extract his public key and save it to a file using the following command

openssl rsa -in sachin_private.pem -pubout > sachin_public.pem

Enter pass phrase for sachin_private.pem:

writing RSA key

Mohit can follow the same procedure to extract public key.

Exchanging public keys

Public keys will not be of any use to both users until they exchange them with each other. There are many methods available for sharing the public key. Copying public keys to each other’s workstation by using scp command is one of them.

If you want to send Sachin’s public key to Mohit’s workstation, you can execute the following command

scp sachin_public.pem mohit@mohit-machine-or-ip:/path/

To send Mohit’s public key to Sachin’s workstation, execute the following command

scp mohit_public.pem sachin@sachin-machine-or-ip:/path/

Now Sachin has the Mohit’s public key and vice versa.

Exchanging encrypted message with a public key

Sachin needs to use the openssl -encrypt command to encrypt this secret message. He has to supply the tool with three inputs −

• The name of the file that contains the secret message

• Mohit’s public key (file)

The name of a file where the encrypted message will be stored

You can use the following command to encrypt the message.

openssl rsautl -encrypt -inkey mohit_public.pem -
pubin -in file_name.txt -out file_name.enc

Note − if you openssl version is 3.0 or above use pkeyutl in place of rsautl, rest all the parameters remain the same.

You can send this file to Mohit's workstation by using scp command, if he uses the usual method to read it, he won't be able to read this file. He requires the three pieces of information to decrypt the message.

The encrypted file

His private key

A file name to save the decrypted output

Openssl rsautl -decrypt -inkey mohit_private.pem -
in file_name.enc > file_name.txt

Now Mohit can read the file that Sachin sent him.

Conclusion

We can say the OpenSSl is a program and library that supports many cryptographic functions −

• Symmetric key generation

• Public/Private key pair generation

• Public key encryption

• Hash functions

• Certificate creation and so on.

In the above article, we have seen how to encrypt a large file using OpenSSL. How we can send a file in a secure way and communication between two users by using OpenSSL. We have also seen symmetric and asymmetric encryption, their advantages, and disadvantages.