Asymmetric Cryptography in OpenSSL - Encrypted Key

By Darío Rivera
Posted in Laravel

In previous posts we saw conceptually how asymmetric cryptography works and how to encrypt messages in two different ways (with the public or the private key) and with two different goals (confidentiality or authenticity). If you are not familiar with this, the following links contain everything you need to catch up with what we will cover in today's post.

- Asymmetric Cryptography in OpenSSL - Public Key
- Asymmetric Cryptography in OpenSSL - Private Key

As we have seen, the genrsa command lets us create our own private key, from which our public key is also derived. But what happens if you store your private key on a USB stick and, by some twist of fate, it gets stolen or someone else gets hold of it? In the worst case your digital identity is stolen: that person can send authentic messages on your behalf, or decrypt messages that were encrypted for you with your public key. How do we improve the security of our private key so that it is not exposed to such misfortunes? The answer is to encrypt the private key itself.

When a private key is protected with a passphrase-based encryption algorithm, every time we want to encrypt or decrypt a message with that key we are prompted for the passphrase. This means the encrypted private key is of little use to anyone who gets hold of it, since they do not know our passphrase. Let's see how to encrypt our private key, but first let's generate a new public/private key pair.

Key Generation

To generate the private and public keys, we can use the following commands:

openssl genrsa -out key.pem 1024
openssl rsa -in key.pem -pubout -out pub-key.pem

After generating the public key (pub-key.pem) and private key (key.pem), we can proceed to encrypt our private key with a secure passphrase.

Encryption of the Private Key

To encrypt the private key we will use the Triple DES (3DES, -des3) algorithm. You can use whichever encryption algorithm you prefer; what really matters in this post is that the passphrase is strong. One of the most widely used and secure choices is AES-128 (-aes128).

openssl rsa -in key.pem -des3 -out enc-key.pem

You will be prompted to enter the passphrase with which the private key will be encrypted.

writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The final product is the enc-key.pem file, and its content will be similar to the one shown below.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DF3ADE28E0C17D49

hLQq/7AQ0TD2NtrjOs0Nuoeaa+j/F0M0NH91WvwWBOaVENV8vn3Cbmbwm7fTaGsW
xJ+5qQBqNAJRWDo7tYbOr0Qp24qse4hQykhjHoqSEmeLq0sbkIYYWArErQjAwUJF
QvuTZjRBCZ6dMSd0qFMC/Cm398+Uy1rQf3RUN7Qc93da7IAX8b4lagH3Yutiy5oZ
Vczoz+5o9wauobb87Gb09SzYUVA0Y1S5u3yn9VtTNTov21/14Xsw5hAInmDnMOWR
acxmzSL5OiL/syysg5Qe6DCmbTlxbWyApZ9zsEQbGdZzO/5l9D1i5jWcFeo75HlY
bcyXxBql02GvQ0vwkV5ISA1fBcw73dkRiuq03zwg4Hf/G0od3u6PRVzU9+Dhmq9X
yy/EGx8VrW9fmO3qmbSq6OAjjvvpjnqfiup7PfWS2Sp4HxSi12yEuL9tHVYvXEea
t0dFF1KZfcN2nzq+0HXqtE/IZgqL2U4IkezNdSFit2/ATISDJsfPQmNkWwMC1L8X
CzOgD3zjERedhxQMVTCznZoEmsCWacfSJli98IoYsZyWBynS9IIJWcDOa54Ho4K2
p/VNSdyaCHDPkbEMhdbNELujGHs1JOi1tYTve5z8KNgiliBL/sc8yb7unoSZ3nqC
8s+DV/riL5kue3uQJFP9LLHhQSrbVQ1vZ5LJkAqHT6d5qyHXGlxqiuB2dIpPtMt7
RMAyJgVdZ07Z/QOOorv/S/I016tL+p38HW8Qv0p0NmIzdsdmfAeP9XUCdujN1jsk
LqTsaK62lrKbWgYrTucgDnDJF7eUzEsgvow6sgux5u0QC/V07nCZIw==
-----END RSA PRIVATE KEY-----

Encryption with Public Key

To encrypt a message in the file message.txt with the public key pub-key.pem, we must use the openssl rsautl command with the -encrypt option.

openssl rsautl -encrypt -inkey pub-key.pem -pubin -in message.txt -out message.enc

The result of this execution is the file message.enc, which can be decrypted with the same command and the -decrypt option, this time with the encrypted private key. Because enc-key.pem is encrypted, OpenSSL prompts for its passphrase before decrypting.

openssl rsautl -decrypt -inkey enc-key.pem -in message.enc -out message.dec

The file message.dec now contains the original message.

Encryption with Private Key (encrypted)

To encrypt (sign) a message in the file message.txt with the encrypted private key enc-key.pem, we must use the openssl rsautl command with the -sign option. As before, OpenSSL prompts for the passphrase of enc-key.pem.

openssl rsautl -sign -inkey enc-key.pem -in message.txt -out message.enc

The result of this execution is the file message.enc, from which the original message can be recovered with the same command using our public key and the -verify option.

openssl rsautl -verify -inkey pub-key.pem -pubin -in message.enc -out message.dec

The file message.dec now contains the original message.
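The whole workflow of this post, from protecting the key to decrypting and signing with it, as an added shell example that is not part of the original post. It deliberately differs from the commands above in three ways: AES-256 instead of 3DES, a 2048-bit key instead of 1024, and pkeyutl in place of the deprecated rsautl; the passphrase and messages are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post. Protects the private key with
# a passphrase and shows what that buys: the encrypted PEM is rejected without
# the passphrase, while decryption and signing still work once it is supplied.
# Choices that differ from the post: AES-256 instead of 3DES, a 2048-bit key
# instead of 1024, and pkeyutl (the supported successor of rsautl).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='correct horse battery staple'   # constructed demo passphrase

# -aes256 encrypts the key as it is generated; equivalent to generating it in
# the clear and then running "openssl rsa -in key.pem -aes256 -out enc-key.pem".
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/enc-key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/enc-key.pem" -passin "pass:$PASS" -pubout \
  -out "$WORK/pub-key.pem" 2>/dev/null

# Succeeds if the PEM carries an encryption marker (Proc-Type/DEK-Info headers
# on OpenSSL 1.x, "BEGIN ENCRYPTED PRIVATE KEY" on OpenSSL 3).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Succeeds only if the key can be loaded with the given passphrase.
key_unlocks_with() { openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1; }

# Confidentiality: encrypt to the public key, decrypt with the protected private key.
encrypt_decrypt() {
  printf '%s' "$1" > "$WORK/message.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub-key.pem" \
    -in "$WORK/message.txt" -out "$WORK/message.enc"
  openssl pkeyutl -decrypt -inkey "$WORK/enc-key.pem" -passin "pass:$2" \
    -in "$WORK/message.enc"
}

# Authenticity: sign with the protected private key, recover with the public key.
sign_recover() {
  printf '%s' "$1" > "$WORK/message.txt"
  openssl pkeyutl -sign -inkey "$WORK/enc-key.pem" -passin "pass:$2" \
    -in "$WORK/message.txt" -out "$WORK/message.sig"
  openssl pkeyutl -verifyrecover -pubin -inkey "$WORK/pub-key.pem" \
    -in "$WORK/message.sig"
}

key_is_encrypted "$WORK/enc-key.pem" && echo "enc-key.pem is passphrase-protected"
key_unlocks_with "$WORK/enc-key.pem" 'wrong passphrase' || echo "wrong passphrase rejected"
encrypt_decrypt 'secret for the key holder' "$PASS"; echo
sign_recover 'signed by the key holder' "$PASS"; echo
```

With an interactive workflow you would omit -passin/-passout and let OpenSSL prompt, exactly as the post shows; pass:... is used here only so the script runs unattended.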


About Darío Rivera

Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.
