Asymmetric Cryptography in OpenSSL - Public Key

By Darío Rivera
Posted in Laravel

In the previous post we covered the basics of getting started with OpenSSL and its encryption algorithms. Today we go a little further and look at asymmetric cryptography, also called two-key or public-key cryptography.


Asymmetric cryptography, or two-key cryptography, is, as its name indicates, a cryptographic system that uses a pair of keys to send and receive messages. Both keys belong to the same person: one is public and the other is private. The owner must make sure the private key never ends up in anyone else's hands, while the public key is meant to be shared with other users so that they can exchange messages with the owner. Asymmetric cryptography can provide two properties of the information: confidentiality (the message is encrypted with the recipient's public key, so only the holder of the matching private key can read it) and authenticity (the sender signs with their private key, and anyone holding the public key can verify that signature).

In this post, we will focus on addressing confidentiality. That is, a message sent can only be decrypted by the person to whom it is directed. Let's see the following example.


Let's suppose that Steve wants to send a confidential message to Emily. Of course, both have chosen asymmetric cryptography for this purpose. For this scenario to be possible, only Emily's two keys (public and private) are needed. The following are the steps for sending and receiving the mentioned message.

  1. Steve writes the message he will send to Emily.
  2. Steve encrypts the message he will send with Emily's public key.
  3. Steve sends the message over the internet.
  4. Emily receives the encrypted message from Steve.
  5. Emily uses her private key to decrypt the message and read it.

As you can see, this simple scheme implies three things. First, messages are encrypted before they travel over a channel such as the internet (obvious, but worth stating). Second, the recipient must share their public key so that messages addressed to them can be encrypted with it; once encrypted, those messages can only be decrypted by the intended recipient, not even by the sender. Third, the recipient is presumed to be the only one holding the private key that decrypts the message, which is what makes it confidential. Two caveats a practitioner should keep in mind: the scheme only holds if Steve has Emily's genuine public key (someone who can swap in their own public key reads everything Steve sends), and encrypting with a public key proves nothing about who sent the message; that is the authenticity half, which uses the private key and is not covered in this post.

One of the best analogies I have found to understand this with a real-life example is the mailbox or mail slot. We can assume that the mailbox slot is the public key since it is exposed, and anyone who knows its location (our address) would be able to send us a message there. On the other hand, only the person who has the key to the mailbox can open the messages inside it. Essentially, only we possess the key, and therefore, the messages are confidential. This is very similar to asymmetric cryptography. Notice that even a person who has written us a message and inserted it in the slot (encrypted) will not be able to see it again (decrypt it).

Key Generation

To generate a private key, run openssl genrsa and give it the output file name and the key size in bits. The private key file produced this way, key.pem, is the one used throughout the rest of this post. One caveat: the 1024-bit size used when this post was written is no longer considered safe; use 2048 bits at minimum, and 3072 or 4096 for keys that must stay secure for years.

It is important to become familiar with the different outputs an openssl command can produce, so that you can recognise private keys, public keys, certificates and so on at a glance; the first line of a PEM file (its BEGIN header) tells you which one you are looking at.

By default the key is written in PEM format. To obtain it as DER instead, convert it with the openssl rsa command and the -outform option; genrsa itself only writes PEM, and the old NET format mentioned in older documentation is no longer supported by current OpenSSL releases.

openssl rsa -in key.pem -outform DER -out key.der

The private key file also contains the public components of the key. We extract them into a separate public key file with the following command:

openssl rsa -in key.pem -pubout -out pub-key.pem

The result of executing this command is the file pub-key.pem. Its contents are a base64-encoded block that opens with the line -----BEGIN PUBLIC KEY----- and ends with:

-----END PUBLIC KEY-----

That header/footer pair is how you tell a public key apart from a private key, whose PEM header reads -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----, depending on the OpenSSL version that wrote it.
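The following script is an added example, not code from the original post. It walks through the key generation section above with a 2048-bit key: it creates key.pem, extracts pub-key.pem, converts the private key to DER, and then shows how to tell the files apart and how to check that a public key really matches a private key (both share the same modulus, so a hash of the modulus works as a fingerprint). It assumes a POSIX shell and an OpenSSL 1.1.1 or newer command line on PATH; the file names are the post's own and are written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: generate an RSA key pair,
# inspect the resulting files, convert the private key to DER and confirm that
# the public key really belongs to the private key. Assumes a POSIX shell and
# OpenSSL 1.1.1 or newer on PATH; file names are the post's own, written to a
# temporary directory.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# The first PEM line names the object type: private key, public key, certificate...
pem_type() { head -n 1 "$1"; }

# Modulus (n) as a hex string. It is the same in the private and the public key.
modulus_of() {   # $1 = key file, $2 = PEM or DER, $3 = "pub" for a public key
    pub=""
    [ "${3:-}" = pub ] && pub="-pubin"
    openssl rsa -inform "$2" -in "$1" $pub -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# Key size in bits: the modulus of an RSA key always has its top bit set,
# so (number of hex digits * 4) is exact.
key_bits() { echo $(( $(modulus_of "$@" | tr -d '\n' | wc -c) * 4 )); }

# SHA-256 over the modulus: equal for a private key and the public key derived
# from it, so it doubles as a "does this pub-key.pem match key.pem" test.
key_fingerprint() { modulus_of "$@" | openssl sha256 | awk '{print $NF}'; }

# OpenSSL's own consistency check of the private components (p*q = n, d, ...).
key_is_consistent() { openssl rsa -in "$1" -check -noout >/dev/null 2>&1; }

# 1. Private key. 1024 bits (as in the original post) is too small today;
#    2048 is the accepted minimum, 3072 or 4096 for longer-lived keys.
openssl genrsa -out key.pem 2048 2>/dev/null
chmod 600 key.pem                       # the private key is for the owner only

# 2. Public key extracted from the private key.
openssl rsa -in key.pem -pubout -out pub-key.pem 2>/dev/null

# 3. PEM -> DER is a job for 'openssl rsa' (genrsa only writes PEM).
openssl rsa -in key.pem -outform DER -out key.der 2>/dev/null

echo "key.pem    : $(pem_type key.pem), $(key_bits key.pem PEM) bits"
echo "pub-key.pem: $(pem_type pub-key.pem)"
echo "fingerprint private: $(key_fingerprint key.pem PEM)"
echo "fingerprint public : $(key_fingerprint pub-key.pem PEM pub)"
key_is_consistent key.pem && echo "key.pem passes 'openssl rsa -check'"
```

The fingerprint comparison is the check to run whenever you receive a public key and a private key separately (for example a TLS certificate and its key): if the two fingerprints differ, the files do not belong together, whatever their names say.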

We now have our public key (pub-key.pem) and private key (key.pem). Let's see now how to send an encrypted message following the previously discussed scheme.


Let's assume that we want to send a message and we have the public key of the recipient, which in our case is pub-key.pem. To encrypt a message with this public key we use the openssl rsautl command with the -encrypt option (rsautl is deprecated since OpenSSL 3.0 in favour of openssl pkeyutl, which accepts the same -encrypt and -decrypt options).

echo "Hello world" > message.txt
openssl rsautl -encrypt -inkey pub-key.pem -pubin -in message.txt -out message.enc

The result of this execution is the file message.enc, which can be sent to the recipient. The recipient then decrypts it with essentially the same command, this time with the -decrypt option and their private key:

openssl rsautl -decrypt -inkey key.pem -in message.enc -out message.dec

The file message.dec now holds the original message. Three things to know before using this in practice. First, rsautl pads with PKCS#1 v1.5 unless you pass -oaep; OAEP is the padding to use in new systems, since v1.5 padding is exposed to padding-oracle (Bleichenbacher) attacks whenever the decrypting side leaks whether the padding was valid. Second, RSA can only encrypt a message shorter than the key: with a 1024-bit key and PKCS#1 v1.5 padding the limit is 117 bytes, so anything larger (a document, a file) is encrypted with a symmetric key and only that key is encrypted with RSA. Third, rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl provides the same -encrypt and -decrypt operations and selects the padding through -pkeyopt.
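The script below is an added example, not code from the original post. It runs the Steve and Emily exchange described earlier and the encrypt/decrypt commands from this section with the current OpenSSL command line: pkeyutl instead of the deprecated rsautl, OAEP padding with SHA-256, and a 2048-bit key. It then goes beyond the post in two ways that follow directly from the caveats above: it shows RSA refusing a message larger than the key allows, and it shows the standard hybrid construction (a random AES key for the data, RSA only for that key). It assumes a POSIX shell and OpenSSL 1.1.1 or newer on PATH, runs in a temporary directory, and reuses the post's file names; the helper names (rsa_encrypt, hybrid_encrypt and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the Steve -> Emily exchange
# with the current OpenSSL CLI. 'rsautl' is deprecated since OpenSSL 3.0;
# 'pkeyutl' replaces it and lets us select OAEP padding explicitly. Assumes a
# POSIX shell and OpenSSL 1.1.1 or newer on PATH; runs in a temporary directory
# using the post's file names. The hybrid part (AES for the data, RSA only for
# the AES key) goes beyond the post: it is the standard way around the
# message-size limit of raw RSA encryption.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# OAEP with SHA-256; the padding mode must be given before the OAEP digest.
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256"

# Steve: encrypt a short message to Emily's public key.
rsa_encrypt() {   # $1 = public key, $2 = plaintext file, $3 = ciphertext file
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" $OAEP 2>/dev/null
}
# Emily: decrypt with her private key; the padding options must match.
rsa_decrypt() {   # $1 = private key, $2 = ciphertext file, $3 = plaintext file
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" $OAEP 2>/dev/null
}

# Largest plaintext RSA-OAEP/SHA-256 accepts for a key of $1 bits:
# key bytes - 2 * hash bytes - 2 (190 bytes for 2048-bit, 62 for 1024-bit).
oaep_max_bytes() { echo $(( $1 / 8 - 2 * 32 - 2 )); }

# Hybrid encryption for messages of any length: a fresh 256-bit AES key
# protects the data (AES-256-CBC), RSA-OAEP protects only that key.
# CBC gives no integrity; a real system adds a MAC or a signature (the
# authenticity half of the post, not covered here).
# Output files: <prefix>.data, <prefix>.iv, <prefix>.key.enc
hybrid_encrypt() {  # $1 = public key, $2 = plaintext file, $3 = output prefix
    key=$(openssl rand -hex 32)
    openssl rand -hex 16 > "$3.iv"                          # IV is not secret
    openssl enc -aes-256-cbc -K "$key" -iv "$(cat "$3.iv")" -in "$2" -out "$3.data"
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" -out "$3.key.enc" $OAEP 2>/dev/null
}
hybrid_decrypt() {  # $1 = private key, $2 = input prefix, $3 = plaintext file
    key=$(openssl pkeyutl -decrypt -inkey "$1" -in "$2.key.enc" $OAEP 2>/dev/null)
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$2.iv")" -in "$2.data" -out "$3"
}

# Emily's key pair: only her keys are needed for confidentiality.
openssl genrsa -out key.pem 2048 2>/dev/null
openssl rsa -in key.pem -pubout -out pub-key.pem 2>/dev/null

# 1. The post's scenario: a short message.
echo "Hello world" > message.txt
rsa_encrypt pub-key.pem message.txt message.enc    # Steve, with pub-key.pem
rsa_decrypt key.pem message.enc message.dec        # Emily, with key.pem
echo "decrypted: $(cat message.dec)"

# 2. The failure mode: 200 bytes is more than a 2048-bit key can take.
awk 'BEGIN { for (i = 0; i < 200; i++) printf "A" }' > long.txt
if rsa_encrypt pub-key.pem long.txt long.enc; then
    echo "unexpected: RSA accepted a 200-byte message"
else
    echo "RSA-OAEP refused 200 bytes (limit $(oaep_max_bytes 2048)); use hybrid encryption"
fi

# 3. Hybrid: works for a 10 000-byte file (or any other size).
openssl rand -out big.bin 10000
hybrid_encrypt pub-key.pem big.bin big
hybrid_decrypt key.pem big big.dec
cmp -s big.bin big.dec && echo "hybrid round trip ok"
```

Note that the ciphertext produced by rsa_encrypt is always exactly the key size (256 bytes for a 2048-bit key) regardless of how short the message is, and that the same -pkeyopt values must be passed on both sides: decrypting an OAEP ciphertext with the default PKCS#1 v1.5 padding fails.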

About Darío Rivera


Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.


Only those who have achieved success know that it was always one step away from the moment they thought of giving up.