Asymmetric Cryptography in OpenSSL - Encrypted Key

By Darío Rivera

Posted On 2023-05-31 in Laravel

In previous posts, we have conceptually seen how asymmetric cryptography works and how to encrypt messages in two different ways (with public or private key) and with different goals (confidentiality or authenticity). If you are not familiar with all of this, in the following links, you can find all the necessary information to catch up with what we will see in today's post.

- Asymmetric Cryptography in OpenSSL - Public Key
- Asymmetric Cryptography in OpenSSL - Private Key

As we have seen, the genrsa command allows us to create our own private key, from which our public key is also derived. However, what happens if you decide to store your secret key on a USB stick and, by some twist of fate, it gets stolen or someone else gets hold of it? In the worst-case scenario, your digital identity is stolen, and this person could send authentic messages on your behalf or decrypt those that have been sent to you and encrypted with your public key. How do we improve the security of our private key so that it is not susceptible to such adversities? The answer is encrypting our private key.

When a private key is protected with an encryption algorithm, every time we want to encrypt or decrypt a message with this key, we will be prompted for that passphrase. This means that it will be of little help if someone else possesses our encrypted private key since they won't know our password. Let's see how to encrypt our private key. But before that, let's generate a new pair of public and private keys.

Key Generation

To generate the private and public keys, we can use the following commands:

openssl genrsa -out key.pem 1024
openssl rsa -in key.pem -pubout -out pub-key.pem

After generating the public key (pub-key.pem) and private key (key.pem), we can proceed to encrypt our private key with a secure passphrase.

Encryption of the Private Key

To encrypt the private key, we will use the triple des (3-des) encryption algorithm. You can use the encryption algorithm of your preference; what really matters in this post is that the encryption password is secure. One of the most commonly used and secure algorithms is AES128 (-aes128).

openssl rsa -in key.pem -des3 -out enc-key.pem

You will be prompted to enter the passphrase with which the private key will be encrypted.

writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The final product is the enc-key.pem file, and its content will be similar to the one shown below.

Encryption with Public Key

To encrypt a message in the file message.txt with the public key pub-key.pem, we must use the openssl rsautl command with the -encrypt option.

openssl rsautl -encrypt -inkey pub-key.pem -pubin -in message.txt -out message.enc

The result of this execution is the file message.enc, which can be decrypted using the same command with the -decrypt option.

openssl rsautl -decrypt -inkey enc-key.pem -in message.enc -out message.dec

The content of the file message.dec will contain the original message.

Encryption with Private Key (encrypted)

To encrypt a message in the file message.txt with the enc-key.pem private key, we must use the openssl rsautl command with the -encrypt option.

openssl rsautl -inkey enc-key.pem -in message.txt -sign > message.enc

The result of this execution is the file message.enc, which can be decrypted using the same command in the following way using our public key.

openssl rsautl -inkey pub-key.pem -pubin -in message.enc -out message.dec

The content of the file message.dec will contain the original message.

Key Generation

Encryption of the Private Key

Encryption with Public Key

Encryption with Private Key (encrypted)

Categories