Thursday, 15 April 2010

Encrypting with OpenSSL

Lately I've been immersed in new projects that create certificates with the OpenSSL tool, and I found the file-encryption part interesting. With a few simple steps we can encrypt and decrypt our documents and share information safely. I've tested both versions (for Linux and Windows), and the following example is for Windows.

You can find a small distribution of OpenSSL for Windows here. Once there, you need to download the full version (with source). This one copies all the libraries you need to generate certificates and encrypt documents. The OpenSSL application is installed in the following path: C:\OpenSSL\bin. You can also download and install the version available from "Shining Light Productions". The version I've tested is Win32 OpenSSL v0.9.8m.

To encrypt a file, run the following command at the command prompt:
C:\OpenSSL\bin>openssl aes-256-cbc -a -salt -in "fileToencrypt.rar" -out "fileToEncrypt.rar.enc"
  • openssl The command that launches OpenSSL.
  • aes-256-cbc The encryption algorithm used is 256-bit AES (in CBC mode).
  • -a The encrypted file is written in base64.
  • -salt Adds a salt to strengthen the encryption.
  • -in Input file.
  • -out Output file.
For decryption, we only need to run:
C:\OpenSSL\bin>openssl aes-256-cbc -d -a -in "fileToEncrypt.rar.enc" -out "fileToencrypt.rar"
  • -d Decrypts instead of encrypting.
  • -a The encrypted file is in base64.
  • -in Input file.
  • -out Output file.
We can play with all these parameters, and we'll find more information on the help page.
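
What -a and -salt leave in the output file, as an added example that is not part of the original post: the Python below decodes the base64 file, reads the 8-byte salt behind the Salted__ header, and derives the AES key and IV the way OpenSSL releases before 1.1.0 (such as the 0.9.8m tested here) do by default, with a single MD5 pass (EVP_BytesToKey). The passphrase, the salts and the sample file are constructed for the example, and the ciphertext bytes are placeholders.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header openssl enc writes when -salt is used


def parse_enc(text):
    """Decode `openssl enc -a -salt` output and return (salt, ciphertext)."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    if raw[:8] != MAGIC:
        raise ValueError("no Salted__ header: not produced with -salt")
    salt, body = raw[8:16], raw[16:]
    if len(salt) != 8 or not body or len(body) % 16:
        raise ValueError("truncated file: CBC output is whole 16-byte blocks")
    return salt, body


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16):
    """Single-iteration MD5 chain (EVP_BytesToKey) -> (key, iv) for aes-256-cbc."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def make_sample(salt, blocks=2):
    """Constructed sample file: real header layout, placeholder ciphertext."""
    b64 = base64.b64encode(MAGIC + salt + bytes(16 * blocks)).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n"


if __name__ == "__main__":
    passphrase = b"example passphrase"  # constructed
    for salt in (bytes(range(8)), bytes(range(8, 16))):  # constructed salts
        salt_read, body = parse_enc(make_sample(salt))
        key, iv = evp_bytes_to_key(passphrase, salt_read)
        # Same passphrase, different salt -> unrelated key and IV.
        print(salt_read.hex(), len(body), key.hex()[:16], iv.hex())
```

Because the key comes from one unstretched hash of the passphrase and salt, the protection of a file encrypted this way rests on the strength of the passphrase.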

If on Windows you get this error message:

unable to load config info from /usr/local/ssl/openssl.cnf

you only need to add the option -config openssl.cfg at the end of the OpenSSL command.
You can find a short description of the problem here.

Then, if we want to create a small certificate, we can do it with a simple command like this:
C:\OpenSSL\bin>openssl req -x509 -newkey rsa:2048 -keyout key.pem -days 3650 -out certificate.pem
After running it, you'll need to fill in all the required fields, and then your certificate will be generated.

C:\OpenSSL\bin>openssl req -x509 -newkey rsa:2048 -keyout key.pem -days 3650 -out certificate.pem
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Australia
Locality Name (eg, city) []:Sidney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sky
Organizational Unit Name (eg, section) []:Sky
Common Name (eg, YOUR name) []:Test
Email Address []
If you open the certificate.pem you'll get something like this:

