You are on page 1of 5

Tomcat web server

Sometimes I need to encrypt some stuff but do not want to install PGP or GPG. I typically use
OpenSSL for this kind of thing and have written a simple frontend script to achieve strong
password based encryption using OpenSSL. Sometimes you need public / private key
encryption though, below will show you how to do it using just OpenSSL.
Public/Private key encryption is a method used usually when you want to receive or send data
to thirdparties. The system requires everyone to have 2 keys one that they keep secure the
private key and one that they give to everyone the public key. Data encrypted using the
public key can only ever be unencrypted using the private key. This method of encryption that
uses 2 keys is called asymmetric encryption.
So by example if Person A want to send Person B data in a secure fashion she just have to
encrypt it with Person Bs public key, only Person B can then open the file using her private
key. There are other advantages to this kind of encryption. If I met you in person and gave you
my public key, I can send you something electronically using my private key to encrypt it, if
the public key you have can decrypt that data then you can trust that it was sent by me, its
mathematical proof of identity. This is the basis for Digital Signatures.
Using OpenSSL on the command line youd first need to generate a public and private key,
you should password protect this file using the -passout argument, there are many different
forms that this argument can take so consult the OpenSSL documentation about that.
$ openssl genrsa -out private.pem 1024

This creates a key file called private.pem that uses 1024 bits. This file actually have both the
private and public keys, so you should extract the public one from this file:
$ openssl rsa -in private.pem -out public.pem -outform PEM -pubout

Youll now have public.pem containing just your public key, you can freely share this with 3rd
You can test it all by just encrypting something yourself using your public key and then
decrypting using your private key, first we need a bit of data to encrypt:
$ echo 'too many secrets' > file.txt

You now have some data in file.txt, lets encrypt it using OpenSSL and the public key:
$ openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out

This creates an encrypted version of file.txt calling it file.ssl, if you look at this file its just
binary junk, nothing very useful to anyone. Now you can unencrypt it using the private key:
$ openssl rsautl -decrypt -inkey private.pem -in file.ssl -out

You will now have an unencrypted file in decrypted.txt:

$ cat decrypted.txt<br>
too many secrets

All of these examples use the RSA encryption method, some hard core mathematical
information about it here.
There are a fair few limitations to this approach it will only encrypt data up to the key size
for example. And you really should never encrypt english plain text using a method like this.
Youd use this to safely encrypt a random generated password and then aes encrypt the actual
text you care about. Look in the comments for examples of that.

Author R.I. Pienaar

Category Code Usefull Things
Tag linux sysadmin
Comments 26 Comments


michael ossareh
02/15/2006 - 13:40
Ive yet to try this. You say that the encrypted file is binary junk, one of the nice things
about GPG/PGP is that you can ascii armour it, so your binary junk is now ascii junk
making it more resilient when sending via email. I dont see anything like this in
openssls man page. Is there such functionality to you knowledge?

02/15/2006 - 19:30
yeah rsautl cant do ASCII mode, the other encryption methods in openssl can though
the linked crypt script has that option.
All mail clients though have sorted out attaching binary data without options though,
the mail clients mime encodes data, seems more appropriete for the mail clients to
make the data SMTP friendly to me anyway.

03/25/2006 - 17:02
Thanks! Ive been looking all over for this!

06/12/2006 - 17:03
If I have some pretty big file to encrypt, the above method is not good enough. The
best way to do that is to encrypt the file using secret key and then to encrypt secret key
using public/private pair of keys. My question is how can I encrypt my big file with
secret key using openssl?

06/15/2006 - 01:07
Basically, it boils down to this:
Generate secretkey:
dd if=/dev/random of=secretkey bs=1k count=1
Symmetric encryption:
openssl enc -blowfish -pass file:secretkey < bigfile >
Symmetric decryption:
openssl enc -d -blowfish -pass file:secretkey < > bigfile.
Who dislikes the idea of binary junk, look at converters/base64.


10/19/2006 - 19:00
Would there be any issues with using a real cert (like one issued for email from

10/19/2006 - 19:02
It only uses the keys, not the certificates so Verisign and co doesnt come into play.

10/19/2006 - 19:03
Ok..I tried it with a real cert I exported from thunderbird that was issued to me from
As a test I did the following
1. Exported my certificate from thunderbird as a pkcs12 (.p12)
formatted file (its the only format it will let me export it as)
2. Converted it to a PEM formatted file
openssl pkcs12 -clcerts -in cert.p12 -out cert.pem
3. Extracted the public key
openssl rsa -in cert.pem -out public.pem -outform PEM -pubout
4. Tried to encrypt a file using the public key
openssl rsautl -encrypt -inkey cert.pem -pubin -in test.pdf -out

RSA operation error
1047:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too
large for key size:rsa_pk1.c:151:
Im missing something fundamental somehowany help would be greatly