OpenSSL is a software library for applications that secure communications over computer networks. Is a C library that implements the main cryptographic operations like symmetric encryption, public-key encryption, digital signature, hash functions, etc. Cryptography Foundations
OpenSSL contains an open-source implementation of the SSL and TLS protocols.
The OpenSSL Software Foundation (OSF) represents the OpenSSL project in most legal capacities including contributor license agreements, managing donations, and so on. OpenSSL Software Services (OSS) also represents the OpenSSL project, for Support Contracts.
OpenSSL is available for most Unix-like operating systems (including Linux, macOS, and BSD) and Microsoft Windows.
The source code can be downloaded from www.openssl.org
There are several forks of OpenSSL project.
LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.
BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs. Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is.
On Ubuntu Linux distribution
On Ubuntu Linux distribution, OpenSSL is usually already available; however, it can be installed using the following commands:
$ sudo apt-get install openssl
- Install Homebrew
- To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the terminal:
$ brew install openssl
- Install Chocolatey
- To install OpenSSL - The Open Source SSL and TLS toolkit, run the following command from the command line or from PowerShell:
choco install openssl.light --version=126.96.36.199
Checking the version of OpenSSL
$ openssl version -a
To list OpenSSL commands run the following command on a terminal.
$ openssl list-standard-commands
See a brief description of each command: STANDARD COMMANDS
OpenSSL secret key encryption algorithms
To list OpenSSL secret key encryption algorithms run the following command on a terminal.
$ openssl list-cipher-commands
See a brief description of each command: ENCODING AND CIPHER COMMANDS
How to encrypt and decrypt using AES
Encrypting Using Passwords
OpenSSL makes it easy to encrypt/decrypt files using a passphrase. Unfortunately, pass phrases are usually “terrible” and difficult to manage and distribute securely.
$ openssl aes-256-cbc -in secret.txt -out secret.txt.enc ... enter aes-256-cbc encryption password: **** Verifying - enter aes-256-cbc encryption password: ****
Note that secret.txt.enc is a binary file; sometimes, it is desirable to encode this binary file into a text format for compatibility/interoperability reasons. The following command can be used to do that:
$ openssl enc -base64 -in secret.txt.enc -out secret.txt.enc.b64 $ cat secret.txt.enc.b64 ... U2FsdGVkX19rgggeH83tOHp0kpmseWLw0tBJqvYA9QRtYuj9pHn5u30T5A5pBcwH
In order to decode from base64, the following commands are used. Take the secret.txt.enc.b64 file from the previous example:
$ openssl enc -d -base64 -in secret.txt.enc.b64 -out secret.txt.enc
Decrypting Using Passwords
$ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec ... enter aes-256-cbc decryption password: ****
Encrypting Using pseudo-random bytes key.
$ openssl rand 192 -out key $ openssl aes-256-cbc -in secret.txt -out secret.txt.enc -pass file:key $ tar -zcvf secret.tgz *.enc
Decrypting Using pseudo-random bytes key.
$ tar -xzvf secret.tgz $ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec -pass file:key
Sharing the file:key using rsautl
Assuming that id_rsa.pub is the public key you want to use and that id_rsa is the private key the recipient will use, and secret.txt is the data you want to transmit…
$ openssl rand 192 -out key $ openssl aes-256-cbc -in secret.txt -out secret.txt.enc -pass file:key $ openssl rsautl -encrypt -pubin -inkey ~/.ssh/id_rsa.pub -in key -out key.enc $ tar -zcvf secret.tgz *.enc
$ tar -xzvf secret.tgz $ openssl rsautl -decrypt -ssl -inkey ~/.ssh/id_rsa -in key.enc -out key $ openssl aes-256-cbc -d -in secret.txt.enc -out secret.txt.dec -pass file:key
How to encrypt and decrypt using RSA
Generating the private key
$ openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:1024 ............++++++ ........++++++
After executing the command, a file named privatekey.pem is produced, which contains the generated private key. This is shown as follows:
$ cat privatekey.pem -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALtVw+eLI95poiqN YOJlt3udH5rq70K0pwx6nXJhhZRsMD767RAFjbZThhJ3QCDvd8K7s/IvR29Jeq3L IEDN2uM+nB1ZE5I5Hq901Qc1aLneQ4BMzSlzjYTIFfrpYX07EqWtAfOouk+zxp5I 12z4vV1kAU/W2WK4P98xZc9xd8WjAgMBAAECgYBigtxNA1cuW0AivkvHYhPVli+L iKWe317E6imnf27+ONI6HDvTZAg8a7miNkFr0GGa7pfW8FPRSsOPZrSkP1wtourj LVmENjKaUuSyIxxSTJ8sD70KFJ5xNRZe7bPgekF+q5TXUQzMLub31z+/iYca76Sy kdptaxBPD8OlC4XQWQJBAOnY4Mv3tpvLcQBxpUaRxUOGoVJ1+OCzpFIKHtgAlCMa pGXxPDXs89kePa8RNPn/vZDiswe/2WM2imfYAu8A0i8CQQDNFObubb4n/WRIdvxJ QMSYlmcFB3Lhe5ONbRpS1JMWmigtxpVWtSnKN8Y5nHOEAZyYYxeQcynta/ZwxCFr uGrNAkBl7L7GiFjSfRDq5Z3pLV4yuXqVK5BnuEUV8Q1SjqYCyvj+6e+ZfYcnilPO e4yAruRcQ0NPTGKfKMWYz4Ev1UbHAkEAqRn+HUXCUUkgIpxyBJjyQntp8PymXoS+ MxRuazQ7IJz2WmBvjXKORd7dhW2a1pNZo1G6AXLkdI/cQjmG8UK8VQJAJ2GmzyPL fwO9P1IFhBFV7eYAeoma3UuoeqH1/nDarPT6HPGVIZWILimgjKJSb8nNcYLSGijX eL0GJ/rWk5BgUw== -----END PRIVATE KEY-----
Generating the public key
As the private key is mathematically linked to the public key, it is possible to generate or derive the public key out of the private key. Taking the example of the preceding private key, the public key can be generated as shown here:
$ openssl rsa -pubout -in privatekey.pem -out publickey.pem writing RSA key
Public key can be viewed using a file reader or any text viewer, as shown here:
$ cat publickey.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7VcPniyPeaaIqjWDiZbd7nR+a 6u9CtKcMep1yYYWUbDA++u0QBY22U4YSd0Ag73fCu7PyL0dvSXqtyyBAzdrjPpwd WROSOR6vdNUHNWi53kOATM0pc42EyBX66WF9OxKlrQHzqLpPs8aeSNds+L1dZAFP 1tliuD/fMWXPcXfFowIDAQAB -----END PUBLIC KEY-----
Taking the public key generated, the command to encrypt a text file secret.txt can be constructed, as shown here:
openssl rsautl -encrypt -inkey publickey.pem -pubin -in secret.txt -out secret.txt.rsa.enc
In order to decrypt the RSA-encrypted file, using the private key, the following command can be used:
openssl rsautl -decrypt -inkey privatekey.pem -in secret.txt.rsa.enc -out secret.txt.rsa.dec