OpenSsl is taking ages to generate - symfony

$ openssl genrsa -out config/jwt/private.pem -aes256 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
....................++++
...............................................................++++
And it has been stuck here for an hour.
I'm using the following bundle in Symfony 5.3:
composer require "lexik/jwt-authentication-bundle"
When I ran the command below, I got the following error:
$ php bin/console lexik:jwt:generate-keypair
[critical] Error thrown while running command
"lexik:jwt:generate-keypair". Message: "There are no commands
defined in the "lexik:jwt" namespace."
There are no commands defined in the "lexik:jwt" namespace.
So I ran the following commands, but they are taking ages and didn't generate the keys.
openssl genrsa -out config/jwt/private.pem -aes256 4096
openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem

Related

Add password to openssl .pem file from -password

I am generating a .pem file using openssl using the command:
openssl genrsa -aes256 -out ca.key.pem 4096
It is working great but when I do this:
openssl genrsa -aes256 -out ca.key.pem 4096 -password pass:abcd
It is still asking me for a password in the terminal and not automatically taking the supplied password.
I've tried generating certificates before and it works for them eg.
openssl pkcs12 -name username -inkey cert/key.key -in abc.pem -export -out cert.p12 -password pass:abcd
You're very close to the goal! The key size must be the last parameter, and -password must be replaced with -passout:
openssl genrsa -aes256 -out ca.key.pem -passout pass:abcd 4096
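The option ordering from the answer above, applied to the key pair from the first question, as an added example that is not part of the original posts. The function names and the JWT_PASSPHRASE variable are hypothetical; the passphrase is read with env: rather than pass: so it stays out of the command line.

```shell
#!/bin/sh
# Added example: gen_keypair, key_is_encrypted, keys_match and the
# JWT_PASSPHRASE variable are hypothetical names, not part of any bundle.

# gen_keypair DIR [BITS]: write DIR/private.pem (AES-256 encrypted) and
# DIR/public.pem without prompting. The passphrase comes from the
# environment, so it is not part of the command line that ps shows.
gen_keypair() {
    dir=$1
    bits=${2:-4096}
    if [ -z "${JWT_PASSPHRASE:-}" ]; then
        echo "JWT_PASSPHRASE must be set" >&2
        return 2
    fi
    export JWT_PASSPHRASE           # env: only sees exported variables
    mkdir -p "$dir" || return 1
    # Options first, key size last (the ordering the answer points out).
    # stderr (progress dots) is discarded; the exit status is still checked.
    ( umask 077
      openssl genrsa -aes256 -passout env:JWT_PASSPHRASE \
          -out "$dir/private.pem" "$bits" 2>/dev/null ) || return 1
    openssl rsa -pubout -passin env:JWT_PASSPHRASE \
        -in "$dir/private.pem" -out "$dir/public.pem" 2>/dev/null
}

# True when the PEM file holds an encrypted private key. Both the
# traditional and the PKCS#8 PEM forms carry the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True when the public key file belongs to the private key file
# (same RSA modulus).
keys_match() {
    priv=$(openssl rsa -in "$1" -passin env:JWT_PASSPHRASE \
               -noout -modulus 2>/dev/null) || return 1
    pub=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}
```
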

memory buffer routines:BUF_MEM_grow_clean:malloc while decrypt files bigger than 1.5 GB

I have a basic script that backs up, compresses and encrypts a MySQL dump:
mysqldump --events --routines --triggers --add-drop-database \
--compress --hex-blob --opt --skip-comments --single-transaction \
my-database | \
xz -c | \
/usr/bin/openssl smime \
-encrypt \
-aes256 \
-binary \
-out /mnt/test.sql.xz.enc \
-outform DER /path/to/cert.pem
To encrypt basically this command is used:
openssl smime -encrypt -aes256 -binary -out test.sql.xz.enc -outform DER cert.pem
To decrypt normally I use:
openssl smime -decrypt -in test.sql.xz.enc -binary -inform DER -inkey private.key -out sql.xz
Over time this has been working both ways, encrypting and decrypting, but now that the compressed data has reached more than 1.5GB, I am getting this error while decrypting:
Error reading S/MIME message
34380825992:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/buffer/buffer.c:150:
34380825992:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_d2i_fp.c:239:
I have moved the file to a bigger instance (4 cores, 8GB RAM) but still have the issue.
Therefore I am wondering if there is a size limit while encrypting using the smime option, and what options could be used to encrypt/decrypt files in the order of gigabytes.
For now, I am testing with the option -stream, which seems to be working:
openssl smime -encrypt -aes256 -stream -binary -out test.sql.xz.enc -outform DER cert.pem
but I don't know what the limit will be, so any possible alternatives or ideas are more than welcome.

How to encrypt a file with AES using OpenSSL?

I am new to shell scripting. In my project there is a requirement to keep all the sensitive data in encrypted format. To achieve this I need to use openssl as a command-line tool. I tried the following command:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
It is not asking me to enter a password, and it is not showing anything. Please help me to solve this problem.
I had the same issue with openssl not providing any output. Executed the same using winpty and it worked as expected:
$ winpty openssl enc -salt -aes-256-cbc -in file -out file.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ git --version
git version 2.14.1.windows.1
If the question is indeed, "How do I encrypt a file with AES" then I think this line might work, found from either here, or here.
openssl enc -aes-256-cbc -salt -in secrets.txt -out secrets.txt.enc

Error:aes-256-cbc: not found [No such file or directory]

I am running a Unix script in which I am passing a USERNAME and a PASSWORD to isql to connect to a Sybase database. I have used the commands below to encrypt and decrypt the password that I am passing to the isql command, but I am getting the error below.
openssl aes-256-cbc -salt -in sybase_pwd.txt -out SybasePad.txt.enc -pass file:SybasePadKey.txt
openssl aes-256-cbc -d -salt -in SybasePad.txt.enc -pass file:SybasePadKey.txt
I am using the above command to encrypt and decrypt but I am getting this error:
error:aes-256-cbc: not found [No such file or directory]
But when I run the same command in PuTTY it works fine. Could you please assist me?
#!/bin/ksh
export SCRIPT_HOME=/tmp/REGCOM
cd ${SCRIPT_HOME}
DBPASSWORDENC=openssl aes-256-cbc -salt -in sybase_pwd.txt -out SybasePad.txt.enc -pass file:SybasePadKey.txt
DBPASSWORD=openssl aes-256-cbc -d -salt -in SybasePad.txt.enc -pass file:SybasePadKey.txt
echo $DBPASSWORDENC
echo $DBPASSWORD
exit
Posted sample script but still the same error.
You're running this in ksh, not in bash as you originally tagged, but the same thing would happen in both. You're running
DBPASSWORDENC=openssl aes-256-cbc ....
which is actually running command aes-256-cbc with environment variable DBPASSWORDENC set to openssl.
You likely want something like:
DBPASSWORDENC=$(openssl aes-256-cbc ....)
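The difference the answer describes, as an added example that is not part of the original posts. The function names are hypothetical, the file names follow the question's script, and -pbkdf2 (OpenSSL 1.1.1 and later) is an addition to the question's commands.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
#   NAME=value cmd args   runs "cmd" with NAME=value in its environment
#   NAME=$(cmd args)      runs "cmd" and stores its standard output in NAME

# encrypt_password PLAINTEXT_FILE KEY_FILE OUTPUT_FILE
encrypt_password() {
    openssl aes-256-cbc -salt -pbkdf2 -in "$1" -out "$3" -pass "file:$2"
}

# decrypt_password ENCRYPTED_FILE KEY_FILE: prints the plaintext on stdout
decrypt_password() {
    openssl aes-256-cbc -d -pbkdf2 -in "$1" -pass "file:$2"
}

# The form from the question: the shell looks for a program called
# "aes-256-cbc", does not find it, and the call ends with status 127.
# Nothing is stored in DBPASSWORD.
broken_assignment() {
    DBPASSWORD=openssl aes-256-cbc -d -pbkdf2 -in "$1" -pass "file:$2" 2>/dev/null
}

# The corrected form: command substitution captures the decrypted text.
# $(...) strips the trailing newline, so the value can be compared or
# handed to a client as is. A failed decryption leaves DBPASSWORD unset.
load_password() {
    unset DBPASSWORD
    DBPASSWORD=$(decrypt_password "$1" "$2") || { unset DBPASSWORD; return 1; }
    [ -n "$DBPASSWORD" ]
}
```

The encryption step writes to a file with -out, so it has no output worth capturing; only the decryption needs `$(...)`. Avoid echoing the decrypted value, since it would end up in job logs.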

How can I encrypt data with a public key in Node.js? [duplicate]

In crypto, I see only Signer/Verifier for doing digital signature and Cipher/Decipher with symmetric key encryption.
How do I encrypt data with public key?
As mentioned in the official nodejs api docs here:
crypto.publicEncrypt(key, buffer)
Encrypts the content of buffer with key and returns a new Buffer with encrypted content. The returned data can be decrypted using the corresponding private key, for example using crypto.privateDecrypt().
If key is not a KeyObject, this function behaves as if key had been
passed to crypto.createPublicKey(). If it is an object, the padding
property can be passed. Otherwise, this function uses
RSA_PKCS1_OAEP_PADDING.
Because RSA public keys can be derived from private keys, a private
key may be passed instead of a public key.
So the answer is:
var encrypted = crypto.publicEncrypt(publicKey, buffer);
You might be interested in my NaCl bindings. From its API:
// Encrypt and sign
box(message, nonce, pubkey, privkey)
// Decrypt and validate
unbox(box, nonce, pubkey, privkey)
// Generates a new keypair, returns {private: <buffer>, public: <buffer>}
boxKeypair()
// Lengths of nonces and public and private keys in bytes
// { nonce: x, pubkey: x, privkey: x }
lengths.box
Yet another approach is using Cryptographic Message Syntax (CMS). It's not a pure Node.js solution, but you likely have all tools you need in the box. Below is the example using OpenSSL:
Generate x509 certificate (recipient) and private key files (in Bash):
openssl req -nodes -new -x509 -keyout key.pem -out cert.pem
Encrypt/Decrypt message from standard input (in Bash):
echo 123 | openssl cms -encrypt -recip cert.pem | openssl cms -decrypt -inkey key.pem
You can use -in/-out parameters to work with files. Below is an example you can use for Node.js:
require('child_process').execSync("openssl cms -encrypt -in file.json -recip cert.pem -out file.json.cms")
On Linux you'll likely have OpenSSL installed already. You can get OpenSSL on Windows by installing Git Bash, although you can also use built-in PowerShell commands. You'll need to generate a PFX certificate (using New-SelfSignedCertificate) or install an existing one (which can be generated with OpenSSL too). Once the certificate is installed in the certificate store, you can use the commands below for encryption/decryption:
Protect-CmsMessage -to CN=MyCertName -Path file.json -OutFile file.json.cms
Unprotect-CmsMessage -Path file.json.cms # It will find the proper cert in the cert store for you
Below is an example of how to generate .pem and PFX certificates from the same private key using OpenSSL, and make messages interchangeable between OpenSSL and PowerShell.
Generate certificate with extensions (that's required on Windows):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj '/CN=MyCertName' -addext extendedKeyUsage=1.3.6.1.4.1.311.80.1 -addext keyUsage=keyEncipherment
The above snippet will work only for newer versions of OpenSSL (1.1.1). Otherwise you need a separate file to define extensions. Then generate a PFX certificate (protect it with some password):
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem -passout pass:P#ssw0rd
Then copy that PFX file to your Windows machine. You should be able to install it via PowerShell (Import-PfxCertificate) or manually (click on it and follow the wizard, using all defaults). In order to make messages interchangeable, use the -inform / -outform parameters when using OpenSSL. For example:
openssl cms -encrypt -in file.json -recip cert.pem -outform PEM
openssl cms -decrypt -in file.json.cms -inkey key.pem -inform PEM
# If having both OpenSSL/PowerShell on the same OS, use this for testing:
echo test | Protect-CmsMessage -to CN=MyCertName | openssl cms -decrypt -inform PEM -inkey key.pem
Btw, the CmsMessage commands will be available on PowerShell Core 7.1, so you can use it on Linux/Mac too (it's in preview now, and a stable version will be released in Dec 2020).
