RSA Encryption and Signing

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical: a single RSA operation can only handle a message smaller than the modulus (the key size, minus padding overhead), so the data you encrypt or sign cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or RC4, et cetera) key to do symmetric encryption thereafter.[1]

Generate a private key. You can change the last number to the preferred modulus size. Keys greater than 4096-bit will take a long time to generate.[2]

openssl genrsa -out private.pem 4096

With the key file we can now encrypt the data (rsautl uses the public half of private.pem for encryption):

openssl rsautl -encrypt -inkey private.pem -in publicfile -out privatefile

To decrypt, just reverse it:

openssl rsautl -decrypt -inkey private.pem -in privatefile -out publicfile

If you would rather sign the data…

openssl rsautl -sign -inkey private.pem -in filetosign -out signed_data

To verify the signature, just use -verify (it recovers and prints the signed data):[3]

openssl rsautl -verify -inkey private.pem -in signed_data

[1] Another big reason is speed. AES is much, much faster than RSA.
[2] If you attempt to encrypt or sign data larger than your key length allows, you will receive an error similar to this:
    23465:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151:
[3] You can also use -hexdump or -raw to view the data in those forms.
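The hybrid pattern mentioned above (RSA wraps only a short symmetric key, AES carries the bulk data), as an added shell example that is not part of the original post; it also triggers the "data too large for key size" failure from note 2 on purpose. It assumes openssl is on PATH and uses a 2048-bit key so it runs quickly.

```shell
#!/bin/sh
# Added example (not from the original post): hybrid RSA + AES with the OpenSSL CLI.
# Assumes openssl is on PATH; uses a 2048-bit key for speed (the post uses 4096).

# Largest payload rsautl's default PKCS#1 v1.5 padding can wrap for a modulus of N bits.
rsa_pkcs1_max_bytes() {
    echo $(( $1 / 8 - 11 ))
}

hybrid_roundtrip() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
    # The sender needs only the public half; rsautl reads it with -pubin.
    openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null

    # Constructed sample data: 4000 random bytes, far beyond the 245-byte limit of a 2048-bit key.
    head -c 4000 /dev/urandom > "$dir/plain.bin"

    # Direct RSA encryption of the bulk data fails with "data too large for key size".
    direct="fails"
    if openssl rsautl -encrypt -pubin -inkey "$dir/public.pem" -in "$dir/plain.bin" -out "$dir/direct.enc" 2>/dev/null; then
        direct="succeeds"
    fi

    # Hybrid: a fresh AES-256 key and IV protect the data; only that key material goes under RSA.
    openssl rand -hex 32 > "$dir/aes.key"
    openssl rand -hex 16 > "$dir/aes.iv"
    openssl enc -aes-256-cbc -K "$(cat "$dir/aes.key")" -iv "$(cat "$dir/aes.iv")" -in "$dir/plain.bin" -out "$dir/data.enc"
    cat "$dir/aes.key" "$dir/aes.iv" > "$dir/keyblob"          # 98 bytes: fits in one RSA block
    openssl rsautl -encrypt -pubin -inkey "$dir/public.pem" -in "$dir/keyblob" -out "$dir/keyblob.enc" 2>/dev/null

    # Receiver: unwrap the key material with the private key, then decrypt the bulk data.
    openssl rsautl -decrypt -inkey "$dir/private.pem" -in "$dir/keyblob.enc" -out "$dir/keyblob.dec" 2>/dev/null
    k=$(sed -n 1p "$dir/keyblob.dec"); iv=$(sed -n 2p "$dir/keyblob.dec")
    openssl enc -d -aes-256-cbc -K "$k" -iv "$iv" -in "$dir/data.enc" -out "$dir/plain.dec"

    if cmp -s "$dir/plain.bin" "$dir/plain.dec"; then match="match"; else match="mismatch"; fi
    rm -rf "$dir"
    echo "direct:$direct hybrid:$match"
}

hybrid_roundtrip   # prints "direct:fails hybrid:match"
```

On OpenSSL 3.x rsautl still works but is deprecated; pkeyutl accepts the same -encrypt/-decrypt/-inkey/-pubin options.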

1 Comment.

  1. Hey Paul; bet you never figured your old Uncle Dan would land on your blog… then again, you probably didn’t know I now have a blog myself (whatworksforbusiness.com). Uses WordPress; self-hosted. The right column widgets on mine are boring and I’m trying to figure out how to make it look better. BTW, we launched a new homepage yesterday at Business.com; check it out.
