RSA Encryption and Signing

Paul Kehrer — Sun, 22 Mar 2009 04:02:51 +0000

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or RC4, et cetera) key to do symmetric encryption thereafter.¹

Generate a private key. You can change the last number to the preferred modulus size. Keys greater than 4096-bit will take a long time to generate.²

openssl genrsa -out private.pem 4096

With the private key we can now encrypt the data.

openssl rsautl -encrypt -inkey private.pem -in publicfile -out privatefile

To decrypt just reverse it.

openssl rsautl -decrypt -inkey private.pem -in privatefile -out publicfile

If you would rather sign the data…

openssl rsautl -sign -inkey private.pem -in filetosign -out signed_data

To verify the signature just use -verify.³

openssl rsautl -verify -inkey private.pem -in signed_data

Another big reason is speed. AES is much, much faster than RSA. ↩
If you attempt to encrypt or sign data larger than your key length allows, you will receive an error similar to this: 23465:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151: ↩
You can also use -hexdump or -raw to view the data in those forms. ↩

langui.sh » rsa

RSA Encryption and Signing