RSA Encryption and Signing
OpenSSL provides several tools that let you RSA encrypt or sign arbitrary data files. Directly RSA encrypting large volumes of data is impractical, though, because a single RSA operation can only handle a message smaller than the modulus: with the PKCS#1 v1.5 padding that rsautl uses by default, at most the key size in bytes minus 11 (501 bytes for a 4096-bit key). This is one of the reasons why SSL/TLS connections use the handshake to agree on a symmetric key (AES today; RC4 is long deprecated) and encrypt the bulk traffic with that key thereafter.1
Generate a private key. You can change the last number to the preferred modulus size: 2048 bits is the minimum you should use today, and keys larger than 4096 bits will take a long time to generate.2
openssl genrsa -out private.pem 4096
Encrypt the data. Encryption uses the public key; passing private.pem here works only because a PEM private key file also contains the public components, so in practice the sender would use the recipient's public key (exported with openssl rsa -pubout and passed with -pubin). Add -oaep so that OAEP padding is used instead of the PKCS#1 v1.5 default, which is exposed to padding-oracle (Bleichenbacher) attacks whenever an attacker can submit ciphertexts for decryption. Note that rsautl is deprecated since OpenSSL 3.0 in favour of pkeyutl, which accepts the same operations with slightly different flags.
openssl rsautl -encrypt -oaep -inkey private.pem -in plaintext -out ciphertext
To decrypt just reverse it, with the same padding option. Decryption is the one step that genuinely needs the private key.
openssl rsautl -decrypt -oaep -inkey private.pem -in ciphertext -out plaintext
If you would rather sign the data… Be aware that rsautl -sign applies PKCS#1 padding to the input bytes as they are, with no hashing, so the input is subject to the same size limit as encryption and this is not how files are normally signed. To sign a file of any size, hash it first and sign the digest, which openssl dgst -sha256 -sign does in one step.
openssl rsautl -sign -inkey private.pem -in filetosign -out signed_data
To verify the signature just use -verify. As with encryption, only the public components of the key are used, so a verifier would normally pass the signer's public key with -pubin rather than the private key. rsautl -verify does not print a verdict; it recovers the signed bytes from signed_data, which you then compare with the original.3
openssl rsautl -verify -inkey private.pem -in signed_data
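The following script is an added example, not code from the original post: it runs the whole workflow above with the corrections a practitioner wants (public key for encrypt and verify, OAEP padding, hash-then-sign via dgst, pkeyutl instead of the deprecated rsautl) and also implements the hybrid scheme the introduction mentions, wrapping a random AES-256 key with RSA so that a file of any size can be encrypted. It also shows the "data too large" failure mode from footnote 2 and that a tampered ciphertext fails signature verification. It assumes an OpenSSL with pkeyutl OAEP options (1.0.2 or later); the 2048-bit key size, file names and sample data are choices made for this demo.

```shell
#!/bin/sh
# Added example, not from the original post. Everything runs in a scratch
# directory that is removed on exit; file names and sizes are demo choices.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup() {
    # 2048 bits keeps the demo quick; 4096 as in the post works the same way.
    openssl genrsa -out private.pem 2048 2>/dev/null
    chmod 600 private.pem
    # The public half is what encryptors and verifiers get; private.pem never leaves.
    openssl rsa -in private.pem -pubout -out public.pem 2>/dev/null
    printf 'short secret' > secret.txt          # fits in one RSA block
    openssl rand -out big.bin 4096              # too large for direct RSA
}

# Direct RSA for a small payload: PUBLIC key in, OAEP padding. The decryptor
# must pass the same padding options or decryption fails.
direct_rsa_roundtrip() {
    openssl pkeyutl -encrypt -pubin -inkey public.pem -in secret.txt -out secret.enc \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl pkeyutl -decrypt -inkey private.pem -in secret.enc -out secret.dec \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    cmp -s secret.txt secret.dec
}

# The limit from footnote 2: with a 2048-bit modulus and OAEP/SHA-256 the
# plaintext may be at most 256 - 2*32 - 2 = 190 bytes; 4096 bytes is refused.
oversized_rejected() {
    if openssl pkeyutl -encrypt -pubin -inkey public.pem -in big.bin -out /dev/null \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null; then
        return 1
    fi
}

# Hybrid encryption for the large file: fresh AES-256 key and IV, AES-CBC over
# the data, RSA-OAEP over the key only. 'openssl enc' has no AEAD mode, so the
# sender signs the ciphertext (hash-then-sign via dgst) and the recipient
# verifies with the public key BEFORE unwrapping the key and decrypting.
hybrid_roundtrip() {
    AES_KEY=$(openssl rand -hex 32)
    AES_IV=$(openssl rand -hex 16)              # not secret; sent alongside
    openssl enc -aes-256-cbc -K "$AES_KEY" -iv "$AES_IV" -in big.bin -out big.enc
    printf '%s' "$AES_KEY" > aes.key
    openssl pkeyutl -encrypt -pubin -inkey public.pem -in aes.key -out aes.key.enc \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    rm -f aes.key
    openssl dgst -sha256 -sign private.pem -out big.enc.sig big.enc

    # --- recipient side ---
    openssl dgst -sha256 -verify public.pem -signature big.enc.sig big.enc >/dev/null
    openssl pkeyutl -decrypt -inkey private.pem -in aes.key.enc -out aes.key.dec \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -d -aes-256-cbc -K "$(cat aes.key.dec)" -iv "$AES_IV" \
        -in big.enc -out big.dec
    cmp -s big.bin big.dec
}

# Any change to the ciphertext (here: one appended byte) must make
# verification fail, which dgst reports with exit status 1.
tampered_rejected() {
    { cat big.enc; printf 'X'; } > tampered.enc
    if openssl dgst -sha256 -verify public.pem -signature big.enc.sig tampered.enc \
            >/dev/null 2>&1; then
        return 1
    fi
}

setup
direct_rsa_roundtrip;  echo "direct RSA round trip: ok"
oversized_rejected;    echo "oversized input rejected: ok"
hybrid_roundtrip;      echo "hybrid round trip: ok"
tampered_rejected;     echo "tampered ciphertext rejected: ok"
```

Run it as a plain sh script; every step is fatal under set -e, so the four "ok" lines only appear when the whole chain works. The RSA ciphertexts are always exactly the modulus size (256 bytes for a 2048-bit key), while the AES ciphertext grows by one padding block, which is why RSA is reserved for the key and AES carries the data.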
-
Another big reason is speed. AES is much, much faster than RSA. ↩
-
If you attempt to encrypt or sign data larger than your key allows (the key size in bytes minus the padding overhead), you will receive an error similar to this: 23465:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151: ↩
-
You can pass -hexdump to print the recovered data as a hex dump. -raw, by contrast, is not a display option: it performs the RSA operation with no padding at all, which is insecure for real data and only useful for debugging. ↩