Difference between revisions of "SSH encrypt and decrypt"

From ATI public wiki
Jump to: navigation, search
(How)
Line 90: Line 90:
 
linux:/home/user> cat message.enc | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa > message.txt
 
linux:/home/user> cat message.enc | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa > message.txt
 
</pre>
 
</pre>
 +
 +
== Notes ==
 +
 +
=== Message size ===
 +
 +
This encryption / decryption method is suitable only for small messages, messages whose bitlength is smaller than used RSA key length.
 +
 +
If You want to encrypt longer messages or some big file(s) then the above method can be used for passing on encrypted passwords that are used for file encryption/decryption.
 +
 +
One should use CBC (Cipher Block Chaining) continuous block cipher like AES256 for big file encryption / decryption. <code>openssl</code> utility is able to do that too.

Revision as of 19:21, 19 November 2019

Tutorial on how to encrypt and decrypt small messages using Secure Shell keys

Why?

For example,
when you have to send someone a password and sending it over internet in plaintext is out of the question.

How

The keys

Everyone who uses Secure Shell (SSH) has an easy access to accompanying Secure Shell keys. When You do not have them, then You generate them.

All it takes is Linux, MacOS command line or Cygwin shell in Windows. A minute or two of Your time and few sips of tea. Done.


One can make simple passwordless RSA key-pair with ssh-keygen utility like this:

linux:/home/user> ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:seDs6vDo55WegAZnG/mr8S+sgz2kvJFCc1wAGsHyB2c user@linux
The key's randomart image is:
+---[RSA 4096]----+
|+o..             |
|oo. E            |
|o. + .. .        |
|  o.oo . o       |
|.o=+  o S        |
|.+== . .         |
|oB*.o +          |
|+o=*+* .         |
| o*OBo+          |
+----[SHA256]-----+

The process above creates 2 files id_rsa id_rsa.pub and places them into subfolder .ssh relative to your home directory.

To encrypt

Now You have Your pair of keys, the public one id_rsa.pub to encrypt and the private one id_rsa to decrypt.

Create the message

Take Your favorite text editor and create short text file message.txt with some content like:

This is very serious short message.
That will be encrypted.
And decrypted.

Prepare Your public key for encryption

One drawback or discouraging step for encryption is that Your public key is not usable as is.

To be usable with openssl utility it has to be in PKCS8 format.

Public key can be converted to PKCS8 format with ssh-keygen utility like this:

linux:/home/user> ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 > id_rsa_pub.pkcs8

Encrypt the message

Now You can encrypt Your super secret message with converted public key like this:

linux:/home/user> cat message.txt | openssl rsautl -encrypt -pubin -inkey id_rsa_pub.pkcs8 > message.enc

In above example we send the contents of message.txt file to openssl utility that uses converted public key id_rsa_pub.pkcs8 and then we store the output in file message.enc

To decrypt

To decrypt the encrypted message file message.enc we use openssl utility like this:

linux:/home/user> cat message.enc | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa
This is very serious short message.
That will be encrypted.
And decrypted.

In above example the contents of decrypted message are show in startard output.

To save decrypted contents one can modify the command like this:

linux:/home/user> cat message.enc | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa > message.txt

Notes

Message size

This encryption / decryption method is suitable only for small messages, messages whose bitlength is smaller than used RSA key length.

If You want to encrypt longer messages or some big file(s) then the above method can be used for passing on encrypted passwords that are used for file encryption/decryption.

One should use CBC (Cipher Block Chaining) continuous block cipher like AES256 for big file encryption / decryption. openssl utility is able to do that too.