openssl enc -aes-256-cbc -md md5 -in $1 -out $1.txt
openssl enc -d -aes-256-cbc -md md5 -in $1.txt -out $1
- OpenSSL 1.1.0 implicitly uses
- OpenSSL 1.1.1 implicitly uses
Sometimes you want to asymmetrically protect an encryption without having to create a new key-pair. With a little finesse you can use an existing SSH key-pair to accomplish this.
I've found that one use case for this is for storage of a
.env file that
you want to be able to use to start a service. We want to keep the file
stored securely but in a manner where you will not be able to decrypt without
knowing a password (i.e. the SSH private key passphrase). Additionally, the
actual SSH private key could be thought of as the thing you have. Bam!, now
you have 2 factor authentication to unlock the
aes256 using an SSH public key:
openssl rand 32 | \
tee >(openssl rsautl -encrypt -oaep -pubin -inkey <(ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8) -out secret.key | \
openssl enc -aes-256-cbc -base64 -in data.txt -out data.txt.enc -pass stdin
aes256 using SSH private key:
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in secret.key | \
openssl enc -d -aes-256-cbc -base64 -in data.txt.enc -out data.txt.dec -pass stdin
Given an encrypted file (as encrypted above) that can be sourced into your
shell environment, you can grab the file from a remote source, decrypt, and
.env into your environment with the following one-liner:
(ssh -T -q [email protected] cat /path/to/key) | \
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa | \
openssl enc -d -aes-256-cbc -base64 -in data.txt.enc -pass stdin | \
(eval `cat`;exec ./printsecret ANOTHER)
exec ./printsecret ANOTHER with the service command you want to run with the new environment.
Create a CA certificate chain for client certificate verification:
cat root.cert.pem intermediate.cert.pem > cachain.cert.pem
Note: Include all applicable intermediate certificates in the concatenation.
Verify the client certificate matches the CA certificate chain:
openssl verify -verbose -CAfile cachain.cert.pem client.cert.pem
Create a PKCS12 file:
openssl pkcs12 -export -out client_certs.p12 -inkey client.key.pem \
-in client.cert.pem -certfile cachain.cert.pem -name "Friendly Name"
Note: Set Friendly Name to easily locate the loaded certificate in GUI listings.
Setup A Certificate Authority
OpenSSL is a toolbox that has what you need to setup your own CA. The issue is that it has a number of configuration file and database file setups to accomplish correctly. This are non-portable configurations that are fragile and not intended for production. It is recommended to use another more complete CA system that comes with a well defined flow of operations (in contrast to a lose set of tools). Something that also includes ACME support is a major benefit. If you insist on using OpenSSL for CA setup, simply refer to OpenSSL Certificate Authority.