OpenSSL Overview
Symmetric Cryptography
Encrypt:
openssl enc -aes-256-cbc -md md5 -in $1 -out $1.txt
Decrypt:
openssl enc -d -aes-256-cbc -md md5 -in $1.txt -out $1
Notes:
- OpenSSL 1.1.0 implicitly uses
-md md5
- OpenSSL 1.1.1 implicitly uses
-md sha256
SSH Cryptography
Sometimes you want to asymmetrically protect an encryption without having to create a new key-pair. With a little finesse you can use an existing SSH key-pair to accomplish this.
I've found that one use case for this is for storage of a .env
file that
you want to be able to use to start a service. We want to keep the file
stored securely but in a manner where you will not be able to decrypt without
knowing a password (i.e. the SSH private key passphrase). Additionally, the
actual SSH private key could be thought of as the thing you have. Bam!, now
you have 2 factor authentication to unlock the .env
.
Encrypt data.txt
to data.txt.enc
with aes256
using an SSH public key:
openssl rand 32 | \
tee >(openssl rsautl -encrypt -oaep -pubin -inkey <(ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PKCS8) -out secret.key | \
openssl enc -aes-256-cbc -base64 -in data.txt -out data.txt.enc -pass stdin
Decrypt data.txt.enc
to data.txt.dec
with aes256
using SSH private key:
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa -in secret.key | \
openssl enc -d -aes-256-cbc -base64 -in data.txt.enc -out data.txt.dec -pass stdin
Given an encrypted file (as encrypted above) that can be sourced into your
shell environment, you can grab the file from a remote source, decrypt, and
load the .env
into your environment with the following one-liner:
(ssh -T -q [email protected] cat /path/to/key) | \
openssl rsautl -decrypt -oaep -inkey ~/.ssh/id_rsa | \
openssl enc -d -aes-256-cbc -base64 -in data.txt.enc -pass stdin | \
(eval `cat`;exec ./printsecret ANOTHER)
Note: Replace exec ./printsecret ANOTHER
with the service command you want to run with the new environment.
Certificate Utilities
Create a CA certificate chain for client certificate verification:
cat root.cert.pem intermediate.cert.pem > cachain.cert.pem
Note: Include all applicable intermediate certificates in the concatenation.
Verify the client certificate matches the CA certificate chain:
openssl verify -verbose -CAfile cachain.cert.pem client.cert.pem
PKCS12 / .p12
/ .pfx
Create a PKCS12 file:
openssl pkcs12 -export -out client_certs.p12 -inkey client.key.pem \
-in client.cert.pem -certfile cachain.cert.pem -name "Friendly Name"
Note: Set Friendly Name to easily locate the loaded certificate in GUI listings.
Setup A Certificate Authority
OpenSSL is a toolbox that has what you need to setup your own CA. The issue is that it has a number of configuration file and database file setups to accomplish correctly. This are non-portable configurations that are fragile and not intended for production. It is recommended to use another more complete CA system that comes with a well defined flow of operations (in contrast to a lose set of tools). Something that also includes ACME support is a major benefit. If you insist on using OpenSSL for CA setup, simply refer to OpenSSL Certificate Authority.