How can I encrypt a large file with a public key so that no one other than the holder of the private key is able to decrypt it? I don't want to use GPG!
How to encrypt a large file with OpenSSL using RSA keys
Tags: encryption, openssl
Related Solutions
In the openssl manual (openssl man page), search for RSA, and you'll see that the command for RSA encryption is rsautl. Then read the rsautl man page to see its syntax.
echo 'Hi Alice! Please bring malacpörkölt for dinner!' |
openssl rsautl -encrypt -pubin -inkey alice.pub >message.encrypted
The default padding scheme is the original PKCS#1 v1.5 (still used in many protocols); openssl also supports OAEP (now recommended) and raw encryption (only useful in special circumstances).
Note that using openssl directly is mostly an exercise. In practice, you'd use a tool such as gpg (which uses RSA, but not directly to encrypt the message).
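The rsautl command above can only encrypt a message shorter than the RSA modulus (a few hundred bytes at most), so a large file has to be encrypted under a fresh symmetric key and only that key wrapped with RSA. The following script is an added example, not code from any answer on this page, showing that hybrid scheme with stock openssl(1): AES-256-CBC for the file, an HMAC-SHA256 over the ciphertext because openssl enc has no authenticated mode, and RSA-OAEP/SHA-256 via pkeyutl for the key material. It assumes OpenSSL 1.1.0 or newer (for the pkeyutl OAEP options); the names alice.pem, alice.pub and bigfile are illustrative, and the demo input is constructed from /dev/urandom.

```shell
#!/bin/sh
# Hybrid RSA + AES file encryption with stock openssl(1).
# Added example; assumes OpenSSL >= 1.1.0. File and key names are illustrative.
set -eu

# Encrypt FILE for the holder of the private key matching PUBKEY.
# Writes FILE.enc (AES-256-CBC ciphertext), FILE.mac (HMAC-SHA256 of the
# ciphertext) and FILE.key (hex AES key, IV and HMAC key, wrapped with RSA-OAEP).
hybrid_encrypt() {
    file=$1; pubkey=$2
    # Fresh per-file keys. openssl enc has no AEAD mode, so a separate HMAC key
    # supplies the integrity check that CBC alone does not.
    enc_key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    mac_key=$(openssl rand -hex 32)
    openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$file" -out "$file.enc"
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" "$file.enc" |
        awk '{print $NF}' > "$file.mac"
    # Only ~100 bytes of key material go through RSA; the file itself never does.
    printf '%s\n%s\n%s\n' "$enc_key" "$iv" "$mac_key" |
        openssl pkeyutl -encrypt -pubin -inkey "$pubkey" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
            -out "$file.key"
}

# Reverse of hybrid_encrypt: unwrap the keys with PRIVKEY, verify the MAC
# before touching the ciphertext, then decrypt FILE.enc to OUT.
hybrid_decrypt() {
    file=$1; privkey=$2; out=$3
    keys=$(openssl pkeyutl -decrypt -inkey "$privkey" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
            -in "$file.key")
    enc_key=$(printf '%s\n' "$keys" | sed -n 1p)
    iv=$(printf '%s\n' "$keys" | sed -n 2p)
    mac_key=$(printf '%s\n' "$keys" | sed -n 3p)
    expected=$(cat "$file.mac")
    actual=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" "$file.enc" |
        awk '{print $NF}')
    if [ "$expected" != "$actual" ]; then
        echo "MAC mismatch: ciphertext was modified, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$file.enc" -out "$out"
}

# Round trip on constructed data in a temp dir, then a tampering check.
# Runs in a subshell so the cd does not leak. Prints "ok" on success.
demo() (
    d=$(mktemp -d); cd "$d"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out alice.pem 2>/dev/null
    openssl pkey -in alice.pem -pubout -out alice.pub
    head -c 3000000 /dev/urandom > bigfile   # constructed 3 MB input, far beyond one RSA block
    hybrid_encrypt bigfile alice.pub
    hybrid_decrypt bigfile alice.pem bigfile.dec
    cmp -s bigfile bigfile.dec || { echo "round trip failed"; return 1; }
    # Append a byte to the ciphertext: the MAC check must reject it before decryption.
    printf 'x' >> bigfile.enc
    if hybrid_decrypt bigfile alice.pem bigfile.dec2 2>/dev/null; then
        echo "tampering not detected"; return 1
    fi
    echo ok
)
```

Ship FILE.enc, FILE.key and FILE.mac together; only the holder of alice.pem can unwrap the keys. Checking the MAC first means a modified ciphertext is rejected outright instead of being decrypted into garbage, but it does not prove who produced the bundle: for sender authentication you would still sign it, as the gpg answer below describes. Running demo prints ok.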
It makes no sense to encrypt a file with a private key.
Using a private key to attach a tag to a file that guarantees that the file was provided by the holder of the private key is called signing, and the tag is called a signature.
There is one popular cryptosystem (textbook RSA) where a simplified (insecure) algorithm has public and private keys of the same type, and decryption is identical to signature and encryption is identical to verification. This is not the case in general: even RSA uses different mechanisms for decryption and signature (resp. encryption and verification) with proper, secure padding modes; and many other algorithms have private and public keys that aren't even the same kind of mathematical objects.
So you want to sign the file. The de facto standard tool for this is GnuPG.
To sign a file with your secret key:
gpg -s /path/to/file
Use the --local-user option to select a secret key if you have several (e.g. your app key vs your personal key).
Transfer file.gpg to the place where you want to use the file. Transfer the public key as well (presumably inside the application bundle). To extract the original text and verify the signature, run
gpg file.gpg
If it's more convenient, you can transfer file itself, and produce a separate signature file which is called a detached signature. To produce the detached signature:
gpg -b /path/to/file
To verify:
gpg --verify file.sig file
You can additionally encrypt the file with the -e option. Of course this means that you need a separate key pair, where the recipient (specified with the -r option) has the private key and the producer has the public key.
Best Answer
This could be used to encrypt a file mypic.png, given you already have a private/public keypair in ccbild-key.pem / ccbild-crt.pem. (You can find a guide to creating a keypair in this answer.) Note that the settings may not reflect best practice in selection of crypto standard (in particular if you read this in the future); also it might not be a good choice performance-wise. (We only use it for sub-1M files in our application.)