Encrypt tar file asymmetrically

2

1

I want to achieve something like

tar -c directory | openssl foo > encrypted_tarfile.dat

I need the openssl tool to use public key encryption.

I found an earlier question about symmetric encryption at the command promt (sic!), which does not suffice. I did take a look in the openssl(1) man page and only found symmetric encryption. Does openssl really not support asymmetric encryption?

Basically many users are supposed to create their encrypted tar files and store them in a central location, but only few are allowed to read them.

DerMike

Posted 2011-02-22T15:10:13.327

Reputation: 779

Answers

3

OpenSSL's asymmetric encryption routines lie under the rsautl subcommand. (In recent versions of OpenSSL, this has been superseded by the pkeyutl command, but the arguments seem to be the same.)

Encrypt a tar file using someone's public key:

openssl rsautl -encrypt -inkey Bob.pub -pubin -in foo.tar -out foo.tar.enc

They can then decrypt the tar file using their private key:

openssl rsautl -decrypt -inkey Bob -in foo.tar.enc -out foo.tar

Do note that SSH and SSL use different key formats, so if you want to use an SSH key for the encryption/decryption, you can't just use ~/.ssh/id_rsa.pub as-is.

Jeremy W. Sherman

Posted 2011-02-22T15:10:13.327

Reputation: 606

A different method must be used with large files. – John McGehee – 2020-02-12T20:20:11.553

2

Use gpg --encrypt.

With "-r" you can pass the user ID.

See

man gpg

rems

Posted 2011-02-22T15:10:13.327

Reputation: 1 850

It appears DerMike is asking for how to do this via openssl, though? – Jeremy W. Sherman – 2013-12-11T15:27:02.543

1

In case you don't want to set up gpg infrastructure and just want to encrypt a file using a public/private key pair, the following tool could be of use: https://github.com/galets/AsymmetricCrypt . You will need mono on Linux to run it.

disclaimer: I wrote it

galets

Posted 2011-02-22T15:10:13.327

Reputation: 401

1

Here are 2 examples from man openssl:

Send encrypted mail using triple DES:

    openssl smime -encrypt -in in.txt -from steve@openssl.org \
        -to someone@somewhere -subject "Encrypted message" \
        -des3 user.pem -out mail.msg

Sign and encrypt mail:

    openssl smime -sign -in ml.txt -signer my.pem -text \
        | openssl smime -encrypt -out mail.msg \
        -from steve@openssl.org -to someone@somewhere \
        -subject "Signed and Encrypted message" -des3 user.pem

Some confusion comes from the fact that s/mime and des3 are mentioned. But in fact the following happens in the examples above:

  • A fresh random symmetric key is generated
  • The file is encrypted using the symmetric key
  • The symmetric key is encrypted using an asymmetric algorithm with a public key stored in user.pem
  • The encrypted symmetric key, the encrypted file and metadata are put into a standard container

The end result is that the in.txt file is encrypted into the mail.msg file, so only the user holding the private key matching the user.pem public key can decrypt it.

nponeccop

Posted 2011-02-22T15:10:13.327

Reputation: 209
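The four steps listed in the answer above can be done by hand with plain openssl for the tar case in the question, which also avoids the file-size limit of rsautl/pkeyutl noted in the comment on the first answer. This is an added example, not code from any answer; it assumes OpenSSL 1.1.0 or newer (for the pkeyutl OAEP options) and a recipient key pair bob.pem/bob.pub generated as shown in the header comment.

```shell
#!/bin/sh
# Hybrid (asymmetric + symmetric) encryption of a directory tarball with OpenSSL.
# Added example, not code from the thread. Assumes OpenSSL >= 1.1.0 for the
# pkeyutl OAEP options, and a recipient key pair made with:
#   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out bob.pem
#   openssl pkey -in bob.pem -pubout -out bob.pub
set -eu

# hybrid_encrypt DIR PUBKEY OUT
#   OUT      : tar of DIR encrypted with a fresh random AES-256-CBC key
#   OUT.key  : that key and IV, wrapped with the recipient's RSA public key (OAEP)
hybrid_encrypt() {
    dir=$1; pub=$2; out=$3
    key=$(openssl rand -hex 32)   # 256-bit content key, hex as expected by enc -K
    iv=$(openssl rand -hex 16)    # 128-bit IV, hex as expected by enc -iv
    # Only the short "key:iv" string goes through RSA, so the archive size is unlimited.
    printf '%s:%s' "$key" "$iv" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$out.key"
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" \
        | openssl enc -aes-256-cbc -K "$key" -iv "$iv" -out "$out"
    # Caveat: enc provides confidentiality only, no integrity. If other writers to the
    # central location are untrusted, sign OUT and OUT.key (e.g. openssl dgst -sign).
}

# hybrid_decrypt PRIVKEY IN DESTDIR : reverse of the above, extracting into DESTDIR
hybrid_decrypt() {
    priv=$1; in=$2; dest=$3
    kiv=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$in.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
    key=${kiv%%:*}; iv=${kiv#*:}
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$in" | tar -C "$dest" -xf -
}

# Usage: hybrid_encrypt ./directory bob.pub encrypted_tarfile.dat
#        hybrid_decrypt bob.pem encrypted_tarfile.dat ./restored
```

Many users only need bob.pub to write archives; only holders of bob.pem can read them, which matches the setup described in the question.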