This topic has been explained on many sites on the web. I am neither a cryptography expert nor do I like this kind of things, but the need for it is increasing. Imagine you want to send someone your bank account ID. Would you do this on communication tools like Slack, Hangout, Skype, ... or by e-mail? For sure not, these mediums are not secure. But if you protect your communication, you can use any of them!
This method relies on the fact that you never give away your private key to anyone. Persons that want to send you an encrypted message need a public key generated from your private key. Send a public key to them, you can use any medium that allows file attachments. Decrypt the messages they send to you with your private key.
If you want to send an encrypted message to someone, you need the public key of this person (not its private!). The public key of your partner is for your encryption, your own private key is for decryption of your partner's messages. Never use your own public key for anything else than sending it to communication partners.
It is not possible to find out a private key from one of its public keys. This makes it impossible for anyone else to decrypt the messages sent to you, encrypted by one of your public keys. Not even the sender will be able to decrypt it. That's the reason why it is called "asymmetric" cryptography.
Create a directory on your machine where you keep your private key. Then open a command terminal window and change into that directory. Being there, enter following command:
openssl genrsa -out rsa_private.pem 2048
This command creates a file rsa_private.pem that contains an unencrypted private RSA key. You won't need a password when using this key. PEM is a format that uses just ASCII characters ("Privacy Enhanced Mail").
Alternatively:
openssl genrsa -des3 -out rsa_private.pem 2048
This creates a private key encrypted with DES3 cipher. On creation of this key you will be asked for a password. Any time you use the key in file rsa_private.pem, openssl will ask you interactively for this password. Good privacy, but you must remember the password.
It is recommendable to save your private key to a (password-protected) USB stick, in case your machine crashes and you still need the key for decrypting messages sent to you.
You can generate new public keys at any time from your private key (that you may generate just once).
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
The public key will be in file rsa_public.pem after.
Mind that only short texts up to 245 bytes can be encrypted with a public key like generated here. Put some lines of text into file cleartext.txt, and then run this command:
openssl rsautl -encrypt -inkey rsa_public.pem -pubin -in cleartext.txt -out encryptedtext.bin
cleartext.txt will have been written encrypted to file encryptedtext.bin. Mind that this file does not contain readable ASCII characters.
You received a (short) encrypted file encryptedtext.bin.
openssl rsautl -decrypt -inkey rsa_private.pem -in encryptedtext.bin -out decrypted.txt
# diff decrypted.txt cleartext.txt || echo "THIS WENT WRONG!"
Having done this, decryptedtext.txt will contain what was in cleartext.txt on the sender side.
For trying out this, put some more text into file cleartext.txt.
Because we can encrypt just short texts up to 245 bytes with our public key, we need another technique for longer files. We will encrypt the file with AES algorithm and a randomly generated key. This key is called "symmetric" key, because your communication partner will need it also for decryption. But you can send it along with the data, it will be encrypted using the public key of the receiver.
openssl rand -base64 32 >randomkey.txt
A new unencrypted symmetric key now resides in file randomkey.txt.
openssl rsautl -encrypt -inkey rsa_public.pem -pubin -in randomkey.txt -out randomkey_encrypted.bin
Do this with the public key of your communication partner. File randomkey_encrypted.bin is now the encrypted symmetric key, ready to be sent along with the data.
openssl enc -aes-256-cbc -salt -in cleartext.txt -out encryptedtext.bin -pass file:./randomkey.txt
The text that you want to send must be encrypted using the unencrypted symmetric key. Your data in encryptedtext.bin is now encrypted and ready to be sent, along with the encrypted symmetric key.
What to send now:
encryptedtext.binrandomkey_encrypted.binYou received two files. One must be identifiable as the encrypted symmetric key, the other holds the data to be decrypted. Lets say they were:
encryptedtext.binrandomkey_encrypted.bin
openssl rsautl -decrypt -inkey rsa_private.pem -in randomkey_encrypted.bin -out randomkey.txt
The decrypted symmetric random key is now in file randomkey.txt.
openssl enc -d -aes-256-cbc -in encryptedtext.bin -out decrypted.txt -pass file:./randomkey.txt
That's it, the decrypted data is now in decrypted.txt.
Definitely too cryptic to keep in mind all these parameters:-) Keep it in a Blog.
Latest achievement in cryptography is ECDSA ("Elliptic Curve DSA"). OpenSSL already supports it.
Use secure messengers like Signal, Wire, or Threema.
ɔ⃝ Fritz Ritzberger, 2018-04-25