In this tutorial we will go over how to encrypt a file so that the ciphertext can sit in shared or public storage without exposing its contents. Suppose you are running an application on a cloud platform, taking a daily backup of your SQL database, and you want to keep those dumps in storage somewhere in the cloud environment. Encrypting each dump to an X.509 certificate fits well here: the certificate (the public half) can live on the backup host, while only the private key, kept somewhere else, can decrypt. Be clear about what this gives you: confidentiality only. The certificate is public, so anyone with write access to the storage could drop in their own envelope encrypted to it; if you also need to detect tampering or substitution, sign the backup as well (for example with openssl smime -sign) and verify the signature before restoring.
To get started, I am using a Linux operating system with OpenSSL installed. The commands below run unchanged on OpenSSL 1.1 and OpenSSL 3; only the progress output printed during key generation looks slightly different.
Generating private and public certificate files
The below command will create 2 files on your Linux file system:
example.priv.pem – This is your private key. You must store this somewhere secure; anyone holding it (and its passphrase) can decrypt every backup.
example.pub.pem – Despite the name, this is a self-signed X.509 certificate that contains the public key. That is what we will use to encrypt files with: openssl smime -encrypt takes recipient certificates, not bare public key files.
NOTE: The below command will create a private key protected by a passphrase. I highly encourage using a passphrase to keep your private key secure. If you do not wish to use one, add -nodes (or -noenc, its newer spelling in OpenSSL 3) to the command, and it will write the private key unencrypted. Two more options are worth knowing: -subj "/CN=backups" skips the interactive Distinguished Name prompts, and -days N sets the certificate's validity period (the default is only 30 days). openssl smime -encrypt does not check the validity dates itself, but other tooling that reads the certificate may, so give it a sensible lifetime as the second example further down does.
openssl req -x509 -newkey rsa:4096 -keyout example.priv.pem -out example.pub.pem
Interactive view
Generating a 4096 bit RSA private key
.......................................................................................................................................................................................++
.......................................................................................++
writing new private key to 'example.priv.pem'
Enter PEM pass phrase: <YOUR SECRET PASSWORD>
Verifying - Enter PEM pass phrase: <YOUR SECRET PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example
Email Address []:JohnSmith@example.com
Encrypt file
In the below example, I will encrypt a database.sql file. You can encrypt any file you desire: text, pdf, logs, etc. A few words on the flags: -binary tells OpenSSL to treat the input as raw bytes rather than S/MIME text; without it every LF line ending is rewritten as CRLF before encryption, so the restored dump would not be byte-identical to the original. -aes256 selects AES-256-CBC for the content, and the AES key is in turn encrypted to the RSA public key in the certificate (a PKCS#7 EnvelopedData structure). -outform DER writes the raw binary envelope instead of a base64 S/MIME message. -text is redundant once -binary is given, because the binary path never adds the text/plain MIME header; it does no harm here.
openssl smime -encrypt -binary -text -aes256 -in database.sql -out database.sql.enc -outform DER example.pub.pem
Now if you open database.sql.enc in a text editor, it is binary DER and should look something like the output shown below. Notice that the Distinguished Name you entered (Texas, Houston, Example, IT, JohnSmith@example.com) is readable inside it: the envelope records the recipient certificate's issuer name and serial number so the decrypting side can find the matching private key. The SQL itself is protected, but the file does reveal which certificate it was encrypted to.
0<82>^C ^F *<86>H<86>÷^M^A^G^C <82>^Bú0<82>^Bö^B^A^@1<82>^B±0<82>^B^B^A^@0<81><94>0<81><86>1^K0 ^F^CU^D^F^S^BUS1^N0^L^F^CU^D^H^L^ETexas1^P0^N^F^CU^D^G^L^GHouston1^P0^N^F^CU^D
^L^GExample1^K0 ^F^CU^D^K^L^BIT1^P0^N^F^CU^D^C^L^Gexample1$0"^F *<86>H<86>÷^M^A ^A^V^UJohnSmith@example.com^B ^@ñ<99>%<93>dÑñ40^M^F *<86>H<86>÷^M^A^A^A^E^@^D<82>^B^@^]<90>^\c1TÊUí»?<8b>b½Ü|P^X^F<87>nñfÅ" á^Mîma<9d>ô<94>½>³/Æ<82> >/s,[¸<8d>J<95>^Q<8b>[¯J^@WÜË{ü^Nú@½<99>5XJ^YA æË³Æ ÝN:÷ïìÒúÇe µ¹<99>^R^L^DX´<8a>^H2 Ùñ}Ú^E¥ç´Gë²Ô=JþÁ¾V^Q1Óq+Z£ñÔe´ä<95>^D|.¯Vq<93>Ó¸|û)i3<"^[Q¤\¿><98>ú<95>ö^\W^\^\í~)&<92>¡ÎrÈ<82>Æ·^?XäHs;'ý]<9b>Ü ¥¤<92>>\=¡5 <8a>ß9ßl<92>^T<8a>f"^A}=¸V^S^Qø=^YG÷WM@YØ|yxºÄ<95>\¢°Pbsn,nùãf¾>×Ó®¨ü4:RÁq<97>ÏKïÇ^X.]1^Z<8a>^R^KÜi<96><82>î^HòË%æ¸[eò7<89>,vùÎ8Áb'YõòÔCÝå<9e>hA7èn;ÑÚCê^@ìE÷<9a>¨8<81>Tn«4Ñ^\ª#^?ÁÍ^V^Bcj"£±tÙ<99>^Q^T<87>³§^V °¿z^V^Z^E<9d>%x|K<90>ël¼Á<8b>·»<96><9c>s¢<85>ÙvÚß<92>üs^G^XÚR«REÌ[3³û<9c>®9²´Zr¼^B<93>^P>(^Zü?^O<91>;RKÚ;«¡`,$+^C.C^NÇV1@^?¾^¡<87>^? IZè6MûyõÉð^B¦×{ó<9d>^Nb^^D^\¤¹Õý^LÒ^[^B9<96>á^^ÜæÍ<95>µb¿HỸC^D[<8b>^Q<9a>;6˹Ãä<8d>º<81>p-<9d>îÄIq^Y£^YÌÑ¿<99>^_'*3ìòèÿ0<^F *<86>H<86>÷^M^A^G^A0^]^F `<86>H^Ae^C^D^A*^D^P<9a><84>¥^Qn<84>Á<90><95>Ûjá^A÷íT<80>^P^GA^@4¤^Q#jÉO^X<94>ñõ<9d>§
Decrypt file
Below command will decrypt the previously encrypted file. In this example, we will decrypt database.sql.enc:
openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.priv.pem -out database-unencrypted.sql
The input format must match what was used when encrypting, so -inform DER here pairs with -outform DER above. You will be prompted for the passphrase after you execute the above command:
Enter pass phrase for example.priv.pem:
Once you enter the right passphrase, you should be able to read the database-unencrypted.sql file. For unattended restores, supply the passphrase with -passin env:VARIABLE or -passin file:/path/to/passphrase rather than -passin pass:..., which exposes it in the process list and shell history.
Using key and crt files to encrypt and decrypt files
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key
The above command generates the same kind of pair as before, just with conventional extensions: example.crt is a self-signed certificate and example.key is the private key, matching example.pub.pem and example.priv.pem above. The differences are -sha256 for the certificate signature and -days 3650 for a ten-year validity instead of the 30-day default. Now we can reference these files to encrypt and decrypt files.
Encrypting file
openssl smime -encrypt -binary -text -aes256 -in database.sql -out database.sql.enc -outform DER example.crt
Decrypting file
openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.key -out database-unencrypted.sql
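The workflow from both sections above, scripted end to end as an added example (this is not code from the original tutorial). The file names (backup.key, backup.crt, other.key, dump.sql and so on), the /CN=backup-demo subject and the SQL sample are constructed for the demo; the helpers wrap the same openssl req, openssl smime -encrypt and openssl smime -decrypt commands the tutorial uses, and add the checks a practitioner wants before relying on the setup: that the private key really matches the certificate, that a restored dump is byte-identical to the original while an unrelated key cannot recover it, what the DER envelope reveals without any key, and what goes wrong when -binary is left out.

```bash
#!/bin/sh
# Added example, not from the tutorial: the S/MIME encrypt/decrypt workflow above
# scripted end to end. File names, the certificate subject and the sample SQL are
# constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=""   # scratch directory created by setup_demo, removed on exit

# Self-signed certificate plus private key, like the tutorial's `openssl req -x509`
# but non-interactive: -subj skips the DN prompts, -nodes skips the passphrase.
# Keep the passphrase in real use; it is dropped only so this demo runs unattended.
make_keypair() {            # make_keypair <key-out> <cert-out>
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -subj "/CN=backup-demo" -keyout "$1" -out "$2" 2>/dev/null
}

# Sanity check before trusting a key/cert pair: both must carry the same RSA modulus.
key_matches_cert() {        # key_matches_cert <key> <cert>
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Encrypt to a certificate, as in the tutorial. -text is left out: with -binary
# OpenSSL copies the input verbatim and never adds the text/plain MIME header.
encrypt_to_cert() {         # encrypt_to_cert <cert> <plain> <enc>
    openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" -outform DER "$1"
}

decrypt_with_key() {        # decrypt_with_key <key> <enc> <plain-out>
    openssl smime -decrypt -binary -inform DER -inkey "$1" -in "$2" -out "$3"
}

# What the DER envelope reveals without any key: the content type and the two
# algorithm identifiers (the recipient's issuer DN and serial number are in there too).
envelope_summary() {        # envelope_summary <enc>
    openssl asn1parse -inform DER -in "$1" \
        | grep -oE 'pkcs7-envelopedData|rsaEncryption|aes-256-cbc' | sort -u | paste -sd ' ' -
}

# One-time setup: the backup owner's key pair, an unrelated key pair, and a
# constructed sample dump with LF line endings and one non-ASCII byte.
setup_demo() {
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_keypair "$WORK/backup.key" "$WORK/backup.crt"
    make_keypair "$WORK/other.key"  "$WORK/other.crt"
    printf 'CREATE TABLE users(id INT, name TEXT);\nINSERT INTO users VALUES (1, '\''J\303\274rgen'\'');\n' \
        > "$WORK/dump.sql"
}

# Encrypt, decrypt, compare. Prints "ok" when the restored dump is byte-identical
# to the original and the unrelated private key cannot recover it.
roundtrip_demo() {
    key_matches_cert "$WORK/backup.key" "$WORK/backup.crt" || { echo "key/cert mismatch"; return 1; }
    encrypt_to_cert "$WORK/backup.crt" "$WORK/dump.sql" "$WORK/dump.sql.enc"
    decrypt_with_key "$WORK/backup.key" "$WORK/dump.sql.enc" "$WORK/dump.dec.sql"
    cmp -s "$WORK/dump.sql" "$WORK/dump.dec.sql" || { echo "restored dump differs"; return 1; }
    if decrypt_with_key "$WORK/other.key" "$WORK/dump.sql.enc" "$WORK/dump.wrong.sql" 2>/dev/null \
        && cmp -s "$WORK/dump.sql" "$WORK/dump.wrong.sql"; then
        echo "wrong key recovered the plaintext"; return 1
    fi
    echo ok
}

# Why the tutorial passes -binary: without it OpenSSL canonicalises the input as
# S/MIME text and rewrites every LF as CRLF, so the restored dump is not the file
# that was backed up. Prints "crlf" when exactly that happened.
without_binary_demo() {
    openssl smime -encrypt -aes256 -in "$WORK/dump.sql" -out "$WORK/dump.text.enc" -outform DER "$WORK/backup.crt"
    decrypt_with_key "$WORK/backup.key" "$WORK/dump.text.enc" "$WORK/dump.text.sql"
    if ! cmp -s "$WORK/dump.sql" "$WORK/dump.text.sql" \
        && tr -d '\r' < "$WORK/dump.text.sql" | cmp -s - "$WORK/dump.sql"; then
        echo crlf
    else
        echo unchanged
    fi
}

setup_demo
echo "round trip:        $(roundtrip_demo)"
echo "envelope contains: $(envelope_summary "$WORK/dump.sql.enc")"
echo "without -binary:   $(without_binary_demo)"
```

The wrong-key check is written as "must not recover the plaintext" rather than "must exit non-zero" on purpose: depending on the OpenSSL version the RSA step either errors out or (with implicit rejection of bad PKCS#1 v1.5 padding) hands a random key to the AES step, and the script should pass in both cases as long as the real dump never comes back.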