In this tutorial we will go over how to encrypt a file so that it can be stored in public or shared storage without exposing its contents. Suppose you are running an application on a cloud platform, take a daily backup of your SQL dumps, and want to store them in block or object storage somewhere in that cloud environment. Encrypting each file to the public key in a certificate works well here: the backup host needs only the certificate, so no secret has to live on it, and only whoever holds the private key can read the backups.

To get started, I am using Linux with OpenSSL installed.

Generating the private key and certificate files

The command below will create 2 files on your Linux file system.
example.priv.pem - This is your private key. You must store this somewhere secure: anyone who has it (and its password) can decrypt your backups.
example.pub.pem - This is a self-signed X.509 certificate containing the matching public key. This is what we will use to encrypt files with, and it is safe to copy to the backup host.

NOTE: the command below will create a private key protected with a password. I highly encourage using a password to keep your private key secure. If you do not wish to use a password, add -nodes to the command and it will create the private key without one. Also note that openssl req -x509 issues a certificate valid for only 30 days by default; add -days (for example -days 3650) if you want a longer-lived certificate.

openssl req -x509 -newkey rsa:4096 -keyout example.priv.pem -out example.pub.pem

Interactive view

Generating a 4096 bit RSA private key
.......................................................................................................................................................................................++
.......................................................................................++
writing new private key to 'example.priv.pem'
Enter PEM pass phrase: <YOUR SECRET PASSWORD>
Verifying - Enter PEM pass phrase: <YOUR SECRET PASSWORD>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example
Email Address []:JohnSmith@example.com

Encrypt file

In the example below, I will encrypt a database.sql file. You can encrypt any file you desire: text, PDF, logs, etc. -binary stops OpenSSL from rewriting line endings, -aes256 selects AES-256-CBC for the file contents, and -outform DER writes the raw CMS structure rather than the base64 e-mail form. Do not add -text here: that option prepends MIME headers meant for S/MIME e-mail, and a plain -decrypt would leave them at the top of the restored file.

openssl smime -encrypt -binary -aes256 -in database.sql -out database.sql.enc -outform DER example.pub.pem

Your database.sql.enc file is now a binary DER-encoded CMS (PKCS#7) EnvelopedData structure, so opening it in an editor shows only binary noise. Inside it are the recipient certificate's issuer name and serial number (so the decrypting side can find the matching key), the AES content key encrypted with your RSA public key, and the AES-256-CBC encrypted payload. Nothing in it reveals the plaintext.

Decrypt file

The command below will decrypt the previously encrypted file. In this example, we will decrypt database.sql.enc

openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.priv.pem -out database-unencrypted.sql

You will be prompted for the password after you execute the above command.

Enter pass phrase for example.priv.pem:

Once you enter the right password, you should be able to read the database-unencrypted.sql file.

Keep in mind that this gives you confidentiality only. CMS EnvelopedData with AES-CBC carries no signature or MAC, so someone with write access to the storage could replace or corrupt a backup without the decrypt step reliably noticing. If that matters to you, sign the dump with openssl smime -sign before encrypting it, or publish a separate digest or signature of each backup, and test your restores regularly.

Using key and crt files to encrypt and decrypt files

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key

The above command will generate new .crt and .key files. They are the same kind of files as before (a self-signed certificate and a password-protected private key), just with more conventional extensions, a SHA-256 signature on the certificate and a 10-year validity. You will get the same passphrase and Distinguished Name prompts as earlier. Now we can reference these files to encrypt and decrypt files.

Encrypting file

openssl smime -encrypt -binary -aes256 -in database.sql -out database.sql.enc -outform DER example.crt

Decrypting file

openssl smime -decrypt -in database.sql.enc -binary -inform DER -inkey example.key -out database-unencrypted.sql
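The whole flow above as one runnable script. This is an added example, not part of the original tutorial: it wraps the same openssl req / openssl smime commands (the .pem and the .crt/.key variants are the same commands with different file names) into functions for an unattended backup job, reads the key passphrase from an environment variable instead of an interactive prompt, checks that the ciphertext parses as CMS EnvelopedData, and confirms that a restore reproduces the dump byte for byte while an unrelated key does not. The file names, the certificate CN, the BACKUP_KEY_PASS variable and the sample SQL dump are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the encrypt/decrypt flow
# wrapped as functions for an unattended backup job, plus a restore check.
# File names, the CN and BACKUP_KEY_PASS are this example's assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/example.key"
CRT="$WORK/example.crt"

# Passphrase for the private key. Passing it as `env:` keeps it off the
# command line (argv is visible in `ps`), unlike `-passin pass:secret`.
export BACKUP_KEY_PASS="${BACKUP_KEY_PASS:-correct horse battery staple}"

# One-time setup, run where the private key will live (NOT on the backup
# host). -subj skips the interactive DN prompts; -days 3650 overrides the
# 30-day default validity of `openssl req -x509`. The tutorial uses
# rsa:4096; 2048 here only keeps key generation quick.
gen_recipient() {   # $1 = key path, $2 = certificate path
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/CN=backup-recipient" -passout env:BACKUP_KEY_PASS \
    -keyout "$1" -out "$2" 2>/dev/null
}

# Encrypt on the backup host: needs only the certificate, no secret.
# No -text: it prepends e-mail MIME headers that a plain -decrypt keeps.
encrypt_backup() {  # $1 = certificate, $2 = plaintext, $3 = DER output
  openssl smime -encrypt -binary -aes256 -outform DER \
    -in "$2" -out "$3" "$1"
}

# Decrypt at restore time: needs the private key and its passphrase.
decrypt_backup() {  # $1 = key, $2 = DER ciphertext, $3 = plaintext output
  openssl smime -decrypt -binary -inform DER -inkey "$1" \
    -passin env:BACKUP_KEY_PASS -in "$2" -out "$3"
}

# Sanity check on a stored backup: the DER must parse as a PKCS#7/CMS
# EnvelopedData structure. Catches truncated or mis-written uploads.
is_enveloped_data() {  # $1 = file
  openssl asn1parse -inform DER -in "$1" 2>/dev/null \
    | grep -q 'pkcs7-envelopedData'
}

# SHA-256 of a file; also what you would publish beside each backup so a
# swapped or corrupted ciphertext is noticed (CBC alone gives no integrity).
digest() {  # $1 = file
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Returns 0 only when decrypting $2 with key $1 reproduces $3 exactly.
# A wrong key either makes openssl fail or yields garbage; both return 1.
decrypts_to() {  # $1 = key, $2 = DER ciphertext, $3 = expected plaintext
  out="$WORK/roundtrip.$$"
  if decrypt_backup "$1" "$2" "$out" 2>/dev/null \
     && [ "$(digest "$out")" = "$(digest "$3")" ]; then
    rm -f "$out"; return 0
  fi
  rm -f "$out"; return 1
}

run_demo() {
  gen_recipient "$KEY" "$CRT"
  # Constructed sample dump standing in for the real database.sql.
  printf 'CREATE TABLE users (id INT, email TEXT);\nINSERT INTO users VALUES (1, %s);\n' \
    "'admin@example.com'" > "$WORK/database.sql"
  encrypt_backup "$CRT" "$WORK/database.sql" "$WORK/database.sql.enc"
  if ! is_enveloped_data "$WORK/database.sql.enc"; then
    echo "ciphertext is not CMS EnvelopedData" >&2; exit 1
  fi
  if ! decrypts_to "$KEY" "$WORK/database.sql.enc" "$WORK/database.sql"; then
    echo "restore did not reproduce the dump" >&2; exit 1
  fi
  # An unrelated key pair must not be able to recover the dump.
  gen_recipient "$WORK/other.key" "$WORK/other.crt"
  if decrypts_to "$WORK/other.key" "$WORK/database.sql.enc" "$WORK/database.sql"; then
    echo "BUG: wrong key decrypted the backup" >&2; exit 1
  fi
  echo "ciphertext well-formed, restore OK, wrong key rejected (files in $WORK)"
}

# Run the full demo with: sh backup-crypt.sh demo
if [ "${1:-}" = "demo" ]; then run_demo; fi
```

In a real deployment only encrypt_backup (and the certificate) runs on the database host; gen_recipient and decrypt_backup run wherever the private key is kept, and the passphrase is fed in from the job's secret store rather than the default string used here.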