Symmetric encryption
More generally, the openssl command line tool is mostly a proof-of-concept for testing the OpenSSL library. The right answer to this question is either GPG or some archiver such as 7z. – Gilles 'SO- stop being evil' Apr 18 '14 at 12:00

Create a secret key using a one-time pad key generator; compile the tool on a Windows computer; use it to encrypt a file on Windows with the -k option and the above secret key; compile the tool on a Linux computer; use it on Linux to verify that the encrypted file has the same secret key using the -psk option.
For symmetric encryption, you can use the following:
To encrypt:
To decrypt:
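The symmetric encrypt/decrypt pair, as an added example that is not part of the original answer. It uses `openssl enc` with AES-256-CBC and PBKDF2 key stretching, and adds an HMAC-SHA256 tag over the ciphertext because `openssl enc` on its own gives confidentiality but no integrity: a modified ciphertext can decrypt without any error. Key and file names are assumptions; the sample plaintext is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the original answer's commands): AES-256-CBC file
# encryption with openssl enc, PBKDF2-stretched key from a key file, plus an
# encrypt-then-MAC tag so tampering is detected before decryption.
set -eu

PBKDF2_ITER=100000

# gen_keys ENC_KEYFILE MAC_KEYFILE
# Keys are written as one-line hex on purpose: `-pass file:` reads only up to
# the first newline, so a raw binary key (openssl rand 32) would be silently
# truncated whenever it happened to contain a 0x0a byte.
gen_keys() {
    openssl rand -hex 32 > "$1"
    openssl rand -hex 32 > "$2"
    chmod 600 "$1" "$2"
}

# encrypt_file PLAIN CIPHER ENC_KEYFILE MAC_KEYFILE -> writes CIPHER and CIPHER.hmac
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
    # Tag covers the whole output, "Salted__" header and salt included.
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$4")" -binary "$2" > "$2.hmac"
}

# decrypt_file CIPHER PLAIN ENC_KEYFILE MAC_KEYFILE -> returns 1 and writes nothing on a bad tag
decrypt_file() {
    local tag
    tag=$(mktemp)
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$4")" -binary "$1" > "$tag"
    if ! cmp -s "$tag" "$1.hmac"; then
        rm -f "$tag"
        echo "HMAC mismatch on $1: refusing to decrypt" >&2
        return 1
    fi
    rm -f "$tag"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip_demo: encrypts a constructed plaintext, decrypts it, then corrupts
# a few ciphertext bytes and checks that decryption is refused. Returns 0 on success.
roundtrip_demo() {
    local dir
    dir=$(mktemp -d)
    printf 'constructed sample plaintext: payroll export 2024-05\n' > "$dir/plain.txt"
    gen_keys "$dir/enc.key" "$dir/mac.key"
    encrypt_file "$dir/plain.txt" "$dir/plain.enc" "$dir/enc.key" "$dir/mac.key"
    decrypt_file "$dir/plain.enc" "$dir/out.txt" "$dir/enc.key" "$dir/mac.key"
    cmp -s "$dir/plain.txt" "$dir/out.txt" || { echo "round trip failed" >&2; return 1; }
    # Overwrite four bytes inside the first ciphertext block (after the 16-byte salt header).
    printf '\377\001\377\001' | dd of="$dir/plain.enc" bs=1 seek=20 conv=notrunc 2>/dev/null
    if decrypt_file "$dir/plain.enc" "$dir/out2.txt" "$dir/enc.key" "$dir/mac.key" 2>/dev/null; then
        echo "tampering went undetected" >&2
        return 1
    fi
    rm -rf "$dir"
    echo "round trip ok, tampering detected"
}

roundtrip_demo
```

The HMAC key is kept separate from the encryption key file; `cmp` is not constant-time, which is acceptable for a locally verified file tag but not for an online service.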
Asymmetric encryption
For asymmetric encryption you must first generate your private key and extract the public key.
To encrypt:
To decrypt:
Encrypting files
You can't directly encrypt a large file using rsautl. Instead, do the following:

- Generate a key using openssl rand, e.g. openssl rand 32 -out keyfile.
- Encrypt the key file using openssl rsautl.
- Encrypt the data using openssl enc, using the generated key from step 1.
- Package the encrypted key file with the encrypted data. The recipient will need to decrypt the key with their private key, then decrypt the data with the resulting key.
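The four steps above carried through end to end, as an added example rather than the answer's own commands. It uses `pkeyutl` with RSA-OAEP in place of `rsautl` (deprecated in OpenSSL 3) and writes the session key as a single hex line, since `-pass file:` only reads up to the first newline and a raw 32-byte key can contain one. Key, bundle and file names are assumptions; the input is constructed random data.

```shell
#!/usr/bin/env bash
# Added example (not the answer's commands): hybrid encryption with the openssl CLI.
# Random AES session key -> wrapped with the recipient's RSA public key (OAEP)
# -> data encrypted with AES-256-CBC -> both parts bundled for the recipient.
set -eu

# make_recipient_keys PRIVATE_PEM PUBLIC_PEM
# Add `-aes-256-cbc -pass file:pw.txt` to genpkey to keep the private key encrypted at rest.
make_recipient_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null
    chmod 600 "$1"
    openssl pkey -in "$1" -pubout -out "$2"
}

# seal PLAIN BUNDLE_DIR PUBLIC_PEM
# Produces BUNDLE_DIR/key.enc (RSA-OAEP-wrapped session key) and BUNDLE_DIR/data.enc.
seal() {
    local plain=$1 out=$2 pub=$3 sk
    mkdir -p "$out"
    sk=$(mktemp)
    openssl rand -hex 32 > "$sk"                      # one line: safe for -pass file:
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$sk" -out "$out/key.enc" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$plain" -out "$out/data.enc" -pass "file:$sk"
    rm -f "$sk"
}

# open_bundle BUNDLE_DIR OUT_FILE PRIVATE_PEM
# Recipient side: unwrap the session key with the private key, then decrypt the data.
open_bundle() {
    local in=$1 out=$2 priv=$3 sk
    sk=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$priv" -in "$in/key.enc" -out "$sk" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$in/data.enc" -out "$out" -pass "file:$sk"
    rm -f "$sk"
}

# hybrid_demo: full round trip on 200 kB of constructed data. Returns 0 on success.
hybrid_demo() {
    local dir
    dir=$(mktemp -d)
    make_recipient_keys "$dir/private.pem" "$dir/public.pem"
    head -c 200000 /dev/urandom > "$dir/big.bin"      # far larger than one RSA block
    seal "$dir/big.bin" "$dir/bundle" "$dir/public.pem"
    tar -C "$dir" -cf "$dir/bundle.tar" bundle        # step 4: package for the recipient
    open_bundle "$dir/bundle" "$dir/big.out" "$dir/private.pem"
    cmp -s "$dir/big.bin" "$dir/big.out" || { echo "hybrid round trip failed" >&2; return 1; }
    rm -rf "$dir"
    echo "hybrid round trip ok"
}

hybrid_demo
```

The bundle carries no integrity tag or sender authentication; for that, sign the bundle (see the verification section below) or use an AEAD-capable tool such as `openssl cms`, age or GPG.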
Ultimate solution for safe and highly secure encoding of any file with OpenSSL on the command line:
Private key generation (encrypted private key):
With an unencrypted private key:
With an encrypted private key:
With an existing encrypted (or unencrypted) private key:
Encrypt a file
Encrypt binary file:
Encrypt text file:
What is what:
- smime — the openssl command for the S/MIME utility (smime(1)).
- -encrypt — the chosen operation.
- -binary — use safe file processing. Normally the input message is converted to 'canonical' format as required by the S/MIME specification; this switch disables that. It is necessary for all binary files (such as images, sounds, ZIP archives).
- -aes-256-cbc — the chosen cipher, AES with a 256-bit key (strong). If not specified, 40-bit RC2 is used (very weak). (Supported ciphers.)
- -in plainfile.zip — input file name.
- -out encrypted.zip.enc — output file name.
- -outform DER — encode the output file as binary. If not specified, the file is Base64-encoded and its size increases by about 30%.
- yourSslCertificate.pem — file name of your certificate, which should be in PEM format.
That command can very effectively and strongly encrypt any file regardless of its size or format.
Decrypt a file
Decrypt binary file:
For text files:
What is what:
- -inform DER — same as -outform above.
- -inkey private.key — file name of your private key, which should be in PEM format and can be encrypted with a password.
- -passin pass:your_password — (optional) the password your private key is encrypted with.
Verification
Creating a signed digest of a file:
Verify a signed digest:
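The S/MIME encrypt/decrypt pair and the signed-digest verification described above, as one added example that is not the answer's own commands. A self-signed certificate is generated for the demo; in practice you encrypt to the recipient's real certificate. It also shows why `-passin pass:...` is best avoided (it lands in `ps` output and shell history). The subject name and file names are assumptions; the input file is constructed random data.

```shell
#!/usr/bin/env bash
# Added example (not the answer's commands): certificate-based S/MIME file
# encryption with DER output, the matching decryption, and a detached
# SHA-256 signature made with `openssl dgst` and verified against the certificate.
set -eu

# new_selfsigned PRIVATE_KEY CERT  (3072-bit RSA; key left unencrypted for the demo)
new_selfsigned() {
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1 \
        -subj "/CN=demo-recipient" -keyout "$1" -out "$2" 2>/dev/null
    chmod 600 "$1"
}

# smime_encrypt PLAIN OUT CERT  (binary-safe, AES-256-CBC, DER output)
smime_encrypt() {
    openssl smime -encrypt -binary -aes-256-cbc -in "$1" -out "$2" -outform DER "$3"
}

# smime_decrypt IN OUT PRIVATE_KEY
# For an encrypted key prefer `-passin file:pw.txt` or `-passin env:KEYPW`
# over `-passin pass:...`, which exposes the password to other local users.
smime_decrypt() {
    openssl smime -decrypt -binary -inform DER -in "$1" -out "$2" -inkey "$3"
}

# sign_file FILE PRIVATE_KEY -> writes FILE.sig (detached signature)
sign_file() {
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# verify_file FILE CERT -> 0 if FILE.sig matches FILE under the certificate's public key
verify_file() {
    local pub rc
    pub=$(mktemp)
    openssl x509 -in "$2" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$1.sig" "$1" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pub"
    return $rc
}

# smime_demo: round trip, then signature check on the original and on a modified file.
smime_demo() {
    local dir
    dir=$(mktemp -d)
    new_selfsigned "$dir/private.key" "$dir/cert.pem"
    head -c 50000 /dev/urandom > "$dir/plainfile.zip"   # constructed binary input
    smime_encrypt "$dir/plainfile.zip" "$dir/encrypted.zip.enc" "$dir/cert.pem"
    smime_decrypt "$dir/encrypted.zip.enc" "$dir/decrypted.zip" "$dir/private.key"
    cmp -s "$dir/plainfile.zip" "$dir/decrypted.zip" || { echo "S/MIME round trip failed" >&2; return 1; }
    sign_file "$dir/plainfile.zip" "$dir/private.key"
    verify_file "$dir/plainfile.zip" "$dir/cert.pem" || { echo "valid signature rejected" >&2; return 1; }
    printf 'x' >> "$dir/plainfile.zip"                  # any change must break the signature
    if verify_file "$dir/plainfile.zip" "$dir/cert.pem"; then
        echo "tampered file still verified" >&2
        return 1
    fi
    rm -rf "$dir"
    echo "S/MIME round trip ok, signature verified, tampering detected"
}

smime_demo
```

`openssl cms` accepts the same `-encrypt`/`-decrypt`/`-binary`/`-outform DER` options and is the maintained successor to `smime`; the commands above translate one for one.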
I recently went through the process of learning about how you could encrypt and store passwords for user accounts in a way that they can be easily used in a Powershell script. While researching how to do this, I found a lot of information on how to encrypt the password using Microsoft’s Data Protection Application Programming Interface (DPAPI) encryption. However, I didn’t find very many write-ups on how to do the same thing using AES encryption. So I’m going to share what I found and how it can be implemented.
AES? DPAPI? Why might I choose one over the other?
Before getting to the details for implementation, I want to mention some reasons why you may (or may not) want to use AES instead of DPAPI. Both DPAPI and AES have native support in Powershell, so they can both be used relatively easily.
Data that is encrypted using DPAPI can only be decrypted on the same host that encrypted it, and in the form Powershell uses by default (ConvertFrom-SecureString without -Key) only by the same user account, because the DPAPI master key is tied to that user's profile. That means that data encrypted using DPAPI isn't portable: it can't be decrypted on other computers (excluding potential attacks against the encryption). Some people might find DPAPI appealing because its lack of portability keeps the data more secure from a Confidentiality perspective.
Data that is encrypted using AES, on the other hand, can be decrypted by any computer that has the AES key that was used to encrypt the data. That means that the data that’s encrypted using AES is portable. If the data needs to be migrated to another host for any reason (normal systems migrations, disaster recovery, etc), it will continue to be accessible as long as you have access to the AES key that was used. Some people might find the portability of AES to be appealing because it keeps the encrypted data more secure from an Availability perspective.
Ultimately, whether you choose to use DPAPI or AES is a decision that each person or organization needs to make, and you need to weigh the pros and cons of each option. In either case, if any variety of encryption is implemented without an appropriate amount of consideration, it can result in bad situations like an inability to access data that you need (effectively, a self inflicted Denial of Service attack) or the data not being as confidential as you thought because of poor access controls on the keys.
Now that we’ve covered that part, let’s move on to how you can use Powershell to (1) generate and store a 256-bit AES key, (2) encrypt the password for a User Account using that AES key, and (3) use that AES encrypted password in a script (to authenticate with a mail server, in this case).
Preparing your environment to use AES encrypted passwords
Use the Powershell below to get your environment prepared. Before executing these steps, you will need to have: (1) a secure location to store your key, (2) a secure location to store your encrypted password, (3) the password for the User account that you need to use in your script.
The screenshot below shows Prep Step 1. A 256-bit (32-byte) key is generated using a .NET cryptographic random number generator. For demonstration purposes, the contents of the key file are displayed.
The screenshot below shows Prep Step 2. The password for “Username@YourDomainDotCom” is typed into the Powershell “Read-Host -AsSecureString” prompt, and then the password is encrypted and saved to a file. For demonstration purposes, the content of the encrypted password file is displayed.
After you complete those two Prep Steps, you will have your Key and Encrypted Password saved to files, and you will be able to use them when you execute other Powershell scripts in the future.
Using your AES Encrypted password in a script
The script below demonstrates how you can use your AES Encrypted password in a script. In this example, the password is being used to authenticate with a Mail Server.
The screenshot below shows the demonstration script excluding the “Define Email Message Options” and “Send Email” portions at the end of the script. For demonstration purposes, it also shows what the content of the $EmailCredentials variable, a PSCredential object, looks like. Because the password was loaded as a SecureString, the Password is displayed as “System.Security.SecureString” instead of the actual password being displayed.
I don’t show the email portion in the demonstration screenshots because I’m not using a real Mail Server and User Account for this. But it all works as long as all of the options that you define for the Send-MailMessage command are valid for the Mail Server that you use.
Decrypting a password file to reveal the plaintext password
As a final note on this post – I mentioned earlier that controlling access to your Key is critical, because anyone that has access to the key can decrypt the data that was secured with it. In the situation that I’m demonstrating, since the key is being used to encrypt the password for an account, if an attacker can get their hands on the Key and the encrypted password file, then they may be able to use the User Account for accessing other services on the network (in addition to authenticating with the Mail Server, as the scripts demonstrate).
So, you got your hands on the key and password file, and you want to decrypt it to recover the plaintext password? This will do it (re-using some variables that were used in previous scripts above)
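The whole procedure in one place, as an added example rather than the post's own scripts: the DPAPI-versus-AES choice from the comparison above (the same cmdlet with and without -Key), the two prep steps, loading the credential inside a script, and the reveal step just described. The paths, the account name and the SMTP host are assumptions, and the key-file ACL check is an addition the post only argues for in prose.

```powershell
# Added example (not the post's script). Assumed paths, account and SMTP host.
$KeyPath      = 'C:\Secure\mail.key'      # assumption: NTFS ACL limited to the service account
$PasswordPath = 'C:\Secure\mail.pass'
$UserName     = 'Username@YourDomainDotCom'
$SmtpServer   = 'smtp.yourdomaindotcom'   # assumption

# Prep step 1: 256-bit key from the .NET cryptographic RNG, stored as raw bytes.
function New-AesKeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($Path, $key)
}

# Prep step 2: prompt for the password and write it encrypted.
# With -Key the SecureString is AES-encrypted and portable to any host holding the key;
# without -Key ConvertFrom-SecureString uses DPAPI and the file only decrypts for
# the same user on the same machine.
function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$KeyPath            # omit to use DPAPI instead of AES
    )
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    if ($KeyPath) {
        $key    = [System.IO.File]::ReadAllBytes($KeyPath)
        $cipher = $secure | ConvertFrom-SecureString -Key $key
    } else {
        $cipher = $secure | ConvertFrom-SecureString
    }
    Set-Content -Path $Path -Value $cipher
}

# The key is the whole secret: refuse to run if a broad group can read it.
function Assert-KeyFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $bad = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
    if ($bad) {
        throw "Key file $Path is readable by: $($bad.IdentityReference.Value -join ', ')"
    }
}

# Script-time use: rebuild the SecureString and wrap it in a PSCredential.
function Get-MailCredential {
    param([string]$KeyPath, [string]$Path, [string]$UserName)
    Assert-KeyFileAcl -Path $KeyPath
    $key    = [System.IO.File]::ReadAllBytes($KeyPath)
    $secure = Get-Content -Path $Path | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# The reveal step: anyone holding key file + password file gets the plaintext back.
function Reveal-Password {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $Credential.GetNetworkCredential().Password
}

# One-time preparation (run interactively):
#   New-AesKeyFile -Path $KeyPath
#   Protect-Secret -Path $PasswordPath -KeyPath $KeyPath
# In the scheduled script:
#   $EmailCredentials = Get-MailCredential -KeyPath $KeyPath -Path $PasswordPath -UserName $UserName
#   Send-MailMessage -From $UserName -To 'ops@yourdomaindotcom' -Subject 'Report' `
#       -SmtpServer $SmtpServer -UseSsl -Credential $EmailCredentials
# To reproduce the final section of the post:
#   Reveal-Password -Credential $EmailCredentials
```

ConvertTo-SecureString -Key accepts 16-, 24- or 32-byte keys; 32 bytes selects AES-256. Reveal-Password exists to make the post's closing point concrete and has no place in a production script.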
The screenshot below shows that Powershell code being used to expose the plaintext password we encrypted earlier. The password is “ThisIsMyP@ssw0rdfjaldskf;jNENROIEFDnlndlfw392fdkjslfjo3fdkNLFDSNFKJLSo32eo9#(*$)#$#(*%&NFJEI#fdklew”