Skip to content

Encryption in a nutshell

exchange information in a safe manner

1. Symmetrical Encryption

the easiest way to encrypt your data is using password, then pass that password to the recipient, and then he can decrypt the data, and get the original file, to do that we will use openssl.

to encrypt data run:

openssl enc -aes-256-cbc -iter 2 < file > file.encypt
# or
openssl enc -aes-256-cbc -iter 2 <<< "super secret data" > file.encypt

let's break the command down, so 'enc' means that we want to do encryption, and '-aes-256-cbc' is the cipher algorithm we want to use, there many others, check the manual page for more information, and the '-iter' is optional and means how many iteration we want, to rencrypt the data. after you run the cmd, it will prompt you for password to use in the encryption.

to decrypt the data use:

openssl enc -d -aes-256-cbc -iter 2 > file.orig < file.encypt

the only difference is that you need to add '-d' flag for decryption, and keep all other flags that were used in the encryption phase.

you could also use gpg for sysmmetrical encryption:

gpg --symmetric file

this will prompt you for a passphrase.

in the other end you just envoke:

gpg -d file.gpg

2. Asymmetrical Encryption

asymetrical encryption is much secure that the symetrical one, because it doesn't use passwords, instead it relies on public/private key pair, to encrypt/decrypt data, so if you encrypt data with someone else's public, theoratically only that person will be able to decrypt it back, assuming that he didn't share his private key with nobody else.

to demonstrate the concept we will use gpg (gnu protection guard). if this is the first time to use gpg, you need to generate your key pair first.

gpg --full-gen-key

and it will prompt you for some information, after that you can start encrypting data, but you first need the key of the recipient, he should send it you after exporting it:

gpg --export

in your computer run:

gpg --import <key-file>

now the recipient key should be in the keyring:

gpg --list-keys

then you can use the key to encrypt stuff:

gpg -r [email protected] -e file > file.gpg

this will generate new file called "file.gpg" contain encrypted version of the "file". the '-r' option is for the recipient, you can use the key fingerprint or just the email.

the recipient can decrypt the data like so:

gpg -d file.gpg > original-file

the "-d" stand for decrypt and if your key matches the recipient, it will ask you for your key password, and you will be able to see the original data.

you can also sign the data in addition to encryption, that helps the recipient to verify that you are the actual sender, and not someone else.

gpg -r [email protected] -se file > file.gpg

bonus:

to make the generated data by gpg strictly in ascii, so that you can send it through email, just specify --armor flag.

Ultimate Encryption

the best possible encryption is to combine both:

gpg
-c # symmetrical (password)
-e # asymmetrical (specify recipient key)
-s # signed (include the signature, so that the recipient can verify it's you)
-a # armored (ascii output, pem format)
file

then you have to share the password with the other end, and both of you should have each others keys. to decrypt that:

gpg -d file.pem # it will ask for password, checks the signature, and print the content to stdout

Digital Certificate

certicate helps encrypt traffic between servers and clients through ssl/tls, it also used by clients to make sure they are talking to the right server to avoid man-in-the-middle attacks. so a certificate is basically a public key, used to encrypt data and the server uses its private key to decrypt it back. certifacates are usually signed by CA (certificate authority), but we could also self sign our certifacates for private uses:

first we need the private key:

openssl genrsa -aes-256 -out my.pem

then we could generate the certificate directly using our private key:

openssl req -x509 -key my.pem -out my.crt

you will be prompted to enter some info, that will be stored in the certificate (e.g domain, organization ...).

done, it's easy.

if you want to dump certificate content use:

openssl x509 -text -in my.crt -noout

to generate a normal public key use:

openssl rsa -pubout -in my.pem -out my-pub.pem

Signatures

signing data is important while sending them through untrusted meduim to verify their integrity, both openssl, gnupg allows signature generation, but gpg is more suited to this kind of tasks:

  • gpg:
gpg --detach-sign file

this will generate another file named file.gpg contains a signature of the content of the file generated using your private key. so no one else can forge it, or alter the data without being discovered.

on the other end (the recepient) you can verify that the data is consistant:

gpg --verify file.sig file

gpg will verify if the signature is valid, and from the right source, also checks if the content of file is not changed. note that you should already have the public key of the sender in your keychain because it will be used to check the signature.

  • openssl:

openssl works in a similar way but it is more verbose:

to sign:

openssl dgst -sha256 -sign privatekey.pem -out file.sig file

to verify:

openssl dgst -sha256 -verify publickey.pem -signature file.sig file