Encrypting files
Safe Files
OpenSSL
SSL and its successor TLS are protocols developed to provide communication security over a network using cryptography. You are probably most familiar with them from web browsers, for websites whose addresses begin with https. You can take advantage of the same cryptographic primitives that SSL and TLS rely on to encrypt your files as well.
The most common implementation of SSL is OpenSSL [14], an open source community project for a full-featured toolkit implementation of SSL and TLS, as well as general-purpose cryptography. It was the subject of the infamous Heartbleed [15] vulnerability that primarily affected the communication encryption aspect of OpenSSL. The cryptography library aspect of OpenSSL is still extremely useful.
OpenSSL has a number of ciphers, cryptographic hash functions, and public key encryption algorithms (Table 2). OpenSSL really focuses on encryption and decryption and not compression. Consequently, you shouldn't expect the encrypted file to be smaller than the original.
Table 2: OpenSSL Encryption Options

| Category | Algorithms |
|---|---|
| Ciphers | AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2/4/5, Triple DES, GOST 28147-89 |
| Cryptographic hash functions | MD5/4/2, SHA-1/-2, RIPEMD-160, MDC-2, GOST R 34.11-94 |
| Public key cryptography | RSA, DSA, Diffie-Hellman key exchange, Elliptic curve, GOST R 34.10-2001 |
Using OpenSSL requires a few more arguments than the typical encryption tool, as you can see in the command line in Listing 10. The first option, aes-256-cbc, tells OpenSSL to use the AES cipher with a 256-bit key (in CBC mode). The -in option specifies the input file, and -out specifies the output (encrypted) file.
Listing 10: OpenSSL Encryption

$ ls -s
total 7288
 196 hpc_001.html
7092 MFS2007.pdf
$ openssl aes-256-cbc -salt -in hpc_001.html -out hpc_001.html.enc
enter aes-256-cbc encryption password:
Verifying -- enter aes-256-cbc encryption password:
$ ls -s
total 7484
 196 hpc_001.html
 196 hpc_001.html.enc
7092 MFS2007.pdf
The -salt option is added to the command line because it improves security. Classically, a salt [16] is a random bit of data used as an additional input to the one-way function that hashes the passphrase. It protects against dictionary attacks and against precomputed rainbow table attacks [17], because without a salt, the same password always generates the same encryption key. When the salt is used with OpenSSL, the encrypted data begins with a header in which 8 bytes are reserved for the salt (i.e., the random bit of data). When the file is decrypted, the salt is read from that header and used to re-derive the key.
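To make the salt mechanism concrete, here is an added Python example (not from the article, and not OpenSSL's own code) that builds and parses the header `openssl enc -salt` writes (the 8-byte "Salted__" marker followed by the 8-byte salt) and reproduces the two key derivations the command can use: the legacy EVP_BytesToKey scheme (MD5, one iteration) that the Listing 10 command uses by default, and the PBKDF2-HMAC-SHA256 derivation selected by the -pbkdf2 option in OpenSSL 1.1.1 and later. The password, the fixed salt and the placeholder ciphertext are constructed for the demo, and the function names are this example's own.

```python
import hashlib
import os
from typing import Optional, Tuple

# Layout of `openssl enc -salt` output: 8-byte marker, 8-byte salt, ciphertext.
MAGIC = b"Salted__"
SALT_LEN = 8


def split_salted(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an `openssl enc -salt` stream.

    A decryptor should make this check before deriving any key: a file
    without the marker was either not salted or is not OpenSSL output.
    """
    header_len = len(MAGIC) + SALT_LEN
    if not blob.startswith(MAGIC) or len(blob) < header_len:
        raise ValueError("not an OpenSSL 'Salted__' stream")
    return blob[len(MAGIC):header_len], blob[header_len:]


def evp_bytes_to_key(password: bytes, salt: bytes,
                     key_len: int = 32, iv_len: int = 16) -> Tuple[bytes, bytes]:
    """Legacy EVP_BytesToKey with MD5 and a single iteration.

    This is what `openssl enc` uses when -pbkdf2 is not given:
    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt),
    and key || iv is the concatenation of the D_i.  Returns (key, iv).
    For aes-256-cbc that is 32 key bytes + 16 IV bytes = three MD5 blocks.
    """
    out = b""
    block = b""
    while len(out) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, iterations: int = 10000,
                  key_len: int = 32, iv_len: int = 16) -> Tuple[bytes, bytes]:
    """Derivation used by `openssl enc -pbkdf2` (PBKDF2-HMAC-SHA256,
    10000 iterations by default); key and IV come from one PBKDF2 output."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def make_salted_stream(ciphertext: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build the on-disk layout, drawing a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return MAGIC + salt + ciphertext


def same_password_different_keys(password: bytes) -> bool:
    """The property the salt buys: two encryptions with the same password
    but fresh salts yield different keys, so no precomputed table applies."""
    k1, _ = evp_bytes_to_key(password, os.urandom(SALT_LEN))
    k2, _ = evp_bytes_to_key(password, os.urandom(SALT_LEN))
    return k1 != k2


if __name__ == "__main__":
    # Constructed sample: a fixed salt and dummy ciphertext (not real AES output).
    sample = make_salted_stream(b"<ciphertext bytes>", salt=bytes(range(8)))
    salt, body = split_salted(sample)
    key, iv = evp_bytes_to_key(b"correct horse", salt)
    print("salt:", salt.hex(), "legacy key:", key.hex()[:16] + "...", "iv:", iv.hex())
    key2, _ = pbkdf2_key_iv(b"correct horse", salt)
    print("pbkdf2 key:", key2.hex()[:16] + "...")
    print("fresh salts give different keys:", same_password_different_keys(b"correct horse"))
```

Two things the example makes visible: the salt defeats precomputation, but it does nothing to slow down guessing a weak passphrase, and the legacy derivation is a single MD5 pass, so every guess costs one hash. On OpenSSL 1.1.1 or later, add -pbkdf2 (and optionally -iter with a larger count) to the enc command so that each guess costs thousands of HMAC computations; older OpenSSL versions will reject the flag, which is itself a useful check of which derivation a file was written with.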
Notice that OpenSSL does not echo the passphrase; it is read interactively rather than passed on the command line, so it is neither displayed nor recorded in the shell history. Also notice that OpenSSL doesn't have a standard file extension. I chose .enc to show that the file is encrypted.
As I mentioned earlier, OpenSSL is just an encryption tool. It doesn't do file compression. Consequently, the file size of the encrypted text file in the previous example is roughly the same as the original text file. OpenSSL can operate on a compressed file as well, but in a separate step, as follows:
$ openssl aes-256-cbc -salt -in hpc_001.html.gz \
    -out hpc_001.html.gz.enc
enter aes-256-cbc encryption password:
Verifying -- enter aes-256-cbc encryption password:
Decrypting a file is also fairly easy, using the -d option:

$ openssl aes-256-cbc -d -in hpc_001.html.enc -out hpc_001.html.2
enter aes-256-cbc decryption password:
Crypt Replacements
The *nix of yore came with a command named crypt that could be used to encrypt data. However, its level of security wasn't very good, so it disappeared from the scene. Even if you can find the source for it, several tools break its encryption, so it should be avoided at all costs. However, crypt was already popular, and some older scripts still use it. Today, you have the choice of several crypt replacements.
Ccrypt
Ccrypt [18] is based on the Rijndael block cipher, the same cipher that is the basis of the AES specification. Internally, ccrypt takes the specified password, which can be of any length, and hashes it down to a 256-bit key. As with almost all passphrase-based ciphers, the longer the password, the better the security.
Ccrypt's command line is not symmetric, which means you have to specify whether you are encrypting or decrypting a file. To encrypt a file, use the command ccrypt:
$ ls -s
total 7288
 196 hpc_001.html
7092 MFS2007.pdf
$ ccrypt hpc_001.html
Enter encryption key:
Enter encryption key: (repeat)
$ ls -s
total 7288
 196 hpc_001.html.cpt
7092 MFS2007.pdf
Notice that the encrypted file size is about the same size as the unencrypted file for this text example.
One thing you should pay particular attention to is that Ccrypt encrypts the file but does not leave the original file in place. I worry about this behavior, because if a problem crops up during the encryption process, the file could be corrupted. The final thing to notice is that Ccrypt does not echo the passphrase to stdout, so the shell history cannot capture it.
To decrypt a file, run the command:
$ ccrypt -d hpc_001.html.cpt Enter decryption key:
The -d option just means "decrypt."