OpenSSL 使用 S/MIME 快速加密、解密大型檔案教學與範例

介紹如何使用 OpenSSL 的 S/MIME 功能對大型檔案進行加密與解密。

準備憑證

在使用 S/MIME 之前，必須要準備加密用的憑證，如果沒有憑證，可以自己產生一個自行簽署的憑證來使用。

產生憑證方法一

第一種產生憑證的方法是使用 openssl 先產生 RSA 金鑰，再透過自行簽署的方式來產生憑證。

# 產生 8912 位元的 RSA 私鑰，以 AES256 加密保護
openssl genrsa -aes256 -out private.pem 8912

Generating RSA private key, 8912 bit long modulus (2 primes)
..............................................................................................................................................................................+++
.....+++
e is 65537 (0x010001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:

# 從 RSA 私鑰產生 RSA 公鑰
openssl rsa -in private.pem -pubout -out public.pem

Enter pass phrase for private.pem:
writing RSA key

# 產生自行簽署的憑證
openssl req -x509 -new -days 3650 -key private.pem -out certificate.pem

Enter pass phrase for private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

產生憑證方法二

我們也可以將產生金鑰與簽署憑證合併處理，只要一步即可產生自行簽署的憑證：

# 產生自行簽署憑證
openssl req -x509 -days 3650 -newkey rsa:8912 -keyout private.pem -out certificate.pem

Generating a RSA private key
..........................................................................................................................................................................................................................................................................................................................................................................................................................+++
.......................+++
writing new private key to 'private.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

以憑證加密

準備好 certificate.pem 這個憑證檔案之後，就可以利用 OpenSSL 的 S/MIME 功能對大型檔案進行加密了。

若要對文字檔進行加密，可以使用以下指令：

# 加密文字檔案
openssl smime -encrypt -aes-256-cbc -in myfile.txt \
  -out myfile.txt.enc -outform DER certificate.pem

這裡的 -outform DER 參數是讓加密後的資料採用二進位的方式輸出，不要以預設的 base64 編碼輸出。

若要加密二進位檔案，則加上 -binary 參數：

# 加密二進位檔案
openssl smime -encrypt -binary -aes-256-cbc -in myfile.zip \
  -out myfile.zip.enc -outform DER certificate.pem

以私鑰解密

經過 certificate.pem 憑證加密之後的檔案，要使用 private.pem 進行解密，以下是加密文字檔的解密方式：

# 解密文字檔案
openssl smime -decrypt -in myfile.txt.enc -inform DER \
  -out myfile.txt -inkey private.pem

Enter pass phrase for private.pem:

加密的二進位檔案，在解密時也是加上 -binary 參數：

# 解密二進位檔案
openssl smime -decrypt -binary -in myfile.zip.enc -inform DER \
  -out myfile.zip -inkey private.pem

Enter pass phrase for private.pem:

參考資料

• dreikanter/encrypt_openssl.md
• LinuxConfig.org：An easy way to encrypt and decrypt large files using OpenSSL and Linux