Linux

OpenSSL 使用 S/MIME 快速加密、解密大型檔案教學與範例

介紹如何使用 OpenSSL 的 S/MIME 功能對大型檔案進行加密與解密。

準備憑證

在使用 S/MIME 之前,必須要準備加密用的憑證,如果沒有憑證,可以自己產生一個自行簽署的憑證來使用。

產生憑證方法一

第一種產生憑證的方法是使用 openssl 先產生 RSA 金鑰,再透過自行簽署的方式來產生憑證。

# 產生 8912 位元的 RSA 私鑰,以 AES256 加密保護
openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus (2 primes)
..............................................................................................................................................................................+++
.....+++
e is 65537 (0x010001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
# 從 RSA 私鑰產生 RSA 公鑰
openssl rsa -in private.pem -pubout -out public.pem
Enter pass phrase for private.pem:
writing RSA key
# 產生自行簽署的憑證
openssl req -x509 -new -days 3650 -key private.pem -out certificate.pem
Enter pass phrase for private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

產生憑證方法二

我們也可以將產生金鑰與簽署憑證合併處理,只要一步即可產生自行簽署的憑證:

# 產生自行簽署憑證
openssl req -x509 -days 3650 -newkey rsa:8912 -keyout private.pem -out certificate.pem
Generating a RSA private key
..........................................................................................................................................................................................................................................................................................................................................................................................................................+++
.......................+++
writing new private key to 'private.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

以憑證加密

準備好 certificate.pem 這個憑證檔案之後,就可以利用 OpenSSL 的 S/MIME 功能對大型檔案進行加密了。

若要對文字檔進行加密,可以使用以下指令:

# 加密文字檔案
openssl smime -encrypt -aes-256-cbc -in myfile.txt \
  -out myfile.txt.enc -outform DER certificate.pem

這裡的 -outform DER 參數是讓加密後的資料採用二進位的方式輸出,不要以預設的 base64 編碼輸出。

若要加密二進位檔案,則加上 -binary 參數:

# 加密二進位檔案
openssl smime -encrypt -binary -aes-256-cbc -in myfile.zip \
  -out myfile.zip.enc -outform DER certificate.pem

以私鑰解密

經過 certificate.pem 憑證加密之後的檔案,要使用 private.pem 進行解密,以下是加密文字檔的解密方式:

# 解密文字檔案
openssl smime -decrypt -in myfile.txt.enc -inform DER \
  -out myfile.txt -inkey private.pem
Enter pass phrase for private.pem:

加密的二進位檔案,在解密時也是加上 -binary 參數:

# 解密二進位檔案
openssl smime -decrypt -binary -in myfile.zip.enc -inform DER \
  -out myfile.zip -inkey private.pem
Enter pass phrase for private.pem:

參考資料

Share
Published by
Office Guide

Recent Posts

Python 使用 PyAutoGUI 自動操作滑鼠與鍵盤

本篇介紹如何在 Python ...

1 年 ago

Ubuntu Linux 以 WireGuard 架設 VPN 伺服器教學與範例

本篇介紹如何在 Ubuntu ...

1 年 ago

Linux 網路設定 ip 指令用法教學與範例

本篇介紹如何在 Linux 系...

1 年 ago

Linux 以 Cryptsetup、LUKS 加密 USB 隨身碟教學與範例

介紹如何在 Linux 系統中...

1 年 ago