介紹如何使用 OpenSSL 的 S/MIME 功能對大型檔案進行加密與解密。
在使用 S/MIME 之前,必須要準備加密用的憑證,如果沒有憑證,可以自己產生一個自行簽署的憑證來使用。
第一種產生憑證的方法是使用 openssl 先產生 RSA 金鑰,再透過自行簽署的方式來產生憑證。
# 產生 8912 位元的 RSA 私鑰,以 AES256 加密保護 openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus (2 primes) ..............................................................................................................................................................................+++ .....+++ e is 65537 (0x010001) Enter pass phrase for private.pem: Verifying - Enter pass phrase for private.pem:
# 從 RSA 私鑰產生 RSA 公鑰 openssl rsa -in private.pem -pubout -out public.pem
Enter pass phrase for private.pem: writing RSA key
# 產生自行簽署的憑證 openssl req -x509 -new -days 3650 -key private.pem -out certificate.pem
Enter pass phrase for private.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
我們也可以將產生金鑰與簽署憑證合併處理,只要一步即可產生自行簽署的憑證:
# 產生自行簽署憑證 openssl req -x509 -days 3650 -newkey rsa:8912 -keyout private.pem -out certificate.pem
Generating a RSA private key ..........................................................................................................................................................................................................................................................................................................................................................................................................................+++ .......................+++ writing new private key to 'private.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
準備好 certificate.pem 這個憑證檔案之後,就可以利用 OpenSSL 的 S/MIME 功能對大型檔案進行加密了。
若要對文字檔進行加密,可以使用以下指令:
# 加密文字檔案 openssl smime -encrypt -aes-256-cbc -in myfile.txt \ -out myfile.txt.enc -outform DER certificate.pem
這裡的 -outform DER 參數是讓加密後的資料採用二進位的方式輸出,不要以預設的 base64 編碼輸出。
若要加密二進位檔案,則加上 -binary 參數:
# 加密二進位檔案 openssl smime -encrypt -binary -aes-256-cbc -in myfile.zip \ -out myfile.zip.enc -outform DER certificate.pem
經過 certificate.pem 憑證加密之後的檔案,要使用 private.pem 進行解密,以下是加密文字檔的解密方式:
# 解密文字檔案 openssl smime -decrypt -in myfile.txt.enc -inform DER \ -out myfile.txt -inkey private.pem
Enter pass phrase for private.pem:
加密的二進位檔案,在解密時也是加上 -binary 參數:
# 解密二進位檔案 openssl smime -decrypt -binary -in myfile.zip.enc -inform DER \ -out myfile.zip -inkey private.pem
Enter pass phrase for private.pem: