/media/bill/PROJECTS/System_maintenance/security/encryption notes.txt
www.BillHowell.ca 22Nov2015 initial
see "Good encryption descriptions" at end of this file for quick explanations of file encryption.

**********
Bill Howell's gpg public key

Most people aren't comfortable with encryption tools, but this provides vastly better security. If you have the public keys of recipients, you don't have to send keys in separate emails (MUCH more secure). One simply :
   uses a symmetric key to encrypt file attachments
   encrypts the symmetric key with each of the recipients' public keys, producing recipient-specific "encrypted symmetric keys"
   one email to all recipients : the "encrypted symmetric keys" for each recipient, along with the "symmetrically encrypted file"
   each recipient decrypts their "encrypted symmetric key" using their private key, and uses the decrypted symmetric key to decrypt the file.
Most of the time, people won't do this (sigh). It is frustrating to learn, though.

Others download my public key via (process varies according to encryption software used) :
$ gpg --keyserver hkp://pool.sks-keyservers.net --search-keys "William Neil Howell (09Dec2018) "
gpg: searching for "William Neil Howell (09Dec2018) " from hkp server pool.sks-keyservers.net
(1) William Neil Howell (09Dec2018)
      2048 bit RSA key DA74BE1C, created: 2018-12-09
Keys 1-1 of 1 for "William Neil Howell (09Dec2018) ". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key DA74BE1C from hkp server pool.sks-keyservers.net
gpg: key DA74BE1C: "William Neil Howell (09Dec2018) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
>> Note : as I already have my key, this example doesn't make changes to my keyring, as shown above.

**********
https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/#-why-gpg

Procedure :
1. Generate an openssl "symmetric" key to be used for the contents of a file :
   [adapt, addto, run] "/media/bill/SWAPPER/bin/openssl create [public-private, symmetric] keys.sh"
   to produce an openssl "symmetric" key for long files
   This script also does decryption, to check that encryption-decryption works properly.
   Use gpg instead! ->
   This script can also produce openssl "public-private" keys for :
      short sentence like encryption - for encrypting [keys, signatureID] etc - (is this RSA?)
      public/private keys setup
2. Encrypt the file using the openssl symmetric key generated in step 1
   [adapt, addto, run] "/media/bill/SWAPPER/bin/openssl encrypt medium sized file.sh"
   This also does decryption, to check that encryption-decryption works properly.
3. Encrypt the "symmetric key" of step 1 using the recipients' public key
   [adapt, addto, run] "/media/bill/SWAPPER/bin/openssl create [public-private, symmetric] keys.sh"
   To get Bill Howell's public key :
4. Email the encrypted file to the recipient, attaching the encrypted file and its openssl "symmetric" key
5. They use their private key to decrypt the openssl key
6. They use the openssl key to decrypt the file

**********
use $ seahorse & - for general key [generation, viewing, management]
>> I don't use this for now, prefer command line

**********
To check my public keys :
$ gpg --keyserver hkp://pool.sks-keyservers.net --search-keys "William Neil Howell"

**********
To download my public key to a file :
$ gpg --keyserver hkp://pool.sks-keyservers.net --export "William Neil Howell" >"/media/bill/ramdisk/181209 RSA public Howell 2048 ID DA74BE1C export.pem"
>> When I click on the file - up pops a window with information on it.
How do I convert an exported key file to ASCII?

**********
https://superuser.com/questions/815641/unable-to-send-pgp-key-to-keyserver#1092168
To get my own public key from my keyserver :
   email to : pgp-public-keys@keys.pgp.net
   subject : GET 0xDA74BE1C
>> don't work! ???
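
Added example, not part of the original notes : the hybrid procedure of steps 1-6 above as a shell script, built from the openssl commands used later in this file (genrsa, rsa -pubout, pkey, pkeyutl, enc). It also computes the size limit behind the "data too large for key size" errors recorded further down. OAEP padding, the signature on the ciphertext, OpenSSL 1.1.1 or later, and all key and file names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original notes. Key and file names are constructed.
# Assumes OpenSSL 1.1.1 or later (for "enc -pbkdf2").

make_keypair() {                   # $1 = bits, $2 = private key out, $3 = public key out
    openssl genrsa -out "$2" "$1" 2>/dev/null &&
    openssl rsa -in "$2" -pubout -out "$3" 2>/dev/null
}

# Largest input that RSA encryption with PKCS#1 v1.5 padding accepts:
# modulus size in bytes minus 11 bytes of padding (1024-bit: 117, 2048-bit: 245).
rsa_max_plain_bytes() {            # $1 = public key (PEM)
    bits=$(openssl pkey -pubin -in "$1" -noout -text |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo $(( bits / 8 - 11 ))
}

# Encrypt $2 zero bytes directly with RSA, as "rsautl -encrypt" does to a file.
# Exit status 0 means accepted; non-zero is the "data too large for key size" case.
rsa_direct_ok() {                  # $1 = public key, $2 = byte count, $3 = scratch dir
    dd if=/dev/zero of="$3/probe.bin" bs=1 count="$2" 2>/dev/null
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -in "$3/probe.bin" -out "$3/probe.enc" 2>/dev/null
}

# Sender: random session key -> AES for the file -> RSA (OAEP) for the session key,
# then sign the ciphertext so the recipient can detect a substituted file.
# Writes $4.enc, $4.key.enc and $4.sig; the clear session key is deleted.
hybrid_encrypt() {   # $1 = recipient public, $2 = sender private, $3 = input, $4 = prefix
    rc=0
    { openssl rand -base64 32 > "$4.key" &&
      openssl enc -aes-256-cbc -pbkdf2 -salt -in "$3" -out "$4.enc" \
          -pass "file:$4.key" &&
      openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
          -in "$4.key" -out "$4.key.enc" &&
      openssl dgst -sha256 -sign "$2" -out "$4.sig" "$4.enc"; } || rc=1
    rm -f "$4.key"
    return $rc
}

# Recipient: check the sender's signature first, then recover the session key
# with the private key and decrypt the file with it.
hybrid_decrypt() {   # $1 = recipient private, $2 = sender public, $3 = prefix, $4 = output
    openssl dgst -sha256 -verify "$2" -signature "$3.sig" "$3.enc" \
        >/dev/null 2>&1 || return 1
    rc=0
    { openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
          -in "$3.key.enc" -out "$3.key" &&
      openssl enc -d -aes-256-cbc -pbkdf2 -in "$3.enc" -out "$4" \
          -pass "file:$3.key"; } || rc=1
    rm -f "$3.key"
    return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    make_keypair 2048 "$d/sender.pem" "$d/sender.pub.pem"
    make_keypair 2048 "$d/recipient.pem" "$d/recipient.pub.pem"
    max=$(rsa_max_plain_bytes "$d/recipient.pub.pem")
    echo "direct RSA limit for this key : $max bytes"
    rsa_direct_ok "$d/recipient.pub.pem" "$max" "$d" &&
        echo "$max bytes : accepted"
    rsa_direct_ok "$d/recipient.pub.pem" "$((max + 1))" "$d" ||
        echo "$((max + 1)) bytes : data too large for key size"
    # constructed 600 kbyte test file, about the size of the jpg tried in these notes
    dd if=/dev/urandom of="$d/big.bin" bs=1024 count=600 2>/dev/null
    hybrid_encrypt "$d/recipient.pub.pem" "$d/sender.pem" "$d/big.bin" "$d/msg" &&
    hybrid_decrypt "$d/recipient.pem" "$d/sender.pub.pem" "$d/msg" "$d/big.out" &&
    cmp -s "$d/big.bin" "$d/big.out" && echo "hybrid round trip OK"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Saved to a file and run with the argument demo, it prints the limit, the accepted and rejected sizes, and the round-trip result.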

**********
To upload my own public key to my keyserver hkp://pool.sks-keyservers.net :

Generate key
$ gpg --gen-key
Checking that Your Key was Created
$ gpg --list-keys

https://www.eugenemdavis.com/uploading-your-public-key.html
Outputting Your Public Key
$ gpg --armor --output publickey.txt --export keyid
Uploading Your Public Key
$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys keyid

If I want to kill a key (don't just delete within gpg or seahorse!!) :
To create a revocation key
$ gpg --output revoke.asc --gen-revoke keyid

**********
ToDos :
How do I convert an exported key file to ASCII?

****************************************************
*********************
09Dec2018 How to upload my public key to my keyserver https://sks-keyservers.net/ :
uses gpg - take defaults (press enter)

https://www.eugenemdavis.com/uploading-your-public-key.html
Outputting Your Public Key
$ gpg --armor --output "/media/bill/Midas/keys/181209 RSA public Howell 2048.pem" --export DA74BE1C
>> no response - it worked
Uploading Your Public Key
$ gpg --send-keys --keyserver sks-keyservers.net DA74BE1C
gpg: sending key DA74BE1C to hkp server sks-keyservers.net
>> didn't work?
$ gpg --send-keys --keyserver sks-keyservers.net DA74BE1C

https://www.eugenemdavis.com/generating-gnugp-keys.html
$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys DA74BE1C
gpg: sending key DA74BE1C to hkp server pool.sks-keyservers.net
>> no other feedback

$ gpg --list-keys
/home/bill/.gnupg/pubring.gpg
-----------------------------
pub   2048R/DA74BE1C 2018-12-09
uid                  William Neil Howell (09Dec2018)
sub   2048R/5E364AFA 2018-12-09
>> This only shows what is on my system

10Dec2018
https://askubuntu.com/questions/36507/how-do-i-import-a-public-key
Search for key : man gpg :
$ gpg --keyserver hkp://pool.sks-keyservers.net --search-keys "William Neil Howell"
gpg: searching for "William Neil Howell" from hkp server pool.sks-keyservers.net
(1) William Neil Howell (09Dec2018)
      2048 bit RSA key DA74BE1C, created: 2018-12-09
(2) William Neil Howell (Public pgp key - so others can send encrypted fil
      2048 bit RSA key 4060215C, created: 2018-09-06
Keys 1-2 of 2 for "William Neil Howell". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key DA74BE1C from hkp server pool.sks-keyservers.net
gpg: key DA74BE1C: "William Neil Howell (09Dec2018) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Can I download my public key to a file as a check?
https://protonmail.com/support/knowledge-base/download-public-private-key/
>> specific to a software, but interesting - states export, here I choose stdout
$ gpg --keyserver hkp://pool.sks-keyservers.net --export "William Neil Howell"
>> unreadable!?
$ gpg --keyserver hkp://pool.sks-keyservers.net --export "William Neil Howell" >"/media/bill/ramdisk/181209 RSA public Howell 2048 ID DA74BE1C export.pem"
>> When I click on the file - up pops a window with information on it.
How do I convert an exported key file to ASCII?

10Dec2018 To create a revocation key :
$ gpg --output revoke.asc --gen-revoke (old key#)
$ gpg --output "/media/bill/Midas/keys/181209 RSA public Howell 2048 ID 4060215C revoke.txt" --gen-revoke 4060215C
gpg: secret key "4060215C" not found: eof
>> I can't revoke it as I deleted the key from my keyring

*********************
09Dec2018 How to my public/private keys :
uses gpg - take defaults (press enter)

https://www.eugenemdavis.com/generating-gnugp-keys.html
Generate key
$ gpg --gen-key
Checking that Your Key was Created
$ gpg --list-keys

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
   0 = key does not expire
   = key expires in n days
   w = key expires in n weeks
   m = key expires in n months
   y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) "

Real name: William Neil Howell
Email address: Bill@BillHowell.ca
Comment: 09Dec2018 new public key
You selected this USER-ID:
   "William Neil Howell (09Dec2018 new public key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? c
Comment: 09Dec2018
You selected this USER-ID:
   "William Neil Howell (09Dec2018) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(... I enter password as saved on old ...)

We need to generate a lot of random bytes.
It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 127 more bytes)
........+++++
gpg: key DA74BE1C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/DA74BE1C 2018-12-09
      Key fingerprint = DD32 CD38 0C1E 806F 9CFE 5822 3A1F 1F9D DA74 BE1C
uid                  William Neil Howell (09Dec2018)
sub   2048R/5E364AFA 2018-12-09

[1]+ Done seahorse

$ gpg --list-keys
/home/bill/.gnupg/pubring.gpg
-----------------------------
pub   2048R/4060215C 2018-09-06
uid                  William Neil Howell (Public pgp key - so others can send encrypted files to me)
sub   2048R/5E1D3967 2018-09-06

pub   2048R/DA74BE1C 2018-12-09
uid                  William Neil Howell (09Dec2018)
sub   2048R/5E364AFA 2018-12-09

KeyID : DA74BE1C
Type : RSA
Strength : 2048

*********************
09Dec2018 To see my keys :

Retrieve
see $ man gpg
gpg [--homedir dir] [--options file] [options] command [args]

encrypt with public
$ gpg2 --encrypt "/media/bill/PROJECTS/ToDos/_Howell - email signature PROJECTS.txt" ??? >"/media/bill/ramdisk/_Howell - email signature PROJECTS public encrypted.txt"

$ gpg --list-public-keys
/home/bill/.gnupg/pubring.gpg

--fetch-keys URIs
   Retrieve keys located at the specified URIs. Note that different installations of GnuPG may support different protocols (HTTP, FTP, LDAP, etc.)
$ gpg --fetch-keys 4060215C
-----------------------------
pub   2048R/4060215C 2018-09-06
uid                  William Neil Howell (Public pgp key - so others can send encrypted files to me)
sub   2048R/5E1D3967 2018-09-06

GUI :
$ seahorse &
>> gives details of my RSA pgp 2048 keys for "William Neil Howell" [Sign, Certify]

******************
Good example of hybrid [public-private, symmetric] encryption :
   "/media/bill/SWAPPER/bin/openssl mass email list encryption.sh"
Good example of hybrid [public-private, symmetric] decryption & test :
   "/media/bill/SWAPPER/bin/openssl mass email list dencryption & test.sh"

My public key - save in protected file :
$ seahorse &
Menu -> File -> New -> PGP key ->
   Full name : William Neil Howell
   Email address : bill@billhowell.ca
   -> Advanced key options :
      Comment - Public pgp key - so others can send encrypted files to me
      Pwd-confirm - I saved this.
It now appears in :
   Menu -> View -> By Keyring -> GnuPG keys -> William Neil Howell
   Menu -> Remote -> Sync and publish keys -> Key servers ->
      hkp://pool.sks-keyservers.net
         https://sks-keyservers.net/
         This website provides services for the SKS keyservers used by OpenPGP.
         This site is developed and hosted by KF (Kristian Fiskerstrand) Webs
         He is looking for donations... (10$)
      ldap://keyserver.pgp.com
         http://keyserver.pgp.com/vkd/GetWelcomeScreen.event
         Symantec Corp. PGP Global Directory is a free service

*******************
?date Simple file encryption - send code by email later.

NOTE : by sending the encrypted file FIRST, there is time to double-check that the correct file was sent. If an error was made, don't send the key!!
Below, "$ " is the command line prompt that I use - it will be different for you.

+---+
Example :

Encrypt :
$ gpg -c "/media/bill/Midas/a_INNS Lexicom email server/mass email text lists/180906 INNS-IJCNN mass email list encrpted to TENG Teck Hou.txt"
respond to prompt with pwd that you have created

Decrypt the file :
0. Download my public key by :
1. Save the encrypted file that I send to you in an email in a directory of your choice, for example in my Linux system :
   = "/media/bill/Midas/a_INNS Lexicom email server/mass email text lists/"
   = "/media/bill/ramdisk/"
   = "180906 INNS-IJCNN mass email list encripted to TENG Teck Hou.txt.gpg"
   = "180906 INNS-IJCNN mass email list encripted to TENG Teck Hou.txt"

Linux :
2. Check if gpg is on your system
   on the command line enter
   $ man gpg
   which should give instructions. If not, install it.
3. Open a terminal and type :
   $ gpg -d "" >""
   Obviously, it's easiest to modify the text in an editor, then copy-paste to the terminal (mouse right-button paste).
4. After entering the command line above, respond to prompt with the password.

Windows :
2. see https://heasarc.gsfc.nasa.gov/ark/rps/help/gpg.html for instructions (GPG4Win or another application is required, but many systems will already have that)
3. After following the Windows instructions, respond to prompt with the password.

***********************
07Oct2018 openssl symmetric encryption NOT using a password

https://www.czeskis.com/random/openssl-encrypt-file.html
How to encrypt a big file using OpenSSL and someone's public key

Step 0) Get their public key
The other person needs to send you their public key in .pem format.
If they only have it in rsa format (e.g., they use it for ssh), then have them do:
openssl rsa -in id_rsa -outform pem > id_rsa.pem
openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem
Have them send you id_rsa.pub.pem

Step 1) Generate a 256 bit (32 byte) random key
openssl rand -base64 32 > key.bin

Step 2) Encrypt the key
openssl rsautl -encrypt -inkey id_rsa.pub.pem -pubin -in key.bin -out key.bin.enc

Step 3) Actually Encrypt our large file
openssl enc -aes-256-cbc -salt -in SECRET_FILE -out SECRET_FILE.enc -pass file:./key.bin

Step 4) Send/Decrypt the files
Send the .enc files to the other person and have them do:
openssl rsautl -decrypt -inkey id_rsa.pem -in key.bin.enc -out key.bin
openssl enc -d -aes-256-cbc -in SECRET_FILE.enc -out SECRET_FILE -pass file:./key.bin

Notes
You should always verify the hash of the file with the recipient or sign it with your private key, so the other person knows it actually came from you.
If there is a man-in-the-middle, then he/she could substitute the other person's public key for his/her own and then you're screwed. Always verify the other person's public key (take a hash and read it to each other over the phone).

+-----+
http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/
Simple File Encryption with OpenSSL
December 12, 2007

This is the basic command to encrypt a file:
openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc

How does this work?
   openssl is the command for the OpenSSL toolkit.
   aes-256-cbc is the encryption cipher to be used. (256bit AES is what the United States government uses to encrypt information at the Top Secret level.)
   -a means that the encrypted output will be base64 encoded, this allows you to view it in a text editor or paste it in an email. This is optional.
   -salt adds strength to the encryption and should always be used.
   -in secrets.txt specifies the input file.
   -out secrets.txt.enc specifies the output file.
   You will be prompted for a password.
It's not much use unless you can decrypt it:
openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
   -d decrypts data.
   -a tells OpenSSL that the encrypted data is in base64.
   -in secrets.txt.enc specifies the data to decrypt.
   -out secrets.txt.new specifies the file to put the decrypted data in.

Try out OpenSSL by decrypting this string (the password is pass):
U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A=
You can paste it into a text file and use the commands above, or use this command instead:
echo U2FsdGVkX18YcWkbmhsN7M/MP1E+GLf4IqmNsa53T+A= | openssl aes-256-cbc -d -a
See the OpenSSL man page for more detail on what it can do.

>> Not what I want - I want a key, not a password!!!

+-----+
Old stuff
#Your best source of information for openssl enc would probably be: https://www.openssl.org/docs/apps/enc.html
# https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files
# uses password !!
#openssl enc -aes-256-cbc -in un_encrypted.data -out encrypted.data
#openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc
#openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
#openssl smime -encrypt -binary -aes-256-cbc -in "$f_input" -out "$f_encrypted" -outform PEM "$key_symmetric"
#openssl enc -aes-256-cbc -in "$f_input" -out "$f_encrypted"
#https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files
#openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
#openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
#openssl smime -decrypt -binary -in "$f_encrypted" -inform DER -out "$f_decrypted" -inkey "$key_symmetric"

***********************
05Oct2018 Jose Iglesias public key - openssl pem encryption test

+-----+
https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/#-why-gpg
3.3 Encrypting data
We can now use the public key to encrypt data. Here we will encrypt the file "test.txt" and store the encrypted text in the file encrypt.dat. Execute the following command:
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
+-----+

>> so it's OpenSSL I must use
man openssl - I have it

NAME
   openssl - OpenSSL command line tool
SYNOPSIS
   openssl command [ command_opts ] [ command_args ]
   openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms]
   openssl no-XXX [ arbitrary options ]
DESCRIPTION
   OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
   The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for
   o Creation and management of private keys, public keys and parameters
   o Public key cryptographic operations
   o Creation of X.509 certificates, CSRs and CRLs
   o Calculation of Message Digests
   o Encryption and Decryption with Ciphers
   o SSL/TLS Client and Server Tests
   o Handling of S/MIME signed or encrypted mail
   o Time Stamp requests, generation and verification

   pkeyutl   Public key algorithm cryptographic operation utility.

$ openssl pkeyutl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem" -pubin -in "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg" -out "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg.openssl encrypted"
unable to load Private Key
1995905120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Error initializing context
Usage: pkeyutl [options]
-in file         input file
-out file        output file
-sigfile file    signature file (verify operation only)
-inkey file      input key
-keyform arg     private key format - default PEM
-pubin           input is a public key
-certin          input is a certificate carrying a public key
-pkeyopt X:Y     public key options
-sign            sign with private key
-verify          verify with public key
-verifyrecover   verify with public key, recover original data
-encrypt         encrypt with public key
-decrypt         decrypt with private key
-derive          derive shared secret
-hexdump         hex dump output
-engine e        use engine e, possibly a hardware device.
-passin arg      pass phrase source

>> oops - see if public key is encrypted

Try 585.4 kbytes pdf : "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg"
$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem" -pubin -in "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg" -out "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg.openssl encrypted"
RSA operation error
1995581536:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:
>> maybe Jose gave me the private key?

Try a text file 8.9 kbytes : "/media/bill/PROJECTS1/System_maintenance/html/html codes notes.txt"
$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/html/html codes notes.txt" -out "/media/bill/PROJECTS1/System_maintenance/html/html codes notes.txt.openssl encrypted"
RSA operation error
1996195936:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:

Try 624 byte file : "/media/bill/PROJECTS1/System_maintenance/audio/0_audio notes.txt"
$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/audio/0_audio notes.txt" -out "/media/bill/PROJECTS1/System_maintenance/audio/0_audio notes.txt.openssl encrypted"
RSA operation error
1996322912:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:

$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/clave.pub.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/audio/0_audio notes.txt" -out "/media/bill/PROJECTS1/System_maintenance/audio/0_audio notes.txt.openssl encrypted"
RSA operation error
1995647072:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:

+-----+
05Oct2018 Generate my own OpenSSL [public, private] key :

https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/#-why-gpg
3.2 Generating the Public and Private keys
The first thing we have to do is generate the public and private keys. We first generate the private key. To do so, use the following command:
openssl genrsa -out private_key.pem 1024
The above command instructs OpenSSL to use RSA to generate a private key with a size of 1024 bytes. The key is then stored securely within a file called "private_key.pem".
The output of this command will look similar to the image below:

$ openssl genrsa -out "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell.pem" 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...........................++++++
e is 65537 (0x10001)

Once the private (the secret) key is generated, we can use that to generate the public key so that they form a pair. Use the following command to generate the public key:
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
It will look like the image below:

$ openssl rsa -in "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell.pem" -out "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell.pem" -outform PEM -pubout
writing RSA key

3.3 Encrypting data
We can now use the public key to encrypt data. Here we will encrypt the file "test.txt" and store the encrypted text in the file encrypt.dat. Execute the following command:
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat

$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/html/html codes notes.txt" -out "/media/bill/PROJECTS1/System_maintenance/html/html codes notes.txt.openssl encrypted"
RSA operation error
1995446368:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:
>> Same error as with Jose's public key. So I'm the problem!

https://serverfault.com/questions/853720/dkim-fail-openssl-error-data-too-large-for-key-size
The publickey in the DNS (default._domainkey.awp1.com) seems to be a 1024 bit long RSA key (link to decoded key)
The length of the RSA signature in the DKIM signature (the b-tag, base64 encoded) is 2048 bit.
But for RSA, the key size and the size of the signature should be the same.
OpenSSL therefore rightfully complains about the signature size (2048 bit) being too large for used key (1024 bit).
answered Jun 4 '17 at 14:58, user228011

>> so OpenSSL is too stupid to automatically generate a public key that is the same size as the private? unbelievable
$ openssl rsa -in "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell.pem" inform 1024 -out "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell 1024.pem" -outform PEM -pubout

+-----+
http://certificate.fyicenter.com/2032_OpenSSL_rsautl_data_too_large_for_key_size_Error.html
Because of the nature of the RSA algorithm, a single encryption process can only encrypt input data that is smaller than the modulus value of the RSA key. In other words, the size (number of bytes) of the input data should be smaller than the size (number bytes) of the modulus, which is also the RSA key size.
If you try to use an RSA public key to encrypt a file larger than the key size, you will get the "data too large for key size" error. For example:

C:\Users\fyicenter>type clear.txt
The quick brown fox jumped over the lazy dog.
The quick brown fox jumped over the lazy dog.
The quick brown fox jumped over the lazy dog.

C:\Users\fyicenter>dir *.txt
138 clear.txt

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> rsautl -encrypt -pubin -inkey my_rsa_pub.key -in clear.txt -out cipher.txt
RSA operation error
18472:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2: data too large for key size:.\crypto\rsa\rsa_pk1.c:153:
error in rsautl
OpenSSL>
OpenSSL> pkey -pubin -in my_rsa_pub.key -text -noout
Public-Key: (1024 bit)
...

The test output tells us that:
   The RSA public key size is 1024-bit long.
   The input data, clear.txt, has 138 bytes = 1104 bits, which is larger than the RSA key size.
   "rsautl" will not encrypt any input data that is larger (longer) than the RSA key size.
Actually, OpenSSL could be improved to encrypt larger input files by dividing the input into multiple 128-byte blocks and perform encryption one block at a time.
+-----+

>> RSA is the problem? key > data size? so I need a 10Mbyte key for a 10 Mbyte file?
>> sound crazy
>> hopefully the earlier blog is correct -> private keysize = public keysize
>> However, as the public key is a product of two primes, how can the public and private have same length? How do I set the public key size?

Try 2048 keysize :
$ openssl genrsa -out "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell 2048.pem" 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
...........................................................................+++
e is 65537 (0x10001)

$ openssl rsa -in "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell 2048.pem" -inform PEM -out "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell 2048.pem" -outform PEM -pubout
>> BUT [private, public] keyfile size = [1.6, 0.45] kbytes!!!
>> However, as the public key is a product of two primes, how can the public and private have same length?

"test 61.txt" : /media/bill/PROJECTS1/System_maintenance/security/test 61.txt
$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/security/test 61.txt" -out "/media/bill/PROJECTS1/System_maintenance/security/test 61.txt.openssl encrypted"
>> worked

3.4 Decrypting data
Here we use the private key to decrypt the file. Run the following command:
openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
The file decrypt.txt will contain the decrypted data.
The execution of the above command and also the file content is shown in the image below:

$ openssl rsautl -decrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key private openssl Howell.pem" -in "/media/bill/PROJECTS1/System_maintenance/security/test 61.txt.openssl encrypted" -out "/media/bill/PROJECTS1/System_maintenance/security/test 61.txt.openssl encrypt-decrypted"
>> OK worked

+-----+
So try again with larger text file :
$ openssl rsautl -encrypt -inkey "/media/bill/PROJECTS1/System_maintenance/security/key public openssl Howell.pem" -pubin -in "/media/bill/PROJECTS1/System_maintenance/security/test 8.9 kbytes.txt" -out "/media/bill/PROJECTS1/System_maintenance/security/test 8.9 kbytes.txt.openssl encrypted"
RSA operation error
1996101728:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:

Well, that solves that
RSA can't handle even small files? NO! that's not what it's for!

+-----+
https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

SSL has been around for long enough you'd think that there would be agreed upon container formats. And you're right, there are. Too many standards as it happens. So this is what I know, and I'm sure others will chime in.

.csr - This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.

.pem - Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

.key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.

.pkcs12 .pfx .p12 - Originally defined by RSA in the Public-Key Cryptography Standards (abbreviated PKCS), the "12" variant was originally enhanced by Microsoft, and later submitted as RFC 7292. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys:
openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes

A few other formats that show up from time to time:

.der - A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...

.cert .cer .crt - A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

.p7b .keystore - Defined in RFC 2315 as PKCS number 7, this is a format used by Windows for certificate interchange. Java understands these natively, and often uses .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

.crl - A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.

In summary, there are four different ways to present certificates and their components:

PEM - Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
PKCS7 - An open standard used by Java and supported by Windows. Does not contain private key material.
PKCS12 - A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
DER - The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.

I hope this helps.

edited Sep 21 at 7:28 user2066657
answered May 19 '09 at 2:49 sysadmin1138

The great thing about standards is that there are so many to choose from... – squillman May 19 '09 at 4:05
.crt is another common extension for .cert and .cer – David Pashley Jun 6 '09 at 8:08
PEM is a file format that may consist of a certificate (aka. public key), a private key or indeed both concatenated together. Don't pay so much attention to the file extension; it means Privacy Enhanced Mail, a use it didn't see much use for but the file format stuck around.
– Dan Carley Jun 25 '09 at 16:29
Very useful answer, but I don't think you've covered the .pub format created by ssh-keygen. It would be useful to know how that ties in with the rest. – Jez Dec 28 '12 at 20:05
Can't help noticing "Privacy Enhanced Email" would give the acronym "PEE" as opposed to "PEM". The RFCs tend to use the phrase "Privacy Enhanced Mail" – aidan Jan 12 '15 at 5:20

PEM on its own isn't a certificate, it's just a way of encoding data. X.509 certificates are one type of data that is commonly encoded using PEM.

PEM is a X.509 certificate (whose structure is defined using ASN.1), encoded using the ASN.1 DER (distinguished encoding rules), then run through Base64 encoding and stuck between plain-text anchor lines (BEGIN CERTIFICATE and END CERTIFICATE).

You can represent the same data using the PKCS#7 or PKCS#12 representations, and the openssl command line utility can be used to do this.

The obvious benefit of PEM is that it's safe to paste into the body of an email message because it has anchor lines and is 7-bit clean.

RFC1422 has more details about the PEM standard as it related to keys and certificates.

answered Jun 6 '09 at 15:19 James F

How do you do this "using openssl command line"? – Samik R Sep 18 '13 at 3:53
To convert a DER file (.crt .cer .der) to PEM: openssl x509 -inform der -in cert.cer -out cert.pem.
To convert a PEM file to DER: openssl x509 -outform der -in cert.pem -out certi.der.
To convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes.
To convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out cert.pfx -inkey privateKey.key -in cert.crt -certfile CACert.crt
From here – mpeac Jun 5 '16 at 23:10

***********************
05Oct2018 Jose Iglesias public key - gpg encryption test NO GOOD!
Joe's key is openssl saved to : /media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem

man gpg
$ gpg --list-public-keys (--list-keys as well - nothing)
List all keys from the public keyrings, or just the keys given on the command line.
>> nothing on RaspPi, not even mine!

$ gpg --import "clave.pub.pem"
gpg: can't open `clave.pub.pem': No such file or directory
gpg: Total number processed: 0

http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/ - good site to import a public key:
gpg --import public.key
This adds the public key in the file "public.key" to your public key ring.

$ gpg --import "/media/bill/PROJECTS1/System_maintenance/security/key Iglesias, Jose clave.pub.pem"
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Don't use "--symmetric" option
$ gpg --encrypt "/media/bill/PROJECTS1/miniProjects/Schulich class reunion 1978/181005 Schulich Class of 1978, confidentiality agreement.jpg"

************
06Sep2018 INNS-IJCNN mass email list encrypted to TENG Teck Hou
$ gpg -c "/media/bill/Midas/a_INNS Lexicom email server/mass email text lists/180906 INNS-BDDL mass email list encrpted for TENG Teck Hou.txt"
pwd in simple file g-G1MVf:?lhsBTm%1"=+(lBS

Test decrypt :
$ gpg -d "/media/bill/ramdisk/180906 INNS-BDDL mass email list encrpted for TENG Teck Hou.txt.gpg" >"/media/bill/ramdisk/180906 INNS-BDDL mass email list encrpted for TENG Teck Hou.txt"
$ diff "/media/bill/Midas/a_INNS Lexicom email server/mass email text lists/180906 INNS-BDDL mass email list encrpted for TENG Teck Hou.txt" "/media/bill/ramdisk/180906 INNS-BDDL mass email list encrpted for TENG Teck Hou.txt"
>> no differences resulted from the encryption process

*******************
Howell's public key & posting
$ seahorse - I created a key for TENG Teck Hou

My public key :
$ seahorse &
Menu -> File -> New -> PGP key ->
Full name : William Neil Howell
Email address : bill@billhowell.ca
Pwd-confirm - I saved this
Menu -> Remote -> Sync and publish keys -> Key servers ->
hkp://pool.sks-keyservers.net https://sks-keyservers.net/
ldap://keyserver.pgp.com http://keyserver.pgp.com/vkd/GetWelcomeScreen.event Symantec Corp. PGP Global Directory is a free service

Now what?
Menu -> Remote -> Sync and publish keys -> Key servers ->
hkp://pool.sks-keyservers.net https://sks-keyservers.net/
This website provides services for the SKS keyservers used by OpenPGP. This site is developed and hosted by KF (Kristian Fiskerstrand) Webs
He is looking for donations... (10$)
ldap://keyserver.pgp.com http://keyserver.pgp.com/vkd/GetWelcomeScreen.event Symantec Corp. PGP Global Directory is a free service
>> I chose hkp://pool.sks-keyservers.net
Yes Automatically retrieve keys from key servers
Yes Automatically synchronize modified keys with servers

*****
24Nov2015 Enigmail wipes out formatting!!!
http://sourceforge.net/p/enigmail/forum/support/thread/072d885f/
Patrick Brunschwig 2013-07-13
The problem is that you try to send a HTML mail using inline-PGP. Inline-PGP means that only the message text is encrypted, but not other parts of the message; PGP/MIME on the other hand is a standard that encrypts the complete message (except the headers). To cut a long story short: inline-PGP is incompatible to HTML. If you want to send HTML mails then you have to use PGP/MIME.
>> Howell : still the formatting is trashed when I forward/compose!?

http://superuser.com/questions/282016/html-or-rich-e-mails-do-not-work-with-enigmal-in-thunderbird
Well, I don't remember very much about it, but I remember about PGP/MIME option. Try that:
To compose in HTML:
Menu > Tools > Account Settings > Choose your account > OpenPGP security > Check "Use PGP/MIME by default"
Menu > Tools > Account Settings > [Your Account] > Composition & Addressing > Compose Messages in HTML format
Menu > Tools > Options > Composition > General > Sending options...
> "Send the message in both plain text and HTML"
To read HTML:
Menu > View > Format as > Original HTML format
The senders must enable sending in HTML format

*****
23Nov2015 GnuPG for Jose Iglesias on MS Windows :
http://gpg4win.org/download.html

************
23Nov2015 Encryption setup
GnuPG = GNU Privacy Guard
Seahorse (GNOME software)

+-----+
PGP key setup for file encryption (email maybe later)
http://xmodulo.com/how-to-pgp-encrypt-decrypt-digitally-sign-files-via-gnupg-gui.html
Dan Nanni - great illustration of PGP key
so I did that
I also added my 2014 Chinese Passport photo to the key

+-----+
Enigmail setup for Thunderbird
http://forums.linuxmint.com/viewtopic.php?f=90&t=162000
Re: Installing GnuPg?
Post by trapperjohn on Tue Mar 11, 2014 10:29 am
For managing your keys, seahorse (synaptic if you don't already have it) provides a front end. For encrypting/signing email in thunderbird (tbird addons), the enigma addon works nicely.
I installed 1.8.2 version

**************
*************
From Toshiba laptop 22Nov2015
Nemo seahorse downloaded for encryption
also https://emailselfdefense.fsf.org/en/

************************************
************************************
Good encryption descriptions

+-----+
Simple - send doc, send key later in a different email
https://www.techrepublic.com/article/how-to-easily-encryptdecrypt-a-file-in-linux-with-gpg/
Let's say you have a file, ~/Documents/important.docx, that you want to password protect. Using gpg, you would do the following.
Open a terminal window.
Change to the ~/Documents directory with the command cd ~/Documents.
Encrypt the file with the command gpg -c important.docx.
Enter a unique password for the file and hit Enter.
Verify the newly typed password by typing it again and hitting Enter.
You should now see the file important.docx.gpg in the ~/Documents folder.
To decrypt that file, do the following.
Open a terminal window.
Change to the ~/Documents directory with the command cd ~/Documents.
Decrypt the file with the command gpg important.docx.gpg.
When prompted, enter the decryption password you created when encrypting the file.
You could send that file to a recipient and, as long as they have gpg installed, they can decrypt the file with the password you used for encryption.

+-----+
Public-private approach :
https://www.gnupg.org/gph/en/manual/x110.html
The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice's public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your key.
alice% gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc
To decrypt a message the option --decrypt is used. You need the private key to which the message was encrypted. Similar to the encryption process, the document to decrypt is input, and the decrypted result is output.
blake% gpg --output doc --decrypt doc.gpg
You need a passphrase to unlock the secret key for
user: "Blake (Executioner) "
1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)
Enter passphrase:
Documents may also be encrypted without using public-key cryptography. Instead, only a symmetric cipher is used to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.
alice% gpg --output doc.gpg --symmetric doc
Enter passphrase:

+-----+
https://gpgtools.tenderapp.com/kb/gpg-keychain-faq/how-to-find-and-share-your-public-key
2.
Sharing your public key
2.1 Key server
We recommend using the key servers for distribution of your key. That way it's simple for your friends to retrieve your public key. Once they have your key in their GPG Keychain app, they can create encrypted messages for you. They also can verify incoming signed messages from you.
Important: Keys can not be deleted from the key servers, which is a pain in the ass, but that's how it is currently. They can be revoked but not removed. Keep that in mind when fiddling with key servers.
After key creation you are asked if you want to upload your public key. To upload your key at a later point in time, select your sec/pub key and select menu bar > Key > Send Public Key to Key Server or press ⌘K.
2.2 email public key
To email your public key to a friend select menu bar > Key > Mail Public Key… or press ⇧⌘M
Mail.app will create a new draft with your public key attached. Subject and message body are already filled with an explanatory text, informing the recipient about how to handle your public key.
2.3 Email signature with public key
It is a good idea, to add your key fingerprint to your email signature. In case you do not use the key servers, consider uploading your public key as .asc file and link to that file in your email signature. There are many ways to solve key distribution - be creative, or use the key servers.
To export your public key, drag your sec/pub key to your desktop. The resulting file will contain your public key. To view your exported key in text form, open the exported file with Text Edit.

+-----+
Looks good ?:
http://blog.ghostinthemachines.com/2015/03/01/how-to-use-gpg-command-line/
https://heasarc.gsfc.nasa.gov/ark/rps/help/gpg.html

# enddoc
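
Added example (not part of the original notes): the "data too large for key size" error recorded above is RSA's input limit, and the public-key and symmetric descriptions in this section combine into the usual way around it, where a one-time symmetric key encrypts the file and RSA encrypts only that key. The temp-dir file names, the throwaway key pair and the choice of AES-256-CBC with OAEP padding are assumptions for this demo; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: hybrid encryption with throwaway keys in a temp directory.
# All file names are constructed for this demo. Assumes OpenSSL 1.1.1 or later.
set -e

hybrid_demo() {
    work=$(mktemp -d)

    # Recipient's RSA key pair (2048 bits, as in the notes). Demo key only.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"

    # Constructed test file of about 8.9 kB, the size that failed above.
    seq 1 2000 > "$work/plain.txt"

    # 1. RSA directly on the file: rejected. A 2048-bit key takes at most
    #    245 bytes of input with PKCS#1 v1.5 padding.
    if openssl pkeyutl -encrypt -pubin -inkey "$work/pub.pem" \
        -in "$work/plain.txt" -out "$work/direct.enc" 2>/dev/null
    then direct=encrypted
    else direct=too-large
    fi

    # 2. Sender: a random one-time session key encrypts the file ...
    openssl rand -hex 32 > "$work/session.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$work/session.key" \
        -in "$work/plain.txt" -out "$work/plain.txt.enc"
    # ... and RSA (OAEP padding) encrypts only the 65-byte session key file.
    openssl pkeyutl -encrypt -pubin -inkey "$work/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key" -out "$work/session.key.enc"

    # 3. Recipient: the private key recovers the session key, which then
    #    decrypts the file.
    openssl pkeyutl -decrypt -inkey "$work/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key.enc" -out "$work/session.key.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/session.key.dec" \
        -in "$work/plain.txt.enc" -out "$work/roundtrip.txt"

    if cmp -s "$work/plain.txt" "$work/roundtrip.txt"
    then roundtrip=match
    else roundtrip=mismatch
    fi
    rm -rf "$work"
    echo "direct=$direct hybrid=$roundtrip"
}

hybrid_demo
```

openssl enc in this mode gives confidentiality only, with no integrity check on the ciphertext. gpg --encrypt --recipient does the same session-key wrapping internally, which is why it accepts files of any size.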