> On Jan 13, 2017, at 7:50 PM, Tom Francis <thomas.francis...@pobox.com> wrote:
>
> The enc command is really just an example, IMO. If you want something that's
> useful for production purposes (and even follows standards!), I recommend
> looking at the cms command. It'll encrypt, decrypt, sign (and verify
> signatures) data in a standards-based format. It's not the easiest thing to
> use, but it's better to focus on something like that, rather than a
> proprietary format that was never really intended for real data exchange.
While CMS is indeed often the more appropriate tool, it has a drawback for streaming data. Only the write side can stream. CMS readers must hold the entire decrypted object in memory. For this reason, I've sometimes used enc(1) with the symmetric random encryption key protected to a public key, and a separate signed MAC computed over the whole stream.

Otherwise, indeed enc(1) is often more useful for raw symmetric operations when troubleshooting.

--
Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
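The construction Viktor describes, written out with the openssl CLI as an added example (not code from either poster): a fresh random data key streamed through enc(1), that key wrapped to the recipient's public key with pkeyutl, and an HMAC over the stream that the sender signs. The key-pair names, the directory layout, and the choice to compute the MAC over the ciphertext (encrypt-then-MAC) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: Viktor's construction (enc(1) stream,
# data key wrapped to a public key, signed MAC over the stream) with the openssl CLI.
# Assumptions: constructed sender/recipient RSA key pairs under $WORK, MAC over the
# ciphertext (encrypt-then-MAC), and the file names used below.
set -eu
WORK=$(mktemp -d)
for who in sender recipient; do   # one-time setup of the constructed key pairs
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$who.key" 2>/dev/null
    openssl pkey -in "$WORK/$who.key" -pubout -out "$WORK/$who.pub"
done
OAEP="-pkeyopt rsa_padding_mode:oaep"

# HMAC-SHA256 of stdin under hex key $1, printed as lowercase hex.
hmac_hex() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary | od -An -tx1 | tr -d ' \n'; }

# Sender: stdin -> $3/data.enc. Both enc(1) and the MAC run in constant memory.
send_stream() {  # $1 recipient.pub  $2 sender.key  $3 output dir
    ek=$(openssl rand -hex 32); mk=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
    # Fresh data key plus a separate MAC key (never reuse one key for both), wrapped with RSA-OAEP.
    printf '%s %s\n' "$ek" "$mk" | openssl pkeyutl -encrypt -pubin -inkey "$1" $OAEP -out "$3/keys.wrapped"
    printf '%s' "$iv" > "$3/data.iv"
    openssl enc -aes-256-ctr -K "$ek" -iv "$iv" | tee "$3/data.enc" | hmac_hex "$mk" > "$3/data.mac"
    # Sign the short MAC rather than the whole stream, so verification needs no buffering either.
    openssl dgst -sha256 -sign "$2" -out "$3/data.mac.sig" "$3/data.mac"
}

# Receiver: check the signature, unwrap the keys, recompute the MAC over the ciphertext,
# and decrypt only if it matches (a tampered stream is never fed to the decryptor).
recv_stream() {  # $1 recipient.key  $2 sender.pub  $3 input dir -> plaintext on stdout
    openssl dgst -sha256 -verify "$2" -signature "$3/data.mac.sig" "$3/data.mac" >/dev/null || return 1
    keys=$(openssl pkeyutl -decrypt -inkey "$1" $OAEP -in "$3/keys.wrapped")
    ek=${keys%% *}; mk=${keys##* }
    [ "$(hmac_hex "$mk" < "$3/data.enc")" = "$(cat "$3/data.mac")" ] || { echo "MAC mismatch" >&2; return 1; }
    openssl enc -d -aes-256-ctr -K "$ek" -iv "$(cat "$3/data.iv")" < "$3/data.enc"
}

# Demo helpers: a constructed message round-trips; an appended ciphertext byte is rejected.
demo_roundtrip() {
    d="$WORK/msg"; mkdir -p "$d"
    printf 'constructed sample streamed through enc(1)\n' | send_stream "$WORK/recipient.pub" "$WORK/sender.key" "$d"
    recv_stream "$WORK/recipient.key" "$WORK/sender.pub" "$d"
}
demo_tamper_rejected() {  # prints "rejected" when the modified stream fails the MAC check
    d="$WORK/tampered"; mkdir -p "$d"
    printf 'constructed sample\n' | send_stream "$WORK/recipient.pub" "$WORK/sender.key" "$d"
    printf 'x' >> "$d/data.enc"
    if recv_stream "$WORK/recipient.key" "$WORK/sender.pub" "$d" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}
```

Because the MAC is checked over the ciphertext before any decryption, a modified or truncated stream is rejected without ever reaching enc(1)'s decrypt side.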