On 17/12/2018 16:21, Nick wrote:
Hello,
I've written a script to try and work around openssl's lack of a way to encrypt
large files with public key or hybrid cryptography. I gather SMIME works for
files < ~ 2.5GB but the current implementation cannot decrypt files larger than
this.
My use case is automated server back-ups, for which I need to back up
arbitrarily large files and copy the result to S3 for storage, but I don't want
to store a decryption key on the server. I contemplated splitting the archives,
except this seemed about as much work as writing something which stored an
encrypted one-time password with the payload and using symmetric encryption.
As I'm not really a crypto/security expert, I thought I'd post it here and ask
for some feedback on it.
https://github.com/wu-lee/hencrypt
A simpler way is to realize that the formats used by SMIME/CMS
(specifically
the PKCS#7 formats) allow almost unlimited file size, and any 2GiB limit is
probably an artifact of either the openssl command line tool or some of the
underlying OpenSSL libraries.
It would be interesting to hear from someone familiar with that part of the
OpenSSL API which calls to use to actually do CMS signing/encryption (and
verification/decryption) of data too large to fit in available memory,
and how
to handle the data length BER encoding for values larger than a size_t.
Anyway, setting up an alternative data format might be suitable if combined
with other functionality requiring chunking, such as recovery from
lost/corrupted data "blocks" (where each block is much much larger than
a 1K "disk block").
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
