On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <openssl-users-boun...@openssl.org on behalf of ant...@gmail.com> wrote:

    > Does anybody know how to use the smartcard to encrypt and decrypt files?

A smartcard performs public-key crypto operations, which aren't suitable for bulk 
processing such as file encryption/decryption. In general, you'd need a hybrid 
scheme: generate a random symmetric key, encrypt the file with that symmetric 
key, and encrypt the symmetric key itself with an appropriate public key from 
the smartcard. Decryption would be the reverse: with the smartcard (using the 
private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL 
to decrypt the file.

Here's an example, which I hope will be useful, as it shows how to use OpenSSL 
to encrypt and decrypt short data (like symmetric keys). It uses OpenSC as the 
PKCS#11 library, libp11 as the PKCS#11 engine/interface to OpenSSL, p11-kit to 
allow URIs for objects on the smartcard, and OpenSSL itself:

#!/bin/bash

# Settings for US DoD CAC smartcard
MANUFACTURER="manufacturer=Common%20Access%20Card;"
PRK="pkcs11:${MANUFACTURER}id=%00%03;type=private"
PUBK="pkcs11:${MANUFACTURER}id=%00%03;type=public"

# Generate a random text file
openssl rand -out textfile.txt -hex 600
TEXTFILE="textfile.txt"

# Generate random symmetric key
KEY=`openssl rand -hex 32`
# Generate random IV for file encryption
IV=`openssl rand -hex 16`

# Encrypt symmetric key to the token's RSA KEY MAN (key management) key
echo ${KEY} | xxd -r -p | openssl pkeyutl -engine pkcs11 -keyform engine \
    -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep \
    -out encrypted.key.enc

# Encrypt file with above symmetric key and IV
openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc \
    -K ${KEY} -iv ${IV}

# Decrypt symmetric key on the token
KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" \
    -pkeyopt rsa_padding_mode:oaep -in encrypted.key.enc | xxd -p -c 200`

# Decrypt the file
openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec \
    -K ${KEY2} -iv ${IV}

    Hi Boyd,

    there are many ways to encrypt/decrypt with a smartcard, but since you
    wrote to the OpenSSL list I will answer how to do it with OpenSSL.
    In any case, in addition to openssl you need two other pieces of software:
    the engine and the PKCS#11 library.
    A step-by-step guide can be found here:
    https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

    Antonio

    -- 

    openssl-users mailing list

    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

    

Attachment: smime.p7s
Description: S/MIME cryptographic signature

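The hybrid scheme described in the reply above, run end to end as an added example that is not part of the thread or of any OpenSSL/OpenSC code. It assumes a software RSA-2048 key pair (card-priv.pem / card-pub.pem, generated in a mktemp directory) standing in for the smartcard, so it runs without a token; to use a real card, replace `-inkey card-priv.pem` / `-inkey card-pub.pem` with `-engine pkcs11 -keyform engine -inkey "pkcs11:..."` as in the posted script. It goes one step beyond that script by wrapping an HMAC key next to the AES key and checking an HMAC-SHA256 over IV and ciphertext before decrypting (encrypt-then-MAC), since AES-CFB alone gives no integrity; it also avoids xxd and uses only openssl plus POSIX od/tr. All file names and the sample plaintext are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post. A software RSA key pair stands in
# for the smartcard; -inkey on a PEM file replaces the pkcs11: URIs of a real
# token. File names under a mktemp directory are arbitrary choices.
set -euo pipefail

# Stand-in for the card: an RSA-2048 key pair generated in software.
make_stand_in_keypair() {
    local dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/card-priv.pem" 2>/dev/null
    openssl pkey -in "$dir/card-priv.pem" -pubout -out "$dir/card-pub.pem"
}

# Raw bytes on stdin -> lowercase hex, the form openssl enc -K/-iv expect.
bin2hex() { od -An -v -tx1 | tr -d ' \n'; }

# Encrypt $infile into $out/{wrapped.key,iv.hex,data.enc,data.mac}:
#   64 random bytes = 32-byte AES key || 32-byte HMAC key, RSA-OAEP-wrapped
#   to the public key; AES-256-CBC over the file; HMAC-SHA256 over IV||ciphertext.
hybrid_encrypt() {
    local pub=$1 infile=$2 out=$3
    local keymat key mackey iv
    openssl rand -out "$out/keymat.bin" 64
    keymat=$(bin2hex < "$out/keymat.bin")
    key=${keymat:0:64}
    mackey=${keymat:64:64}
    iv=$(openssl rand -hex 16)
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$out/keymat.bin" \
        -pkeyopt rsa_padding_mode:oaep -out "$out/wrapped.key"
    rm -f "$out/keymat.bin"          # plaintext key material must not stay on disk
    printf '%s' "$iv" > "$out/iv.hex"
    openssl enc -aes-256-cbc -e -in "$infile" -out "$out/data.enc" -K "$key" -iv "$iv"
    cat "$out/iv.hex" "$out/data.enc" \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mackey" -binary > "$out/data.mac"
}

# Decrypt: unwrap with the private key (the only step a real card performs),
# verify the MAC, and only then hand the AES key to openssl enc.
hybrid_decrypt() {
    local priv=$1 in=$2 outfile=$3
    local keymat key mackey iv expect actual
    keymat=$(openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
                 -in "$in/wrapped.key" | bin2hex)
    key=${keymat:0:64}
    mackey=${keymat:64:64}
    iv=$(cat "$in/iv.hex")
    expect=$(bin2hex < "$in/data.mac")
    actual=$(cat "$in/iv.hex" "$in/data.enc" \
                 | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mackey" -binary | bin2hex)
    # Shell string compare is not constant-time: fine for an offline file tool,
    # not for anything an attacker can time over a network.
    if [ "$expect" != "$actual" ]; then
        echo "MAC mismatch: IV or ciphertext modified, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -aes-256-cbc -d -in "$in/data.enc" -out "$outfile" -K "$key" -iv "$iv"
}

# Round trip on a constructed sample file, then show that a modified
# ciphertext is rejected before any decryption happens. Prints one status line.
run_demo() {
    local work
    work=$(mktemp -d)
    make_stand_in_keypair "$work"
    printf 'constructed sample plaintext line 1\nline 2\n' > "$work/plain.txt"
    hybrid_encrypt "$work/card-pub.pem" "$work/plain.txt" "$work"
    hybrid_decrypt "$work/card-priv.pem" "$work" "$work/plain.dec"
    cmp -s "$work/plain.txt" "$work/plain.dec" || { echo "round trip FAILED"; return 1; }
    printf 'X' >> "$work/data.enc"     # tamper: one extra ciphertext byte
    if hybrid_decrypt "$work/card-priv.pem" "$work" "$work/tampered.dec" 2>/dev/null; then
        echo "tamper NOT detected"; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    echo "round trip OK, tamper detected"
}

run_demo
```

The wrapped blob is 64 bytes, well under the OAEP limit for a 2048-bit key, so both keys travel in a single RSA operation; on a real token that single `pkeyutl -decrypt` is the only thing the card has to do, and it is also the only place the PIN is needed.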
