On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <openssl-users-bounces@xxxxxxxxxxx on behalf of antiac@xxxxxxxxx> wrote:

> Does anybody know how to use the smartcard to encrypt and decrypt files?

A smartcard performs public-key crypto operations, which aren't suitable for bulk processing such as file encryption/decryption. In general, you'd need a hybrid scheme - generate a random symmetric key, encrypt the file with that symmetric key, and encrypt this symmetric key itself with an appropriate public key from the smartcard. Decryption would be the reverse: with the smartcard (using the private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL to decrypt the file.

Here's an example, which I hope would be useful, as it shows how to use OpenSSL to encrypt and decrypt data (like symmetric keys – short). It uses OpenSC as the PKCS#11 library, libp11 as the PKCS#11 engine/interface to OpenSSL, p11-kit to allow URIs for objects on the smartcard, and OpenSSL itself:

#!/bin/bash
# Settings for US DoD CAC smartcard
MANUFACTURER="manufacturer=Common%20Access%20Card;"
PRK="pkcs11:${MANUFACTURER}id=%00%03;type=private"
PUBK="pkcs11:${MANUFACTURER}id=%00%03;type=public"

# Generate a random text file
TEXTFILE="textfile.txt"
openssl rand -out ${TEXTFILE} -hex 600

# Generate random symmetric key
KEY=`openssl rand -hex 32`
# Generate random IV for file encryption
IV=`openssl rand -hex 16`

# Encrypt symmetric key to token RSA KEY MAN Key (raw key bytes, RSA-OAEP)
echo ${KEY} | xxd -r -p | openssl pkeyutl -engine pkcs11 -keyform engine -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -out encrypted.key.enc

# Encrypt file with above symmetric key and IV
openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc -K ${KEY} -iv ${IV}

# Decrypt symmetric key on the token (back to hex for -K)
KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -in encrypted.key.enc | xxd -p -c 200`

# Decrypt the file
openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec -K ${KEY2} -iv ${IV}

> Hi Boyd,
> there are many ways to encrypt/decrypt with a smartcard, but since you wrote to the OpenSSL list I'll answer you on how to do it with OpenSSL. In the meantime you need two other pieces of software in addition to openssl: the engine and the pkcs11 library.
> A step-by-step guide can be found here:
> https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
>
> Antonio
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
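Added example, not code from the thread: the same hybrid scheme run against a software RSA key pair standing in for the smartcard, so the flow can be checked offline before the -inkey paths are replaced by the pkcs11: URIs and the -engine pkcs11 -keyform engine options from the post. It assumes openssl is on PATH, wraps the hex encoding of the AES key (64 ASCII bytes) rather than the raw bytes so no xxd round trip is needed, and all file names are constructed.

```shell
#!/bin/bash
# Added example: hybrid file encryption with a software RSA key in place of the
# card. For a token, swap PRK/PUBK for pkcs11: URIs and add the engine options.
set -eu
WORK=$(mktemp -d)            # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT
PRK="$WORK/rsa.pem"          # stand-in for pkcs11:...;type=private
PUBK="$WORK/rsa.pub.pem"     # stand-in for pkcs11:...;type=public
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRK" 2>/dev/null
openssl pkey -in "$PRK" -pubout -out "$PUBK"
# hybrid_encrypt <plaintext> <out.enc> <out.key.enc> <out.iv>
# Wraps the key's hex form (64 bytes, within the 2048-bit OAEP limit) so the
# unwrapped value can go straight into enc -K.
hybrid_encrypt() {
    local key iv
    key=$(openssl rand -hex 32)      # fresh AES-256 content key per file
    iv=$(openssl rand -hex 16)       # fresh IV; not secret, stored beside the file
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$PUBK" \
        -pkeyopt rsa_padding_mode:oaep -out "$3"
    openssl enc -aes-256-cfb -e -in "$1" -out "$2" -K "$key" -iv "$iv"
    printf '%s' "$iv" > "$4"
}
# hybrid_decrypt <in.enc> <in.key.enc> <in.iv> <out.dec>; fails unless the
# wrapped blob unwraps to a 32-byte key (corrupted blob or wrong key pair).
hybrid_decrypt() {
    local key
    key=$(openssl pkeyutl -decrypt -inkey "$PRK" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null) || return 1
    [ "${#key}" -eq 64 ] || { echo "unwrapped key has wrong length" >&2; return 1; }
    openssl enc -aes-256-cfb -d -in "$1" -out "$4" -K "$key" -iv "$(cat "$3")"
}
# roundtrip: encrypt a constructed file, decrypt it, succeed only if identical
roundtrip() {
    openssl rand -hex 600 > "$WORK/plain.txt"
    hybrid_encrypt "$WORK/plain.txt" "$WORK/plain.enc" "$WORK/key.enc" "$WORK/iv"
    hybrid_decrypt "$WORK/plain.enc" "$WORK/key.enc" "$WORK/iv" "$WORK/plain.dec"
    cmp -s "$WORK/plain.txt" "$WORK/plain.dec"
}
# tamper_rejected: zeroing bytes of the wrapped key must make unwrapping fail
tamper_rejected() {
    roundtrip
    dd if=/dev/zero of="$WORK/key.enc" bs=1 count=16 seek=5 conv=notrunc 2>/dev/null
    if hybrid_decrypt "$WORK/plain.enc" "$WORK/key.enc" "$WORK/iv" "$WORK/bad.dec"; then
        return 1
    fi
}
```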