[openssl-users] A script for hybrid encryption with openssl
Jakob Bohm
jb-openssl at wisemo.com
Mon Dec 17 22:02:52 UTC 2018
On 17/12/2018 16:21, Nick wrote:
> Hello,
>
> I've written a script to try and work around openssl's lack of a way to encrypt
> large files with public key or hybrid cryptography. I gather SMIME works for
> files < ~ 2.5GB but the current implementation cannot decrypt files larger than
> this.
>
> My use case is automated server back-ups, for which I need to back up
> arbitrarily large files and copy the result to S3 for storage, but I don't want
> to store a decryption key on the server. I contemplated splitting the archives,
> except this seemed about as much work as writing something which stored an
> encrypted one-time password with the payload and using symmetric encryption.
>
> As I'm not really a crypto/security expert, I thought I'd post it here and ask
> for some feedback on it.
>
> https://github.com/wu-lee/hencrypt
>
>
A simpler way is to realize that the formats used by SMIME/CMS
(specifically
the PKCS#7 formats) allow almost unlimited file size, and any 2GiB limit is
probably an artifact of either the openssl command line tool or some of the
underlying OpenSSL libraries.
It would be interesting to hear from someone familiar with that part of the
OpenSSL API which calls to use to actually do CMS signing/encryption (and
verification/decryption) of data too large to fit in available memory,
and how
to handle the data length BER encoding for values larger than a size_t.
Anyway, setting up an alternative data format might be suitable if combined
with other functionality requiring chunking, such as recovery from
lost/corrupted data "blocks" (where each block is much much larger than
a 1K "disk block").
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list