<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Courier;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText>On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <openssl-users-bounces@openssl.org on behalf of antiac@gmail.com> wrote:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> > Does anybody know how to use the smartcard to encrypt and decrypt files?<o:p></o:p></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black'>Smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In general, you'd need a hybrid scheme - generate a random symmetric key, encrypt the file with that symmetric key, and encrypt this symmetric key itself with an appropriate public key from the smartcard. Decryption would be the reverse: with the smartcard (using the private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL to decrypt the file. <o:p></o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black'>Here's an example, which I hope would be useful, as it shows how to use OpenSSL to encrypt and decrypt data (like symmetric keys – short). It uses OpenSC as PKCS#11 library, libp11 as PKCS#11 engine/interface to OpenSSL, p11-kit to allow URI for objects on the smartcard, and OpenSSL itself:<o:p></o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>#!/bin/bash<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Settings for US DoD CAC smartcard<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>MANUFACTURER="manufacturer=Common%20Access%20Card;"<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>PRK="pkcs11:${MANUFACTURER}id=%00%03;type=private"<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>PUBK="pkcs11:${MANUFACTURER}id=%00%03;type=public"<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Generate a random text file<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>openssl -out textfile.txt -hex 600<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>TEXTFILE="textfile.txt"<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Generate random symmetric key<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>KEY=`openssl rand -hex 32`<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Generate random IV for file encryption<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>IV=`openssl rand -hex 16`<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Encrypt symmetric key to token RSA KEY MAN Key<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>Echo $KEY | xxd -r -p 200 | openssl pkeyutl -engine pkcs11 -keyform engine -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -out encrypted.key.enc<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Encrypt file with above symmetric key and IV<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc -K ${KEY} -iv ${IV}<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Decrypt symmetric key on the token<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -in ${TMP}.key.enc | xxd -p -c 200`<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'># Decrypt the file<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:Courier;color:black'>openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec -K ${KEY2} -iv ${IV}</span><span style='color:black'><o:p></o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> Hi Boyd,<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> there are many ways to encrypt/decrypto with smartcard but since you<o:p></o:p></p><p class=MsoPlainText> wrote to the list of OpenSSL I answer you how to do with OpenSSL.<o:p></o:p></p><p class=MsoPlainText> In the meantime you need two other software, in addition to openssl,<o:p></o:p></p><p class=MsoPlainText> the engine and the pkcs11 library.<o:p></o:p></p><p class=MsoPlainText> A step-by-step guide can be found here:<o:p></o:p></p><p class=MsoPlainText> https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> Antonio<o:p></o:p></p><p class=MsoPlainText> -- <o:p></o:p></p><p class=MsoPlainText> openssl-users mailing list<o:p></o:p></p><p class=MsoPlainText> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p></div></body></html>