[openssl-dev] about enc 'magic' data and salt handling

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jan 14 19:36:24 UTC 2017


> On Jan 13, 2017, at 7:50 PM, Tom Francis <thomas.francis.jr at pobox.com> wrote:
> 
> 
> The enc command is really just an example, IMO. If you want something that's useful for production purposes (and even follows standards!), I recommend looking at the cms command. It'll encrypt, decrypt, sign (and verify signatures) data in a standards-based format. It's not the easiest thing to use, but it's better to focus on something like that, rather than a proprietary format that was never really intended for real data exchange.

While CMS is indeed often the more appropriate tool, it has a drawback
for streaming data.  Only the write side can stream.  CMS readers must
hold the entire decrypted object in memory.  For this reason, I've
sometimes used enc(1) with the symmetric random encryption key protected
to a public key, and a separate signed MAC computed over the whole stream.

Otherwise, indeed enc(1) is often more useful for raw symmetric operations
when troubleshooting.

-- 
	Viktor.
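The hybrid scheme Viktor describes, as an added shell example that is not part of the thread: a random data key used with enc(1) via -K/-iv (no "Salted__" header, no password KDF), wrapped to a recipient RSA key with pkeyutl, plus a sender-signed HMAC over the ciphertext that the recipient checks before decrypting. It assumes the openssl command-line tool is installed; the key pairs and file names are constructed for the demo.

```shell
# Added example, not from the thread; assumes the openssl CLI.
# All key pairs and file names are constructed for the demo.
set -eu

# Two RSA pairs, constructed for the demo: the sender signs, the recipient unwraps.
make_keys() {                                      # $1 = workdir
  for n in sender recipient; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$n.pem" 2>/dev/null
    openssl pkey -in "$1/$n.pem" -pubout -out "$1/$n.pub"
  done
}

# Sender: random data and MAC keys, enc(1) in streaming CTR mode with -K/-iv
# (so no password KDF and no "Salted__" header), both keys wrapped to the
# recipient's public key, then an HMAC over the ciphertext signed by the sender.
encrypt_stream() {                                 # $1 = workdir, $2 = plaintext
  d=$1
  openssl rand -hex 32 > "$d/data.key"             # AES-256 key, hex
  openssl rand -hex 32 > "$d/mac.key"              # HMAC-SHA256 key, hex
  openssl rand -hex 16 > "$d/iv"                   # 128-bit CTR IV, hex
  openssl enc -aes-256-ctr -K "$(cat "$d/data.key")" -iv "$(cat "$d/iv")" \
    -in "$2" -out "$d/ct"
  cat "$d/data.key" "$d/mac.key" > "$d/keys"       # line 1: data key, line 2: MAC key
  openssl pkeyutl -encrypt -pubin -inkey "$d/recipient.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$d/keys" -out "$d/keys.wrapped"
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$d/mac.key")" \
    -binary -out "$d/ct.mac" "$d/ct"               # encrypt-then-MAC over the ciphertext
  openssl dgst -sha256 -sign "$d/sender.pem" -out "$d/ct.mac.sig" "$d/ct.mac"
}

# Recipient: unwrap the keys, verify the sender's signature on the MAC and the
# MAC over the ciphertext, and only then stream-decrypt with enc(1).
# Returns non-zero (and writes no plaintext) if any check fails.
decrypt_stream() {                                 # $1 = workdir, $2 = output
  d=$1
  openssl pkeyutl -decrypt -inkey "$d/recipient.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/keys.wrapped" -out "$d/keys.out" &&
  openssl dgst -sha256 -verify "$d/sender.pub" -signature "$d/ct.mac.sig" \
    "$d/ct.mac" >/dev/null &&
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(sed -n 2p "$d/keys.out")" \
    -binary -out "$d/ct.mac.chk" "$d/ct" &&
  cmp -s "$d/ct.mac" "$d/ct.mac.chk" &&
  openssl enc -d -aes-256-ctr -K "$(sed -n 1p "$d/keys.out")" -iv "$(cat "$d/iv")" \
    -in "$d/ct" -out "$2"
}
```

The MAC is checked over the ciphertext before any plaintext is produced, so a truncated or modified stream is rejected rather than partially decrypted.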
