[openssl-users] Smartcard cert used for encrypt\decrypt

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Jan 31 21:46:11 UTC 2019

On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <openssl-users-bounces at openssl.org on behalf of antiac at gmail.com> wrote:


    > Does anybody know how to use the smartcard to encrypt and decrypt files?


A smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In general, you'd need a hybrid scheme - generate a random symmetric key, encrypt the file with that symmetric key, and encrypt this symmetric key itself with an appropriate public key from the smartcard. Decryption would be the reverse: with the smartcard (using the private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL to decrypt the file.


Here's an example, which I hope would be useful, as it shows how to use OpenSSL to encrypt and decrypt data (like symmetric keys – short). It uses OpenSC as the PKCS#11 library, libp11 as the PKCS#11 engine/interface to OpenSSL, p11-kit to allow URIs for objects on the smartcard, and OpenSSL itself:




# Settings for US DoD CAC smartcard





# Generate a random text file (TEXTFILE is the name used by the enc commands below)

TEXTFILE=textfile.txt

openssl rand -out ${TEXTFILE} -hex 600



# Generate random symmetric key

KEY=`openssl rand -hex 32`

# Generate random IV for file encryption

IV=`openssl rand -hex 16`


# Encrypt symmetric key to token RSA KEY MAN Key (hex is converted to raw bytes first)

echo $KEY | xxd -r -p | openssl pkeyutl -engine pkcs11 -keyform engine -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -out encrypted.key.enc

# Encrypt file with above symmetric key and IV

openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc -K ${KEY} -iv ${IV}


# Decrypt symmetric key on the token (reads the file written by the encrypt step)

KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -in encrypted.key.enc | xxd -p -c 200`

# Decrypt the file

openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec -K ${KEY2} -iv ${IV}






    Hi Boyd,


    there are many ways to encrypt/decrypt with a smartcard but since you

    wrote to the list of OpenSSL I answer you how to do with OpenSSL.

    In the meantime you need two other pieces of software, in addition to openssl,

    the engine and the pkcs11 library.

    A step-by-step guide can be found here:





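Added example (not part of the original message or of any project's code): the hybrid scheme described in the reply, generalised so that the IV travels with the ciphertext and an HMAC-SHA256 over IV and ciphertext is checked before decryption, since AES-256-CFB alone gives no integrity protection. It assumes a software RSA key pair in PEM files standing in for the smartcard keys; the function names seal, unseal, hmac_hex and demo are hypothetical.

```shell
# Added example: a software RSA key pair stands in for the smartcard keys.
# seal, unseal, hmac_hex and demo are hypothetical helper names.

hmac_hex() {   # $1 = hex MAC key; data on stdin; prints the HMAC-SHA256 in hex
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# seal PUBKEY INFILE PREFIX -> PREFIX.keys (RSA-OAEP), PREFIX.iv, .enc, .mac
seal() {
    key=$(openssl rand -hex 32)
    mackey=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    # Wrap both keys (as hex text, 129 bytes) under the public key
    printf '%s %s' "$key" "$mackey" | openssl pkeyutl -encrypt -pubin \
        -inkey "$1" -pkeyopt rsa_padding_mode:oaep -out "$3.keys"
    printf '%s' "$iv" > "$3.iv"      # the IV is not secret; keep it with the file
    openssl enc -aes-256-cfb -e -in "$2" -out "$3.enc" -K "$key" -iv "$iv"
    # Encrypt-then-MAC over IV and ciphertext
    cat "$3.iv" "$3.enc" | hmac_hex "$mackey" > "$3.mac"
}

# unseal PRIVKEY PREFIX OUTFILE; fails without writing OUTFILE if the MAC is wrong
unseal() {
    keys=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.keys") || return 1
    key=${keys% *}
    mackey=${keys#* }
    [ "$(cat "$2.iv" "$2.enc" | hmac_hex "$mackey")" = "$(cat "$2.mac")" ] ||
        { echo "MAC mismatch, refusing to decrypt" >&2; return 1; }
    openssl enc -aes-256-cfb -d -in "$2.enc" -out "$3" -K "$key" -iv "$(cat "$2.iv")"
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-in for the token key pair and a constructed sample file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/prk.pem" 2>/dev/null
    openssl pkey -in "$d/prk.pem" -pubout -out "$d/pubk.pem"
    openssl rand -hex 600 > "$d/textfile.txt"
    seal "$d/pubk.pem" "$d/textfile.txt" "$d/msg" || return 1
    unseal "$d/prk.pem" "$d/msg" "$d/textfile.dec" || return 1
    cmp -s "$d/textfile.txt" "$d/textfile.dec" || return 1
    printf 'X' >> "$d/msg.enc"       # simulate a modified ciphertext
    if unseal "$d/prk.pem" "$d/msg" "$d/bad.dec" 2>/dev/null; then return 1; fi
    [ ! -e "$d/bad.dec" ] || return 1
    rm -rf "$d"
}
demo && echo "round trip ok, tampered ciphertext rejected"
```

With a token, the two pkeyutl calls would take the -engine pkcs11 -keyform engine options and the key URIs shown in the message instead of PEM files.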