Secure Data with Asymmetric Encryption

TL;DR

This guide shows you how to encrypt user data using asymmetric encryption (public/private key pairs). This means each user has their own keys, and only they can decrypt the data intended for them. We’ll cover generating keys, encrypting data, and decrypting it – all with practical examples.

Generating Key Pairs

  1. Choose an Algorithm: RSA is a common choice, and the OpenSSL command-line tool can generate the key pair.
    openssl genrsa -out private.pem 2048

    This creates a 2048-bit RSA private key file named ‘private.pem’.

  2. Extract the Public Key: You need both keys, but share only the public one.
    openssl rsa -in private.pem -pubout -out public.pem

    This creates a public key file named ‘public.pem’.

  3. Secure Storage: Keep your private key extremely safe! Never share it.

Encrypting Data

  1. Get the Recipient’s Public Key: You need the public key of the user you want to send data to.
  2. Use OpenSSL for Encryption:
    openssl rsautl -encrypt -inkey public.pem -pubin -in message.txt -out encrypted.enc

    Replace ‘public.pem’ with the recipient’s public key file and ‘message.txt’ with your data file. Note that rsautl is deprecated as of OpenSSL 3.0 in favour of pkeyutl, which accepts the same key files.

  3. File Format: The output (‘encrypted.enc’) will be in a binary format.

Decrypting Data

  1. Use OpenSSL for Decryption: You need your private key.
    openssl rsautl -decrypt -inkey private.pem -in encrypted.enc -out decrypted.txt

    Replace ‘private.pem’ with your private key file and ‘encrypted.enc’ with the encrypted data file.

  2. Verify Decryption: Check that ‘decrypted.txt’ contains the original message.

Important Considerations

  • Key Length: 2048 bits is generally considered secure for RSA, but consider 3072 or 4096 bits for higher security.
  • Padding Schemes: Use appropriate padding schemes (e.g., OAEP) with OpenSSL to prevent attacks. rsautl defaults to PKCS#1 v1.5 padding; OAEP is selected with the -oaep flag, and the same flag must be given when decrypting:
    openssl rsautl -encrypt -inkey public.pem -pubin -in message.txt -out encrypted.enc -oaep
  • Hybrid Encryption: Asymmetric encryption is slow, and a single RSA operation can only encrypt data shorter than the key modulus (a 2048-bit key caps one input at a few hundred bytes). For anything larger, use a hybrid approach:
    • Generate a random symmetric key (e.g., AES).
    • Encrypt the data with the symmetric key.
    • Encrypt the symmetric key with the recipient’s public key.
    • Send both the encrypted data and the encrypted symmetric key.
  • Security Best Practices: Regularly rotate keys, store private keys securely (e.g., using a Hardware Security Module – HSM), and follow secure coding practices.
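The full procedure above (key generation, encryption, decryption and verification) combined with the hybrid scheme, as an added shell example that is not part of the original post. It assumes only an openssl binary (1.1 or 3.x) on PATH; it uses pkeyutl rather than the deprecated rsautl, wraps a random AES-256 key with RSA-OAEP/SHA-256, and the function names, file names and sample message are constructed for this example.

```sh
#!/bin/sh
# Hybrid encryption with the OpenSSL CLI (added example, not from the original post).
# Assumes an `openssl` binary (1.1 or 3.x) on PATH. Uses pkeyutl, the
# non-deprecated successor of rsautl, with RSA-OAEP/SHA-256 key wrapping.
set -eu

WORK=$(mktemp -d)            # scratch directory for keys and files
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair: the private key stays with the recipient, the public key is shared.
gen_keys() {
    openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
    chmod 600 "$WORK/private.pem"   # private key readable by its owner only
}

# 2. Sender side: fresh random AES-256 key and IV, data encrypted symmetrically,
#    then the AES key (and IV) wrapped with the recipient's public key using OAEP.
#    $1 = plaintext file, $2 = recipient public key, $3 = output prefix
hybrid_encrypt() {
    key=$(openssl rand -hex 32)   # 256-bit AES key, hex for -K
    iv=$(openssl rand -hex 16)    # 128-bit CBC IV, hex for -iv
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$1" -out "$3.enc"
    # Bundle key and IV so the recipient unwraps both in one RSA operation;
    # the bundle is far below the OAEP size limit for a 2048-bit key.
    printf '%s:%s' "$key" "$iv" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$3.key"
}

# 3. Recipient side: unwrap the AES key with the private key (same OAEP
#    parameters as the sender), then decrypt the bulk data.
#    $1 = output prefix from hybrid_encrypt, $2 = private key, $3 = plaintext out
hybrid_decrypt() {
    bundle=$(openssl pkeyutl -decrypt -inkey "$2" -in "$1.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
    key=${bundle%%:*}
    iv=${bundle#*:}
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$1.enc" -out "$3"
}

# 4. End-to-end check: succeeds (exit 0) only when the decrypted file
#    matches the original constructed sample message.
roundtrip() {
    gen_keys
    printf 'constructed sample message\n' > "$WORK/message.txt"
    hybrid_encrypt "$WORK/message.txt" "$WORK/public.pem" "$WORK/encrypted"
    hybrid_decrypt "$WORK/encrypted" "$WORK/private.pem" "$WORK/decrypted.txt"
    [ "$(cat "$WORK/message.txt")" = "$(cat "$WORK/decrypted.txt")" ]
}

# Failure-mode check: unwrapping the AES key with a different private key
# must be rejected by the OAEP check (exit 0 here means it was rejected).
wrong_key_rejected() {
    openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null
    ! openssl pkeyutl -decrypt -inkey "$WORK/other.pem" -in "$WORK/encrypted.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 >/dev/null 2>&1
}

roundtrip && echo "round trip OK"
```

Run it as a script; roundtrip succeeds only when the decrypted file equals the original. One caveat a practitioner should keep in mind: openssl enc with AES-CBC provides confidentiality but no integrity check, so a tampered .enc file decrypts to garbage or a padding error rather than being rejected outright. A production design should use an authenticated mode such as AES-GCM from a crypto library, or add an HMAC over the ciphertext that is verified before decryption.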