Use openssl to create public key and private key

Generally speaking, currently digital encryption methods can be divided into two main categories, symmetric encryption and asymmetric encryption.

For symmetric encryption, the same key is used for encryption and decryption. The encryption methods are AES, DES, RC4, BlowFish, etc.; On the contrary, asymmetric encryption uses different keys for encryption and decryption, which are called public keys or private keys. The encryption methods of asymmetric encryption include RSA, DSA, Diffie-Hellman, etc.

This post will introduce the workflow of asymmetric encryption with the tool openssl.


OpenSSL is an open source project that provides a relatively complete implementation of the Transport Layer Security (TLS) and Secure Sockets (SSL) protocols. At the same time, it is also committed to building itself as a general cryptography tool set. Including:

  • libssl: Provides server-side and client-side implementations of SSL (including SSLv3) and TLS.
  • libcrypto: general cryptography library and support for X.509
  • openssl: a versatile command line tool

OpenSSL installation

On Mac we can install the openssl like brew install openssl.

Linuxs users can refer to this article to install

Windows users can refer to this article to install

Step 1: Create private key

Create simple private key

For asymmetric encryption, first thing we need to do is to create a private key. Here we are using RSA algorithm.

# create a private key (private.pem) with 1024 bits long
openssl genrsa -out private.pem 1024

P.S: 1024 means the size of the private key. we can use 512, 1024, 2048 and etc.

Create a private key with encrpytion

So far we have generated a private key with plain text in it. Also we can use another encrpytion algorithm to encrypt the private key so as to protect it, here we are using the aes256 to encrpyt with a password

openssl genrsa -aes256 -passout stdin -out private.pem 1024
openssl genrsa -aes256 -passout file:passwd.txt  -out private.pem 1024
openssl genrsa -aes256 -passout pass:my_password -out private.pem 1024

P.S: 1024 aes256 requires 4 to 1023 characters as the password

Check the private key we just created:

openssl rsa -text -in private.pem

Step 2: Create public key

After we have the private key, we can create the corresponding private key:

openssl rsa -in private.pem -pubout -out public.pem

Step 3: Use the public key to encrypt the content

Suppose we have a file named content.txt, we can encrypt it using the above public key:

openssl rsautl -encrypt -pubin -inkey public.pem -in content.txt -out content.txt.encrypt

# content of content.txt
some content

# content ofcontent.txt.encrypt

Step 4: Use the private key to decrypt the content

openssl rsautl -decrypt -inkey private.pem -in content.txt.encrypt -out content.txt.decrypt

# content.txt.decrypt
some content

Work with symmetric encryption

Although public and private key encryption is working very well, the disadvantage of asymmetric encryption is obvious: the speed of encryption and decryption is much slower than that of symmetric encryption. In some extreme cases, it can even be thousands of times slower than asymmetric encryption. In addition, due to the RSA algorithm itself, if the key is n bits, then the encrypted information capacity cannot be greater than (n-11) bits. Therefore, symmetric encryption is usually used for the encrypted transmission of large files, and we only use asymmetric encryption to encrpyt and descrpyt the key.

# 1
openssl rand -base64 128 -out aeskey.txt
# 2
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.aesenc -pass file:aeskey.txt
# 3
openssl enc -d -aes-256-cbc -in file.txt.aesenc -out file.txt.aesdec -pass file:aeskey.txt

1, We need to generate a key/password which symmetric encryption (AES 256 CBC) algorithm can use to encrpyt/descrpyt. Here it named aeskey.txt contains the key/password randomly generated by openssl
2, Use AES 256 CBC algorithm to encrpyt the large file content, it can be any file type, text or binary.
3, Client will receive the aeskey.txt key file through asymmetric encryption and decrypt the file.txt.aesdec to get the content.


comments powered by Disqus