# Encrypt using SSH Key Pair

By Zachary Huang

Under some circumstances you might want to send classified messages or files to other users. Openssl library provides us a fast and easy way to encrypt these documents. Before encrypting, a key pair is required. This article will be talking about how to produce encryptions using exist key pairs. For more knowledge, you can refer to previous article on this blog.

# Creating SSH Key Pair

Before we start talking about encryption and decryption, we need something more fundamental. Ｗe need to create our own key pairs.

`ssh-keygen -t rsa`

Doing this gives you 2 files, id_rsa and id_rsa.pub, which are your private key and public key, respectively. They are your RSA key pair. Among two files, you must preserve your private key carefully, or this whole encryption thing will not be secured anymore, which loses its very own purpose. On the other side, you can now send your public key to others so they can encrypt messages for you.

Now, assume you received someone else’s public key. You want to send him/her a secret message, let’s say, a love letter, and of course you don’t want anyone else to read it, or you might die of embarrassment.

# Encryption

To encrypt files, we can use openssl rsa library. By default, ssh-keygen generates key in OpenSSH format that is not very friendly to openssl. It needs some before processing. Transform the public key into PKCS8 format. There are 2 ways to do this

`1. OpenSSH -> PKCS8`

ssh-keygen -e -f ./id_rsa.pub -m PKCS8 > ./id_rsa.pub.pkcs8

or

`2. OpenSSH -> PKCS1 -> PKCS8`

ssh-keygen -e -f ./id_rsa.pub -m pem > id_rsa.pub.pem

openssl rsa -in id_rsa.pub.pem -RSAPublicKey_in -pubout > id_rsa.pub.pkcs8

Now using the PKCS8 file, we can encrypt by doing

`openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in LoveLetter.txt -out LoveLetter.txt.enc`

However, we usually don’t do this. Despite being well-secured, there are several disadvantages for RSA algorithm. Being an asymmetric cryptography, RSA is much slower on performance. Most importantly, RSA can only encrypt files of the same size as its key size. By default, ssh-keygen creates a 2048 bits key pair. This implies that our target file cannot be longer than 2048 bits. Which means that our love letter here cannot be longer than approximately 256 letters. That would be about 3 sentences. Not a very efficient way to express feelings.

We can do this in an alternative way. Openssl provides us other cryptography algorithm, one of which is AES. Though we will not talk about the details in this article, all we have to know is that as a symmetric cryptography, AES is a good choice when dealing with large files. Now we change our plan a little tiny bit. Instead of encrypting directly with RSA, we first encrypt our target with AES.

Generate a symmetric AES key

`openssl rand 32 -out secret_key // this will be a 32x8 = 256 bits key`

Encrypt using our new AES key

`openssl aes-256-cbc -in LoveLetter.txt -out LoveLetter.txt.enc -pass file:secret_key`

Note that the secret key generated should only be use this one time. Now, as we have done before, we encrypt with RSA. But this time, encrypt the key instead

`openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pkcs8 -in secret_key -out secret_key.enc`

After everything is settled, send the encrypted LoveLetter along with the encrypted secret_key to your friend, and tell him/her to follow the instructions below to decrypt.

# Decryption

STEP 1. Find their private key.

STEP 2. Decrypt the secret_key with private key

`openssl rsautl -decrypt -ssl -inkey id_rsa -in secret_key.enc -out secret_key`

STEP 3. Decrypt the message with the secret_key

`openssl aes-256-cbc -d -in LoveLetter.txt.enc -out LoveLetter.txt -pass file:secret_key`

STEP 4. Enjoy the message

In this article, I use RSA key pair as the key of AES key to solve the problem of key size limitation. Of course, this is just one of many possible solutions. I hope this help.