RSA key generation and file encryption using OpenSSL

Ivan Molina Rebolledo

(The following notes were made as a self-guide for a U. class (Network Security), I usually use GPG for this, hehe. Everything in this document was taken from the man pages of OpenSSL)

First step: RSA private key generation. We use the following command:

openssl genrsa -out id_rsa 3072


This command is requesting an RSA 3072 bits key, without private key encryption (which can be enabled using a symmetric algorithm, i.e. -aes128, -des, -des3). Since we aren't using additional encryption, we don't need to provide a password. In practice, we should use the additional security provided.

The key will be generated:

[email protected] Practica 3 % openssl genrsa -out id_rsa 3072
Generating RSA private key, 3072 bit long modulus
.......................................................................++
....................................................................................++
e is 65537 (0x10001)
[email protected] Practica 3 %


It should look like this:

-----BEGIN RSA PRIVATE KEY-----
SFKFMSFK ... (output omitted for brevity) ... SFJFSKSFSKF
-----END RSA PRIVATE KEY-----


For public key generation, we use the OpenSSL subcommand pkey:

openssl pkey -in id_rsa -pubout -out id_rsa.pub


Ok, bear with me. This command can do a lot of things, including ciphering our previous «exposed» private key. But, we just need a public key, so we'll use it to generate one from the private key. Just keep in mind that we are using the parameter -pubout to request our public key.

Which should look like this:

[email protected] Practica 3 % cat id_rsa.pub
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxPShSYluH29Vw7GdP77B
D4QR7wRFCjS99RGXFifpt5PVyjtqmR3F9jrKy2GM78hnrkbsmEKjN4I2vE6jUcah
PdNL3iEdjeqzyXhTHWQ+drRlDperRGnjqJgHDL0in1My+bnTBOjcSIk6wljv4r0q
FkzaQXNMjzPvJXkBzJ9WRFbmXEtjAIyRCVj1phBs+jEfdqSrDLyT3RMk1SAw9F8H
dth+XGQF04LRTnfbYYmb3R6ZaJdkgLkxd8YB7tNuuWOr6izcvjyEAErPYCJqLLWS
3k2U2bs7wtu6QcM5+bbZ4+PGbNc+siUsc6AU8WHQDjO/jIIcwoya1iNNO5a+RWFe
Pxe7DP1/i/bHX2z4fQu7HunAnLB8nUBeGaO5fdHTs0wkeEGasE32KbG4BQ1fX2Xk
D5fAgwSGghmgMCSfeVp6gc7d6rhnsBS1GY4MzgXmUZEfAgMBAAE=
-----END PUBLIC KEY-----
[email protected] Practica 3 %


And we are done generating our private and public key!

Encrypting a file

For this we are going to use pkeyutl:

openssl pkeyutl -encrypt -in File -pubin -inkey id_rsa.pub -out FileCrypt


We ask OpenSSL's pkeyutl to encrypt our file -in File using the id_rsa.pub (-pubin -inkey id_rsa.pub) public key. The result will be stored at FileCrypt.

Decryption can be done with the same subcommand:

openssl pkeyutl -decrypt -in FileCrypt -inkey id_rsa


In this case we omit the -pubin parameter since we aren't using a public key since we need our private key to decrypt files (id_rsa). I've chosen to omit the -out to just get the result in the standard output; you can use it if you want to.

[email protected] Practica 3 % openssl pkeyutl -decrypt -in Test -inkey id_rsa
Iván Molina Rebolledò
[email protected] Practica 3 %


That's all!

Need more help? Fear no more:

man openssl


(Just a quick note about the manpages: in macOS, all the subcommand are included with the openssl manpage, but that's not the case for other unixes. In Ubuntu, you have to request the manpage for a specific subcommand like this: man enc, for openssl enc`.)