This post explains a method to encrypt bulk data with a public password (known to everyone) where the encrypted data can only be decrypted with a secret password.
But let's first look at a simpler encryption method that uses one password for both encryption and decryption. For example, 7-Zip can compress files and also encrypt them.
Alice wants to send a file to Bob via email, but she does not want Eve to be able to read it. Alice uses 7-Zip to encrypt the file with a password ("P@ssw0rd"). The encrypted file contains garbled data; as long as Eve does not know the password, the email can travel safely over the Internet, and once Bob has received it he can reverse the encryption of the file using the same password.
Figure: Symmetric encryption
Alice must tell Bob the password through a separate ("out-of-band") channel, e.g. an SMS or WhatsApp message. Sending the password via email is not a good idea because that would allow Eve to find out the password and decrypt the data. This encryption method is called "symmetric" encryption because the encryption and decryption passwords are the same. Its advantages are simplicity and speed, and it is well suited to the encryption of bulk data. The disadvantages are that Alice must know Bob and that the two of them need a secure method to convey the password.
It would be better if the encryption password differed from the decryption password. For example, Alice uses "pA55w0rd1" to encrypt the message and Bob uses "Th1sI5maiDecrpti0nP@ssword" to decrypt it. This method has several advantages. The encryption password can be published anywhere; anyone may know it. Also, Alice does not need to know Bob in advance, because only Bob knows the decryption password. If Eve sees the encrypted message, she still cannot decrypt the data, even if she has the encryption password.
Figure: Asymmetric encryption
Asymmetric encryption has a couple of disadvantages too. Without going into the nitty-gritty details, asymmetric encryption is slow and not suited to bulk encryption. But when we combine symmetric and asymmetric encryption, we can overcome the disadvantages of both methods and encrypt bulk data with a public password.
To combine asymmetric (OpenSSL) and symmetric (7-Zip) encryption, another password is used: a "Session Password". This password is used only once, can be long and complex, and can be generated automatically.
Let's now tie it all together. These are the steps to encrypt one set of data:
- Generate a Session Password
- ZIP and encrypt the bulk data with the Session Password (7-Zip)
- Encrypt the Session Password with the public password, creating a small file with the encrypted Session Password (OpenSSL).
- Send both the encrypted bulk data ZIP file and the encrypted Session Password file to Bob
Once Bob receives the two files he does:
- Decrypt the Session Password with his private password
- Unzip and decrypt the bulk data with the Session Password
Preparations:
- Download and install OpenSSL. Note the location of its "bin" folder.
- Install 7-Zip. Note the installation folder.
One time only: create the public password and Bob's decryption password:
set OpenSSLdir=c:\Scripts\OpenSSL-Win32\bin
set OpenSSL="%OpenSSLdir%\openssl.exe"
::--- Bob's decryption password is a 4096-bit RSA private key...
%openssl% genrsa -out BobsPasswords.pem 4096
::--- ...and the public password is the matching public key extracted from it
%openssl% rsa -in BobsPasswords.pem -out BobsPublicPassword.pem -outform PEM -pubout
Now you will have two files:
BobsPasswords.pem
BobsPublicPassword.pem
IMPORTANT: move the file BobsPasswords.pem to a memory stick and delete it from the hard disk.
This is a script to compress and encrypt a folder (and its subfolders). Save as "ZipEncrypt.bat":
@echo off
cls
echo.
if %1.==. (
echo *** Use: ZipEncrypt {folder}
goto :EOF
)
if not exist %1\ (
echo *** Folder %1\ not found.
goto :EOF
)
::--- Create SessionPassword: 32 random bytes from OpenSSL, printed as 64 hex characters...
echo.
echo *** Create SessionPassword...
set OpenSSLdir=c:\Scripts\OpenSSL-Win32\bin
set OpenSSL=%OpenSSLdir%\openssl.exe
for /f "usebackq tokens=* delims=" %%I IN (`%OpenSSL% rand -hex 32 2^>nul`) DO set SessionPassword=%%I
::--- Filename randomization (so several backups in %TEMP% do not overwrite each other)...
set RND=%RANDOM%
echo.
echo *** Filename randomization number: %RND%
::--- Compress and Encrypt folder: -r recurses into subfolders, -v100m splits into 100MB volumes,
::--- -p sets the archive password (note: a password on the command line is visible to other local processes)...
echo.
echo *** Compressing and Encrypting the backup...
"C:\Program Files\7-Zip\7z.exe" a -bb1 -mx=3 -v100m -r -bd -p%SessionPassword% "%TEMP%\AsymmetricBackup%RND%_data.7z" "%1\*"
::--- Encrypt SessionPassword with BobsPublicPassword.pem; the password is piped to stdin without a trailing newline.
::--- (rsautl is deprecated in OpenSSL 3.x, where "pkeyutl -encrypt" performs the same operation.)
echo.
echo *** Encrypting the SessionKey...
<nul set /p=%SessionPassword%|"%OpenSSL%" rsautl -encrypt -inkey "c:\scripts\BobsPublicPassword.pem" -pubin -out "%TEMP%\EncryptedSession-%RND%.Key"
::--- List result...
echo.
echo *** Folder: %temp%
echo *** These are all the files of this backup:
dir "%TEMP%\*%RND%*.*" | findstr %RND%
This is an example output of the script:
Note: when the backup is larger than 100MB, 7-Zip splits it into volumes of 100MB (104,857,600 bytes) each.
When Bob receives the bulk ZIP file and the encrypted SessionPassword, he has to:
1. Decrypt the SessionPassword with his decryption password. I assume that the memory stick with Bob's decryption password is drive H:
"c:\Scripts\OpenSSL-Win32\bin\openssl.exe" rsautl -decrypt -inkey H:\BobsPasswords.pem -in EncryptedSession-29981.Key -out SessionPassword.key
2. Unzip and decrypt the bulk ZIP file with the SessionPassword
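As an added example (not a script from the original post), here is a companion "ZipDecrypt.bat" that performs Bob's two steps in one go. It assumes the same OpenSSL and 7-Zip paths as ZipEncrypt.bat, the private key on drive H: as above, and that the backup volumes and the .Key file were copied into the current folder.

```batch
@echo off
:: ZipDecrypt.bat - added example, not the original post's script.
:: Use: ZipDecrypt {randomization number} {output folder}
:: Assumes: OpenSSL under c:\Scripts\OpenSSL-Win32\bin, BobsPasswords.pem on H:,
:: and AsymmetricBackup<RND>_data.7z* plus EncryptedSession-<RND>.Key in the current folder.
if %2.==. (
echo *** Use: ZipDecrypt {randomization number} {output folder}
goto :EOF
)
set RND=%1
set OutDir=%2
set OpenSSL=c:\Scripts\OpenSSL-Win32\bin\openssl.exe
set KeyFile=EncryptedSession-%RND%.Key
set FirstVolume=AsymmetricBackup%RND%_data.7z.001
if not exist "%KeyFile%" (
echo *** Encrypted session key %KeyFile% not found.
goto :EOF
)
::--- A split backup starts at .7z.001; fall back to a single .7z archive if there are no volumes...
if not exist "%FirstVolume%" set FirstVolume=AsymmetricBackup%RND%_data.7z
if not exist "%FirstVolume%" (
echo *** Backup archive for %RND% not found.
goto :EOF
)
::--- Step 1: decrypt the SessionPassword with the private key on the memory stick...
echo *** Decrypting the SessionPassword...
"%OpenSSL%" rsautl -decrypt -inkey H:\BobsPasswords.pem -in "%KeyFile%" -out "%TEMP%\SessionPassword-%RND%.key"
if errorlevel 1 (
echo *** Decryption failed: wrong private key or damaged key file.
goto :EOF
)
::--- Read the recovered password into a variable and remove the plaintext file right away...
set /p SessionPassword=<"%TEMP%\SessionPassword-%RND%.key"
del "%TEMP%\SessionPassword-%RND%.key"
::--- Step 2: extract the backup; 7-Zip follows .002, .003, ... from the first volume automatically...
echo *** Extracting the backup into %OutDir%...
"C:\Program Files\7-Zip\7z.exe" x -y -p%SessionPassword% -o"%OutDir%" "%FirstVolume%"
if errorlevel 1 echo *** Extraction failed: wrong SessionPassword or missing volume.
::--- Clear the password from the environment of this cmd session
set SessionPassword=
```

Run it as ZipDecrypt 29981 D:\Restore to restore the backup whose files carry the randomization number 29981, as in the step 1 command above.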