• OPENSSL


    Typing openssl followed by any invalid option prints the list of available commands.

    [root@station51 ~]# openssl -
    openssl:Error: '-' is an invalid command.
    # Standard commands
    Standard commands
    asn1parse ca (commonly used) ciphers cms
    crl crl2pkcs7 dgst dh
    dhparam dsa dsaparam ec
    ecparam enc (commonly used) engine errstr
    gendh gendsa (commonly used) genpkey genrsa
    nseq ocsp passwd pkcs12
    pkcs7 pkcs8 pkey pkeyparam
    pkeyutl prime rand req (commonly used)
    rsa rsautl s_client s_server
    s_time sess_id smime speed
    spkac ts verify version
    x509
    # Message digest commands
    Message Digest commands (see the `dgst' command for more details)
    md2 md4 md5 rmd160
    sha sha1
    # Encryption and decryption commands
    Cipher commands (see the `enc' command for more details)
    aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
    aes-256-cbc aes-256-ecb base64 bf
    bf-cbc bf-cfb bf-ecb bf-ofb
    camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
    camellia-256-cbc camellia-256-ecb cast cast-cbc
    cast5-cbc cast5-cfb cast5-ecb cast5-ofb
    des des-cbc des-cfb des-ecb
    des-ede des-ede-cbc des-ede-cfb des-ede-ofb
    des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
    des-ofb des3 desx idea
    idea-cbc idea-cfb idea-ecb idea-ofb
    rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
    rc2-cfb rc2-ecb rc2-ofb rc4
    rc4-40 seed seed-cbc seed-cfb
    seed-ecb seed-ofb zlib

    Symmetric encryption:

    Tools: openssl enc, gpg
    Supported algorithms: 3des, aes, blowfish, twofish


    Encryption:

    # Using the /etc/fstab file as the example
    [root@station51 ~]# cd /etc
    [root@station51 etc]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
    enter des-ede3-cbc encryption password:
    Verifying - enter des-ede3-cbc encryption password:
    [root@station51 etc]# cat fstab.ciphertext
    U2FsdGVkX1/C0Rj1Zt+/RbCihTNFSlIW/JQ0fds493+tVA1E972inpvhi7/Oi50v
    9vjYfse07fyZgBf2hQALx57j+Bl/8gZoQofs8tTj2uMYqpAiePeDYzKAoXFG+XSf
    7bkDnlw3akbD6FGnbF0UblcD90Dz6+OSDQ01/xkIJZFfymwvW0YesKBWzK38dbp7
    IW3Hi8LRSs17ND4UHhLP24TQfbEDqure21Zuo3GqOnHa5IhKOtfm1vYePd5fHN/o
    miYvjpayk8tsLdBTO8pL/Z5Fi07DR9FywhxQ7pdpKQD3wiMm79pIqBm2ZktuQ2cw
    uK4BwSv0wqeAQiBgAWSAUSijcQ+mC4lh9SI8GwYxyyDRHH06J2mzqnyN7vXesaj6
    R3gqbwIK9wDQmXE+j/kahMlzP80WIPvPlJdpJMMPMriv7dW55b3AvZ4AJ+D1jmSF
    NxctZ+sng18h4nd/f2Ko3bHMdSnDEQzwmUfYKiIEygUlwg8c8HRySp7Q30gDyzy+
    k5Q5kjOgSRZEvvCutIxDTwPiZ0Ssapw1Y3UMAc7TdlOuzZxU/3JSU7R31r6jAc4w
    LQTLzflfEe1bGH5FLkWUg+9B8jZozHp/7EmnMgxi888r3z3JF+qO8K8XdkQSrN2p
    xbjkdYPCmwhun19XViHMeyFctItbqL8KGzOyGSBbhzq+uE4Qeruu+ogf8EQRzcyG
    utfE+Rzcvc71WKk2uinIcMG6DsUmKtmvd5gJtVBVhWq4s2JVJ8t/CbHS+8ZUs35a
    F7eNfUnSae1P2jN/Cad8FwtRClCGTIxGR+g9un76wbscFYR3OLO51w==
    [root@station51 etc]#

    Explanation:

    openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
    openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab
    -e  encrypt   <-->   -d  decrypt
    -des3  use the des3 encryption algorithm
    -a  write the encrypted content in text (Base64) form
    -salt  add a random salt during encryption
    -in  the file to encrypt
    -out  where to write the encrypted file
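
An added example (not from the original page) that runs the encrypt/decrypt pair above non-interactively and shows what `-salt` does: two encryptions of the same file differ, and both start with `U2FsdGVkX1`, the Base64 form of the `Salted__` header visible in the ciphertext above. The function names, passphrase and sample text are constructed; `-aes-256-cbc` is swapped in for the page's `-des3`, and `-pbkdf2` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: function names, passphrase and sample text are constructed.
# -aes-256-cbc replaces the page's -des3; -pbkdf2 needs OpenSSL 1.1.1 or later.

# enc_file IN OUT: encrypt IN to Base64 text, passphrase taken from $ENC_PASS
enc_file() {
    openssl enc -e -aes-256-cbc -pbkdf2 -a -salt -pass env:ENC_PASS -in "$1" -out "$2"
}

# dec_file IN OUT: the salt is read back from the file header during decryption
dec_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass env:ENC_PASS -in "$1" -out "$2"
}

# salt_header FILE: first 10 Base64 characters, which encode the "Salted__" magic
salt_header() {
    head -n 1 "$1" | cut -c1-10
}

# Returns 0 when two encryptions of one file differ, both carry the salt
# header, and decryption restores the original bytes.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$dir/plain"
    ENC_PASS='constructed-passphrase'; export ENC_PASS
    enc_file "$dir/plain" "$dir/c1" && enc_file "$dir/plain" "$dir/c2" || return 1
    rc=0
    [ "$(salt_header "$dir/c1")" = "U2FsdGVkX1" ] || rc=1
    [ "$(salt_header "$dir/c2")" = "U2FsdGVkX1" ] || rc=1
    cmp -s "$dir/c1" "$dir/c2" && rc=1   # identical output would mean no fresh salt
    dec_file "$dir/c1" "$dir/out" && cmp -s "$dir/plain" "$dir/out" || rc=1
    rm -rf "$dir"
    return $rc
}

roundtrip_check && echo "salted round trip OK"
```
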
    

    One-way encryption (hashing):

    Tools: openssl dgst, md5sum, sha1sum, sha224sum, ...
    Supported algorithms: md2, md4, md5, rmd160, sha, sha1


    Computing a digest:

    [root@station51 etc]# openssl dgst -md5 /etc/fstab
    MD5(/etc/fstab)= ec48e5270ea9c035c72aa1519432af8c
    [root@station51 etc]# md5sum /etc/fstab
    ec48e5270ea9c035c72aa1519432af8c /etc/fstab
    ···································································
    [root@station51 etc]# openssl dgst -sha1 /etc/fstab
    SHA1(/etc/fstab)= 43133334e56e2a58245cd0a9e5174f6bebe325a1
    [root@station51 etc]# sha1sum /etc/fstab
    43133334e56e2a58245cd0a9e5174f6bebe325a1 /etc/fstab

    Explanation:

    The dgst command:
        ~]# openssl  dgst  -md5  /PATH/TO/SOMEFILE
    

    Generating user passwords:

    Tools: passwd, openssl passwd
    
    [root@station51 etc]# openssl passwd -1 -salt 123456 hello
    $1$123456$HQ125.2GLsY4GcwH9Mm1P/
    [root@station51 etc]# openssl passwd -1 -salt 123456 hello
    $1$123456$HQ125.2GLsY4GcwH9Mm1P/
    [root@station51 etc]# openssl passwd -1 -salt 123456 helloworld
    $1$123456$jBay/ZlxBUiEX3gCH5Pba.
    [root@station51 etc]# openssl passwd -1 -salt 12345678 hello
    $1$12345678$SWwdAXyU/e6YSg8pQlz4D/
    [root@station51 etc]#

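    Explanation:

    Syntax: openssl  passwd  -1  -salt  SALT  PASSWORD
    With a salt you specify yourself: same salt and same string produce the same password hash, however many times it is run
    With a salt you specify yourself: same salt and a different string produce a different password hash
    With a salt you specify yourself: a different salt and the same string produce a different password hash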
    

    Generating random numbers:

    Tool: openssl  rand  TYPE  NUM
    
    [root@station51 etc]# openssl rand -hex 4
    2f1e3fb3
    [root@station51 etc]# openssl rand -base64 4
    HLmG0w==

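    Explanation:

    Syntax: openssl  rand  TYPE  NUM  (TYPE is the output encoding, -hex or -base64; NUM is the number of random bytes, so -hex 4 prints 8 hex characters)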
    

    Combining the two: generating a user password with a random salt

    [root@station51 etc]# openssl passwd -1 -salt $(openssl rand -hex 4) hello
    $1$874b43cc$yVoAMU.vR5/KJS5VXNDxG.
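
An added example, not from the original page, built on the salt rules and the `openssl rand` combination above: it hashes with a fresh random salt, then verifies a password by reading the salt back out of the stored `$1$SALT$DIGEST` string. Function names and passwords are constructed; the password is passed with `-stdin` rather than as an argument so it stays out of the process list.

```shell
#!/bin/sh
# Added example: function names and passwords are constructed for illustration.

# make_hash PASSWORD: MD5-crypt hash with a fresh 8-character random salt.
# The password goes through stdin so it does not appear in the process list.
make_hash() {
    salt=$(openssl rand -hex 4) || return 1
    printf '%s\n' "$1" | openssl passwd -1 -salt "$salt" -stdin
}

# hash_salt HASH: the salt is the third '$'-separated field of $1$SALT$DIGEST
hash_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# verify_hash HASH PASSWORD: recompute with the stored salt and compare.
# Same salt + same string gives the same hash, which is what makes this work.
verify_hash() {
    salt=$(hash_salt "$1")
    candidate=$(printf '%s\n' "$2" | openssl passwd -1 -salt "$salt" -stdin) || return 1
    [ "$candidate" = "$1" ]
}

stored=$(make_hash 'hello')
echo "stored:     $stored"
verify_hash "$stored" 'hello'      && echo "hello:      match"
verify_hash "$stored" 'helloworld' || echo "helloworld: no match"
```
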

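    Public-key encryption:

    Encryption and decryption:
        Algorithms: RSA, ElGamal
        Tools: openssl  rsautl, gpg
    Digital signatures:
        Algorithms: RSA, DSA, ElGamal
        Tools:
    Key exchange:
        Algorithms: DH


    Generating a private key: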

    [root@station51 /]# openssl genrsa -out mykey.key 1024
    Generating RSA private key, 1024 bit long modulus
    ........++++++
    ........++++++
    ........++++++
    e is 65537 (0x10001)
    [root@station51 /]# cat mykey.key
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDB2PBAFQGSVrHFnWBn1iAbwdZRRSIK9usxh3Tq0czeWraJCcqT
    YpHL9+I6U//fMUaNb57t/JphnnAsJ29ToTPtrf4y5y9xsbZpo7vnSSeBw1cUVsd0
    KIxnk9KT1dFW5X3lwo3DkNmgLIWGOB2R/nl5LYC4bnvHI7l+JIsU/8OHiwIDAQAB
    AoGAbWU5SGDSbzx/vK8w7ciYfDGq+lhSeu+YEW6JW8+kl0OISdP9v6lb8EjnIdWv
    y8xqLX11qobotPiOA00J9Z8+xwElSrvCK24HKdK85uWjU7RZhbGO2IzmAQFjYhhk
    cy2PK2J+9DQxbJ6pBofL1/bX6k/QRfFt8avZi1IMo9jM/dkCQQD7goyrng5gRuYs
    FsR66zScQSY/o5+upE5msRFQ6DWNXdlZ/xxOF6Pp/b9WVnbse13I9quSMlsJUocr
    WMOyEcC/AkEAxU7cFVcECEMOa/MCBUTFbUNybudY4jaT2OldSCeoPBjCoc+4O1jf
    lSTEZ7s3Q78uNvu7/TbX+soIwhYHevFgNQJBAIY0IQ+qJQ2mh0dbVrgoLUh7Uwd+
    LcSok9UkApNjdL/cJhBpmhbpcmN3LNPLC2YgZejIBsDZ8c3Fpa6xjKrF4k0CQQCd
    VG6Fzab3d5DuXw2Daf0LTTbYXD0x1Fc8JYkuWgD6OrwoDtxW5l0SLgk2tcAxkyak
    zUJvfOXnomYtbSd1zzbpAkBmGmzPrntM5O11x1dwMYg4XzHQoxdNaNmuJaq/jBVq
    0vy+wvkDn88goH7Wq99kcrUYz1zo7UcL8GA6aOjK1Y9Y
    -----END RSA PRIVATE KEY-----

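    Explanation:

    Generate a private key: ~]# openssl  genrsa  -out  mykey.key  1024
    Extract the public key: ~]#  openssl  rsa  -in  mykey.key  -pubout


    Extracting the public key:

    Prints only the public key, not the private key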
    
    [root@station51 /]# openssl rsa -in mykey.key -pubout
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB2PBAFQGSVrHFnWBn1iAbwdZR
    RSIK9usxh3Tq0czeWraJCcqTYpHL9+I6U//fMUaNb57t/JphnnAsJ29ToTPtrf4y
    5y9xsbZpo7vnSSeBw1cUVsd0KIxnk9KT1dFW5X3lwo3DkNmgLIWGOB2R/nl5LYC4
    bnvHI7l+JIsU/8OHiwIDAQAB
    -----END PUBLIC KEY-----
    [root@station51 /]# cat mykey.key
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDB2PBAFQGSVrHFnWBn1iAbwdZRRSIK9usxh3Tq0czeWraJCcqT
    YpHL9+I6U//fMUaNb57t/JphnnAsJ29ToTPtrf4y5y9xsbZpo7vnSSeBw1cUVsd0
    KIxnk9KT1dFW5X3lwo3DkNmgLIWGOB2R/nl5LYC4bnvHI7l+JIsU/8OHiwIDAQAB
    AoGAbWU5SGDSbzx/vK8w7ciYfDGq+lhSeu+YEW6JW8+kl0OISdP9v6lb8EjnIdWv
    y8xqLX11qobotPiOA00J9Z8+xwElSrvCK24HKdK85uWjU7RZhbGO2IzmAQFjYhhk
    cy2PK2J+9DQxbJ6pBofL1/bX6k/QRfFt8avZi1IMo9jM/dkCQQD7goyrng5gRuYs
    FsR66zScQSY/o5+upE5msRFQ6DWNXdlZ/xxOF6Pp/b9WVnbse13I9quSMlsJUocr
    WMOyEcC/AkEAxU7cFVcECEMOa/MCBUTFbUNybudY4jaT2OldSCeoPBjCoc+4O1jf
    lSTEZ7s3Q78uNvu7/TbX+soIwhYHevFgNQJBAIY0IQ+qJQ2mh0dbVrgoLUh7Uwd+
    LcSok9UkApNjdL/cJhBpmhbpcmN3LNPLC2YgZejIBsDZ8c3Fpa6xjKrF4k0CQQCd
    VG6Fzab3d5DuXw2Daf0LTTbYXD0x1Fc8JYkuWgD6OrwoDtxW5l0SLgk2tcAxkyak
    zUJvfOXnomYtbSd1zzbpAkBmGmzPrntM5O11x1dwMYg4XzHQoxdNaNmuJaq/jBVq
    0vy+wvkDn88goH7Wq99kcrUYz1zo7UcL8GA6aOjK1Y9Y
    -----END RSA PRIVATE KEY-----

    To keep other users from stealing the private key, restrict the file permissions at the moment the key is generated:

    ~]# (umask 077; openssl genrsa -out test.key 1024)
    
    [root@station51 /]# (umask 077; openssl genrsa -out test.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ...................++++++
    .................................................++++++
    e is 65537 (0x10001)
    [root@station51 /]# ll
    -rw-r--r-- 1 root root 887 May 29 16:07 mykey.key
    -rw------- 1 root root 887 May 29 16:13 test.key
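
An added example, not from the original page, that wraps the `umask 077` generation above and audits a directory for `*.key` files that group or other users can access, like `mykey.key` in the listing. Function and file names are constructed, and the key size defaults to 2048 bits instead of the page's 1024.

```shell
#!/bin/sh
# Added example: function names and file names are constructed for illustration.

# gen_private_key FILE [BITS]: create the key inside a subshell with umask 077,
# so the file never exists with group/other permission bits set.
gen_private_key() {
    (umask 077; openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null)
}

# key_is_private FILE: succeed only if no group/other permission bit is set.
# Characters 5-10 of the `ls -l` mode string are the group and other triplets.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# public_part FILE: print the public key only (same call as on the page)
public_part() {
    openssl rsa -in "$1" -pubout 2>/dev/null
}

# audit_keys DIR: list *.key files that other users could read or modify
audit_keys() {
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        key_is_private "$f" || echo "$f"
    done
}

dir=$(mktemp -d)
gen_private_key "$dir/test.key"
# Constructed stand-in for a key file left with default 644 permissions
: > "$dir/loose.key"; chmod 644 "$dir/loose.key"
echo "keys readable by other users:"; audit_keys "$dir"
public_part "$dir/test.key" | head -n 1
rm -rf "$dir"
```
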
  • Original article: https://www.cnblogs.com/lijianming180/p/12227189.html
Copyright © 2020-2023  润新知