Security and Encryption
========================

* ``easyrsa``
* ``openssl``
* ``ssh-keygen``

https://easy-rsa.readthedocs.io/en/latest/

.. important::

   RSA can only encrypt messages that are smaller than the key, because a few
   bytes are consumed by random padding and only the rest is available for the
   message itself. For example, a 512-bit key can encrypt a 53-byte message
   (512 bits = 64 bytes, of which 11 bytes are used for random padding and
   other overhead).

OpenSSH Keys
------------

.. code-block:: bash

   # RSA
   ssh-keygen -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com"            # OpenSSH privkey
   ssh-keygen -m PEM -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com"     # Legacy PEM privkey
   ssh-keygen -m PKCS8 -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com"   # PKCS8 privkey

   # EC keys: bits can be 256, 384 or 521
   ssh-keygen -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com"           # OpenSSH privkey
   ssh-keygen -m PKCS8 -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com"  # PKCS8 privkey
   ssh-keygen -m PEM -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com"    # PEM privkey

   # Only the Ed25519 curve is supported by SSH.
   # Ed25519 keys generated by this tool can only be in OpenSSH format.
   ssh-keygen -a 100 -t ed25519 -f ./id_ed25519 -C "mk@plataux.com"      # OpenSSH privkey

.. code-block:: bash

   # Convert an existing id_rsa private key from OpenSSH format to PEM format
   # WITHOUT changing the public key
   ssh-keygen -m PEM -p -f ~/.ssh/id_rsa

   # Generate / export the pubkey from an existing privkey to stdout
   ssh-keygen -e -f ./id_rsa -m RFC4716       # SSH2 public key format
   ssh-keygen -e -f ./id_rsa -m PKCS8
   ssh-keygen -e -f ./id_rsa -m PEM
   ssh-keygen -e -f ./id_ed25519 -m RFC4716   # SSH2 format

OpenSSL RSA Private and Public Keys
-----------------------------------

.. code-block:: bash

   # Generate a 2048-bit RSA key in PEM
   openssl genrsa -out private.pem 2048

   # Generate an RSA public key from an existing RSA private key
   openssl rsa -in private.pem -outform PEM -pubout -out public.pem

   # 2 in 1: generate the private key and the public key in the current folder in one go
   openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -outform PEM -pubout -out public.pem

OpenSSL Misc Key Operations
---------------------------

.. code-block:: bash

   # Generate an RSA private key
   openssl genrsa 2048

   # Put it in a variable
   private_key=$(openssl genrsa 2048)

   # Print the key; the double quotes are needed to preserve the line breaks
   echo "$private_key"

   # Inspect the key
   echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -text

   # Extract the public key
   echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -pubout

   # Extract the public key into a variable
   public_key=$(echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -pubout)

   # Print the public key; the double quotes are needed
   echo "$public_key"

   ######################
   # Generate Ed25519 keys with OpenSSL
   edkey=$(openssl genpkey -algorithm ED25519)
   edkey_pub=$(echo "$edkey" | openssl pkey -pubout)
   echo "$edkey" "$edkey_pub"

SSL Certificates
----------------

.. code-block:: bash

   # Self-signed SSL cert and key
   openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out self.crt

   # CSR: certificate signing request for SSL/TLS
   openssl req -new -newkey rsa:2048 -nodes -keyout pymine.key -out pymine.csr

   # Generate an SSL root certificate for an internal certificate authority
   openssl req -x509 -new -nodes -key key.pem -sha256 -days 1825 -out myCA.pem

Base16 and Base64 keys and encoding
-----------------------------------

.. important::

   The ``=`` character in base64 strings has a special meaning: padding.
   This is what a typical 16-byte (128-bit) key looks like in base64:
   ``RS1UDcfs0nDR3n8+ANkilw==``

.. code-block:: bash

   # Generate random hex, e.g. for IPv6 address segments
   openssl rand -hex 4

   # 32-byte key in base16
   openssl rand -hex 32

   # 32-byte key in base64
   openssl rand -base64 32

   # 16-byte key in base64
   openssl rand -base64 16
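The following script is an added example for the base64 section above; it is not part of the original page. It checks that a key produced by ``openssl rand -base64 N`` really decodes to N bytes, and shows where the ``=`` padding comes from: base64 emits 4 characters per 3-byte group and pads the last group, so 16 bytes give 24 characters ending in ``==`` and 32 bytes give 44 characters ending in a single ``=``. The function names are ours; the sample string is the one from the note above.

```shell
#!/bin/sh
# Added example, not from the original page: verify the length and padding of
# base16/base64 keys generated with openssl rand.

# Expected base64 length for $1 raw bytes: 4 characters per 3-byte group, rounded up.
b64_expected_len() {
    echo $(( (($1 + 2) / 3) * 4 ))
}

# Expected number of trailing "=" characters for $1 raw bytes: 0, 1 or 2.
b64_expected_pad() {
    echo $(( (3 - $1 % 3) % 3 ))
}

# Count the trailing "=" characters of the base64 string $1 (pure shell, no sed).
b64_padding_of() {
    pad=${1##*[!=]}
    echo "${#pad}"
}

# Decode the base64 string $1 and return the number of raw bytes it carried.
b64_decoded_bytes() {
    printf '%s\n' "$1" | openssl base64 -d | wc -c | tr -d ' '
}

# Generate an $1-byte key in base64, as the page does, and return 0 only if its
# length, padding and decoded size all match $1. Valid for keys up to 48 bytes
# (64 base64 characters); openssl wraps longer output onto several lines.
check_b64_key() {
    n=$1
    key=$(openssl rand -base64 "$n")
    echo "$n bytes -> $key (${#key} chars, $(b64_padding_of "$key") pad chars)"
    [ "${#key}" = "$(b64_expected_len "$n")" ] &&
    [ "$(b64_padding_of "$key")" = "$(b64_expected_pad "$n")" ] &&
    [ "$(b64_decoded_bytes "$key")" = "$n" ]
}

# Base16 is simpler: exactly 2 hex characters per byte, never any padding.
check_hex_key() {
    n=$1
    hex=$(openssl rand -hex "$n")
    echo "$n bytes -> $hex (${#hex} chars)"
    [ "${#hex}" = $((2 * n)) ]
}

# Stand-alone run: the two key sizes used on the page.
check_b64_key 16
check_b64_key 32
check_hex_key 32
```

If a key from a secrets store fails ``check_b64_key``, it was usually truncated or had its padding stripped in transit; the decoded byte count tells you which.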
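The next script is an added example for the RSA message-size note at the top of the page; it is not code from the original. It computes the limit the note states (key size in bytes minus 11 bytes of PKCS#1 v1.5 padding, which is what ``openssl pkeyutl -encrypt`` uses by default) and then confirms it empirically: a freshly generated key accepts a message of exactly that length and rejects one byte more. The function names are ours; the message content is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: demonstrate the RSA plaintext
# limit. With PKCS#1 v1.5 padding, a key of B bits encrypts at most B/8 - 11 bytes.

# Largest plaintext, in bytes, for a key of $1 bits under PKCS#1 v1.5 padding.
rsa_max_plaintext() {
    echo $(( $1 / 8 - 11 ))
}

# Try to encrypt a constructed message of $2 bytes with a fresh $1-bit key.
# Returns 0 if openssl accepts the message, 1 if it rejects it as too long.
rsa_try_encrypt() {
    bits=$1
    len=$2
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null
    # Constructed plaintext: exactly $len bytes of the letter A.
    printf '%*s' "$len" '' | tr ' ' 'A' > "$dir/msg.bin"
    # pkeyutl derives the public key from the private key file; default padding is PKCS#1 v1.5.
    if openssl pkeyutl -encrypt -inkey "$dir/key.pem" \
            -in "$dir/msg.bin" -out "$dir/ct.bin" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone run: show the boundary for the 512-bit key used in the note.
limit=$(rsa_max_plaintext 512)
echo "512-bit key: max plaintext = $limit bytes"
rsa_try_encrypt 512 "$limit"       && echo "$limit bytes: encrypted"
rsa_try_encrypt 512 $((limit + 1)) || echo "$((limit + 1)) bytes: rejected (data too large for key size)"
```

The practical consequence is the usual hybrid design: RSA encrypts only a short symmetric key, and that key encrypts the actual payload.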
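The next script is an added example for the OpenSSH Keys section above, not code from the original page. The page states that ``ssh-keygen -m PEM -p`` converts the private key container WITHOUT changing the public key; this script proves it for a throwaway key by fingerprinting the original ``.pub`` file, converting the private key to PEM, regenerating the public key from the converted file with ``ssh-keygen -y`` and comparing fingerprints. The function names and the key comment are ours.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that rewriting a private key
# from OpenSSH format to PEM leaves the public key (and thus the fingerprint that
# authorized_keys, servers and audit logs record) unchanged.

# Print the SHA256 fingerprint of the public key file $1.
ssh_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Generate an unencrypted key of type $1 (rsa or ecdsa; ed25519 has no PEM form),
# convert its private file to PEM in place, and return 0 if the fingerprint is
# identical before and after.
ssh_reformat_keeps_pubkey() {
    dir=$(mktemp -d)
    key="$dir/id_test"
    ssh-keygen -q -t "$1" -N "" -f "$key" -C "constructed@example.invalid"
    before=$(ssh_fingerprint "$key.pub")
    # Same operation as the page's conversion command; -P/-N give the old and
    # new (empty) passphrases so the run is non-interactive.
    ssh-keygen -q -p -m PEM -N "" -P "" -f "$key"
    header=$(head -n 1 "$key")
    # Re-derive the public key from the converted private key and fingerprint it.
    ssh-keygen -y -f "$key" > "$dir/derived.pub"
    after=$(ssh_fingerprint "$dir/derived.pub")
    rm -rf "$dir"
    echo "container: $header"
    echo "before:    $before"
    echo "after:     $after"
    [ "$before" = "$after" ]
}

# Stand-alone run with an RSA key, as in the page's conversion example.
ssh_reformat_keeps_pubkey rsa && echo "public key unchanged"
```

The same before/after comparison is worth running on any key-rotation or re-encryption tooling: if the fingerprint changes, the tool generated a new key rather than converting the old one.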
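The last script is an added example for the SSL Certificates section above; it is not code from the original page. The section gives the three building blocks of an internal CA (root certificate, CSR, self-signed cert) but not the step that joins them, so this script runs the complete flow: create the root CA, create the server key and CSR, sign the CSR with the CA, then perform the two checks a practitioner runs before deploying the result, chain verification with ``openssl verify`` and a key-to-certificate match by comparing public keys. File names follow the page (``myCA``, ``pymine``); the subjects and the ``example.invalid`` host name are constructed placeholders and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original page: the full internal-CA flow built
# from the page's commands, plus the two checks worth running before deployment.

# Build a root CA and an issued server certificate in directory $1.
# Returns 0 only if the chain verifies and the server key matches the certificate.
internal_ca_demo() {
    dir=$1
    # 1. Root CA: private key plus self-signed certificate (5 years, as on the page).
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1825 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/myCA.key" -out "$dir/myCA.pem" 2>/dev/null
    # 2. Server key and certificate signing request (the page's CSR command, non-interactive).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=pymine.example.invalid" \
        -keyout "$dir/pymine.key" -out "$dir/pymine.csr" 2>/dev/null
    # 3. Sign the CSR with the CA for one year; -CAcreateserial creates myCA.srl.
    openssl x509 -req -in "$dir/pymine.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
        -CAcreateserial -sha256 -days 365 -out "$dir/pymine.crt" 2>/dev/null
    # 4. Chain check: the issued certificate must verify against the root.
    openssl verify -CAfile "$dir/myCA.pem" "$dir/pymine.crt" >/dev/null || return 1
    # 5. Key/cert match.
    key_matches_cert "$dir/pymine.key" "$dir/pymine.crt"
}

# Return 0 if private key $1 belongs to certificate $2. Comparing the exported
# public keys works for any key type, unlike the RSA-only "-modulus" comparison.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Stand-alone run.
work=$(mktemp -d)
if internal_ca_demo "$work"; then
    echo "chain verified and pymine.key matches pymine.crt"
    openssl x509 -in "$work/pymine.crt" -noout -subject -issuer -dates
else
    echo "CA demo failed"
fi
rm -rf "$work"
```

``key_matches_cert`` is the check to run after any key rotation: a certificate served with a key other than the one in its CSR fails the TLS handshake, and the mismatch is far cheaper to catch here than in production.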