Security and Encryption
easyrsa, openssl, ssh-keygen
https://easy-rsa.readthedocs.io/en/latest/
Important
RSA can only encrypt messages that are smaller than the key, because a few bytes are consumed by the random padding and only the rest is available for the message itself. For example, a 512-bit key can encrypt a 53-byte message (512 bits = 64 bytes, of which 11 bytes are used for the random padding and the padding markers).
OpenSSH Keys
# RSA
ssh-keygen -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com" # Open SSH Privkey
ssh-keygen -m PEM -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com" # Legacy PEM Privkey
ssh-keygen -m PKCS8 -t rsa -b 2048 -f ./id_rsa -C "mk@plataux.com" # PKCS8 Privkey
# EC keys: -b selects the curve and can be 256, 384 or 521
ssh-keygen -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com" # OpenSSH Privkey
ssh-keygen -m PKCS8 -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com" # PKCS8 Privkey
ssh-keygen -m PEM -t ecdsa -b 521 -f ./id_ec521 -C "mk@plataux.com" # PEM SSH Privkey
# Only the Ed25519 curve is supported by SSH
# Ed25519 keys generated by this tool can only be in OpenSSH format
ssh-keygen -a 100 -t ed25519 -f ./id_ed25519 -C "mk@plataux.com" # Open SSH Privkey, -a 100 = KDF rounds for the passphrase
# convert existing id_rsa private key from SSH format to PEM format type WITHOUT changing public key
ssh-keygen -m PEM -p -f ~/.ssh/id_rsa
# Generate / Export pubkey from existing privkey to stdout
ssh-keygen -e -f ./id_rsa -m RFC4716 # SSH2 PublicKey format
ssh-keygen -e -f ./id_rsa -m PKCS8
ssh-keygen -e -f ./id_rsa -m PEM
ssh-keygen -e -f ./id_ed25519 -m RFC4716 # SSH2 format
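As an added example (not part of the original notes), the following parses the public-key lines ssh-keygen writes for the RSA, ECDSA and Ed25519 key types above and, for RSA, derives the 53-byte limit from the Important note: modulus bytes minus the 11-byte PKCS#1 v1.5 padding overhead. The sample keys are constructed in the code and are not real key material; the function names are this example's own.

```python
import base64
import struct

# PKCS#1 v1.5 encryption padding costs 11 bytes (0x00 0x02, >= 8 random bytes, 0x00):
# that is where "512-bit key -> 53-byte message" comes from.
PKCS1_V15_OVERHEAD = 11

def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the top bit is set)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_string(blob, pos):
    """Read one length-prefixed string from blob at pos; return (data, new_pos)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    return blob[pos:pos + length], pos + length

def parse_openssh_pubkey(line):
    """Parse one 'type base64 [comment]' line as written by ssh-keygen / authorized_keys."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, pos = read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, pos = read_string(blob, pos)           # public exponent, not needed here
        n, pos = read_string(blob, pos)            # modulus as mpint
        bits = int.from_bytes(n, "big").bit_length()
        k = (bits + 7) // 8                        # modulus length in bytes
        return {"type": key_type, "bits": bits, "max_pkcs1v15_msg": k - PKCS1_V15_OVERHEAD}
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, pos = read_string(blob, pos)        # e.g. b"nistp521"
        return {"type": key_type, "bits": int(curve[5:].decode())}
    if key_type == "ssh-ed25519":
        pub, pos = read_string(blob, pos)          # raw 32-byte public key
        return {"type": key_type, "bits": len(pub) * 8}
    raise ValueError(f"unsupported key type {key_type}")

def build_pubkey_line(key_type, fields, comment="constructed"):
    """Build a public-key line from pre-encoded wire fields (used only for the samples)."""
    blob = ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample keys: the numbers are NOT real key material, only the right sizes.
SAMPLE_RSA_512 = build_pubkey_line("ssh-rsa", [mpint(65537), mpint((1 << 511) | 1)])
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", [ssh_string(bytes(32))])
```

Run it against a real `id_rsa.pub` line to see whether a key is large enough for the payload you intend to encrypt with it.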
OpenSSL RSA Private and Public Keys
# bash
# Generate a 2048 bit RSA Key in PEM
openssl genrsa -out private.pem 2048
# Generate an RSA public key based on an existing RSA private key
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
# 2 in 1: Generate private key and pub key in current folder in one go
openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -outform PEM -pubout -out public.pem
OpenSSL Misc Key Operations
# generate rsa private key
openssl genrsa 2048
# put it in a variable
private_key=$(openssl genrsa 2048)
# print the key, the double quotes are needed
echo "$private_key"
# inspect the key
echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -text
# extract the public key
echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -pubout
# extract the public key in a variable
public_key=$(echo "$private_key" | sed -e 's/^[ ]*//' | openssl rsa -pubout)
# print the public key, the double quotes are needed
echo "$public_key"
######################
# Generate Ed Keys with OpenSSL
edkey=$(openssl genpkey -algorithm ED25519)
edkey_pub=$(echo "$edkey" | openssl pkey -pubout)
echo "$edkey" "$edkey_pub"
SSL Certificates
# bash
# SSL Self Signed SSL Cert and Key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out self.crt
# CSR: Certificate Signing Request for an SSL/TLS certificate, with a fresh key
openssl req -new -newkey rsa:2048 -nodes -keyout pymine.key -out pymine.csr
# Generate SSL Root Certificate for internal Certificate Authority
openssl req -x509 -new -nodes -key key.pem -sha256 -days 1825 -out myCA.pem
Base16 and Base64 keys and encoding
Important
The = character in base64 strings has a special meaning: padding
This is what a typical base64 encoding of a 16-byte (128-bit) value looks like: RS1UDcfs0nDR3n8+ANkilw==
# bash
# 4 random bytes as hex (e.g. to fill in random IPv6 address groups)
openssl rand -hex 4
# 32 byte key in base16
openssl rand -hex 32
# 32 byte key in base64
openssl rand -base64 32
# 16 bytes key in base64
openssl rand -base64 16