How to encrypt a large file in openssl using public key

Question

How can I encrypt a large file with a public key so that no one other than who has the private key be able to decrypt it?

I can make RSA public and private keys but when it comes to encrypting a large file using this command:

openssl rsautl -encrypt -pubin -inkey public.pem -in myLargeFile.xml -out myLargeFile_encrypted.xml 

and how can i perform the decryption also....

i create my private and public key by the following commands

openssl genrsa -out private.pem 1024 openssl rsa -in private.pem -out public.pem -outform PEM -pubout 

I get this error:

RSA operation error 3020:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:.\crypto\rsa\rsa_pk1.c:151: 

I tried to make keys with sizes from 1024 to 1200 bits, no luck, same error

Answer 1

Public-key crypto is not for encrypting arbitrarily long files. One uses a symmetric cipher (say AES) to do the normal encryption. Each time a new random symmetric key is generated, used, and then encrypted with the RSA cipher (public key). The ciphertext together with the encrypted symmetric key is transferred to the recipient. The recipient decrypts the symmetric key using his private key, and then uses the symmetric key to decrypt the message.

The private key is never shared, only the public key is used to encrypt the random symmetric cipher.

Answer 2

Solution for safe and high secured encode anyone file in OpenSSL and command-line:

You should have ready some X.509 certificate for encrypt files in PEM format.

Encrypt file:

openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem 

What is what:

• smime - ssl command for S/MIME utility (smime(1))
• -encrypt - chosen method for file process
• -binary - use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives).
• -aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers)
• -in plainfile.zip - input file name
• -out encrypted.zip.enc - output file name
• -outform DER - encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%.
• yourSslCertificate.pem - file name of your certificate's. That should be in PEM format.

That command can very effectively a strongly encrypt big files regardless of its format.
Known issue: Something wrong happens when you try encrypt huge file (>600MB). No error thrown, but encrypted file will be corrupted. Always verify each file! (or use PGP - that has bigger support for files encryption with public key)

Decrypt file:

openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password 

What is what:

• -inform DER - same as -outform above
• -inkey private.key - file name of your private key. That should be in PEM format and can be encrypted by password.
• -passin pass:your_password - your password for private key encrypt. (passphrase arguments)