Wrap a pair of openssl keys. You should pass your own private key and the public key of the person you are communicating with: the two keys together determine who can read the message (the holder of the matching private key) and who is verified as its sender.
Arguments
- pub
An openssl public key. Usually this will be the path to the key, in which case it may either be the path to a public key or the path to a directory containing a file id_rsa.pub. If NULL, then your own public key will be used (found via the environment variable USER_PUBKEY, then ~/.ssh/id_rsa.pub). However, it is not that common to use your own public key: typically you want the public key of either the sender of a message you are going to decrypt, or the recipient of a message you want to send.
- key
An openssl private key. Usually this will be the path to the key, in which case it may either be the path to a private key or the path to a directory containing a file id_rsa. You may specify NULL here, in which case the environment variable USER_KEY is checked and, if that is not defined, ~/.ssh/id_rsa will be used.
- envelope
A logical indicating if "envelope" encryption functions should be used. If so, then we use openssl::encrypt_envelope() and openssl::decrypt_envelope(). If FALSE then we use openssl::rsa_encrypt() and openssl::rsa_decrypt(). See the openssl docs for further details. The main effect of this is that using envelope = TRUE will allow you to encrypt much larger data than envelope = FALSE; this is because RSA on its own can only encrypt a message shorter than the key modulus (less padding overhead), so a 2048-bit key encrypts at most a couple of hundred bytes directly. Envelope encryption instead encrypts the data with a fresh symmetric session key and uses RSA only to wrap that session key.
- password
A password for the private key. If NULL then you will be prompted interactively for your password; if a string then that string will be used as the password (be careful in scripts: a password literal in source ends up in version control and shell history).
- authenticated
Logical, indicating if the result should be signed with your private key. If TRUE then the recipient verifies that signature against your public key on decryption, and decryption fails if it does not verify. This provides tamper detection and authenticates the sender; without it, anyone holding the recipient's public key could produce a ciphertext that decrypts cleanly.
See also
keypair_sodium() for a similar function using sodium keypairs
Examples
# Note this uses password = FALSE (unencrypted private keys) for use in
# examples only; this should not be done for any data you actually care about.
# Note that the vignette contains much more information than this
# short example and should be referred to before using these
# functions.
# Generate two keypairs, one for Alice, and one for Bob
path_alice <- tempfile()
path_bob <- tempfile()
cyphr::ssh_keygen(path_alice, password = FALSE)
cyphr::ssh_keygen(path_bob, password = FALSE)
# Alice wants to send Bob a message so she creates a key pair with
# her private key and bob's public key (she does not have bob's
# private key).
pair_alice <- cyphr::keypair_openssl(pub = path_bob, key = path_alice)
# She can then encrypt a secret message:
secret <- cyphr::encrypt_string("hi bob", pair_alice)
secret
#> [1] 58 0a 00 00 00 03 00 04 05 02 00 03 05 00 00 00 00 05 55 54 46 2d 38 00 00
#> [26] 02 13 00 00 00 04 00 00 00 18 00 00 00 10 1d 81 f9 22 c2 e9 b6 25 cf fc 3e
#> [51] 70 30 72 fc 47 00 00 00 18 00 00 01 00 b0 d1 73 a4 cc 1c 7a a1 c5 23 1b 59
#> [76] 7d a9 ee c0 89 4d 2b 43 99 f4 44 2c 67 cb 3e ce 27 f6 e4 2c e3 45 83 43 c8
#> [101] e5 4a 3b 8a 83 bf b7 b8 82 ac 2e ca cf af 95 c2 a3 f4 07 1e bc 92 25 7f e1
#> [126] f0 fa e9 cf 35 4e 99 a2 0f c5 4d 8f d4 34 53 37 e3 b0 9a 4b ba 67 8e 33 48
#> [151] 12 50 22 c8 25 49 57 b7 5f fb 93 57 0f a5 b4 20 87 1a 0c 9f 98 64 8f c1 96
#> [176] 33 a2 73 32 42 71 f5 9a 5b 85 3f 9a bc 12 f6 60 d8 ea 6f ac 6d fa ec 6f cb
#> [201] f3 d4 6d c5 98 d2 27 37 00 fa a2 a0 fd de 9c 08 a9 58 29 59 7e 63 fc 87 cf
#> [226] 25 26 72 11 f6 b0 76 53 57 3d c8 4e 9c 42 12 ad a4 f6 2a 3e 5e 23 17 c4 69
#> [251] 84 31 bc 2e 5f a6 79 d8 f5 bc ad 36 fe 6c a9 8d 44 d0 21 bf b1 29 dd 71 27
#> [276] 39 d1 46 3e 57 9a 6b 31 76 cf da 01 ae 24 bd da 6b be e5 24 80 76 4a 4d c1
#> [301] 45 95 ca ff 58 da 61 24 6d 78 c3 eb d4 ce 7c b1 c8 28 0d 00 00 00 18 00 00
#> [326] 00 10 ac 12 ae a7 71 b9 52 61 10 20 54 c2 8e f5 4f 3e 00 00 00 18 00 00 01
#> [351] 00 77 d5 6c b5 b1 bd 91 01 39 99 75 9b 56 0a 99 1b f7 6b 87 0e 5e e8 da 98
#> [376] 21 82 fb db 3c 30 18 f7 b6 f9 b8 97 5b a2 0e bf a9 30 52 0f ae 7f f7 17 80
#> [401] 42 d0 78 80 c5 81 dd ee 63 c5 46 e8 c3 2b 86 05 82 71 04 be e6 e7 5f 97 70
#> [426] 1e 79 82 44 85 2f 51 6f 4a 11 ad f6 91 d5 5f 27 22 78 89 2c 1c 15 6a 5c 34
#> [451] e9 19 81 a2 86 de 52 ca 82 50 7c 5f 14 84 66 6f ed 7c ed c8 cf a9 68 64 63
#> [476] 0a 81 43 0f 3f 80 4d 39 24 2f 7a 65 c4 89 92 cc 9b c2 e7 6e 64 09 ed 28 84
#> [501] 12 c5 2f 94 e2 4e 0d b8 70 ff c0 e1 2d 5a 6f 9c be db 74 60 8d 7d 3f b7 cf
#> [526] 86 fa 15 4f 95 53 03 79 1f 6d 06 f9 6c 5c 67 45 88 ef 56 50 14 22 0a ec 42
#> [551] e5 d2 34 ef 01 93 8c 51 74 a4 e8 20 0f 68 12 8d 24 d7 d7 ec d9 c6 ce 16 a7
#> [576] fa d8 03 79 46 3d 7d 21 7d 13 7d 96 96 4a d8 99 fa 5d 73 a5 5b c1 19 a2 b4
#> [601] 56 9f 67 78 e5 78 78 00 00 04 02 00 00 00 01 00 04 00 09 00 00 00 05 6e 61
#> [626] 6d 65 73 00 00 00 10 00 00 00 04 00 04 00 09 00 00 00 02 69 76 00 04 00 09
#> [651] 00 00 00 07 73 65 73 73 69 6f 6e 00 04 00 09 00 00 00 04 64 61 74 61 00 04
#> [676] 00 09 00 00 00 09 73 69 67 6e 61 74 75 72 65 00 00 00 fe
# Bob wants to read the message so he creates a key pair using
# Alice's public key and his private key:
pair_bob <- cyphr::keypair_openssl(pub = path_alice, key = path_bob)
cyphr::decrypt_string(secret, pair_bob)
#> [1] "hi bob"
# Clean up
unlink(path_alice, recursive = TRUE)
unlink(path_bob, recursive = TRUE)
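The two properties described under the authenticated and envelope arguments can be checked directly. The following is an added example, not part of the cyphr package's own documentation; it assumes the same cyphr functions used above (ssh_keygen, keypair_openssl, encrypt_string, decrypt_string) and constructs a third throwaway keypair for "Eve" to stand in for a wrong sender. As with the page's example, the keys have no passphrase, which is acceptable only for throwaway keys.

```r
library(cyphr)

# Constructed example keys: three throwaway keypairs without a passphrase
# (fine for a demo, never for real data).
path_alice <- tempfile()
path_bob   <- tempfile()
path_eve   <- tempfile()   # assumption: a third party, used as the "wrong" sender
cyphr::ssh_keygen(path_alice, password = FALSE)
cyphr::ssh_keygen(path_bob,   password = FALSE)
cyphr::ssh_keygen(path_eve,   password = FALSE)

# 1. Sender authentication (authenticated = TRUE is the default).
#    Alice signs with her private key; Bob's keypair must name Alice's
#    public key, otherwise signature verification fails on decryption.
pair_alice <- cyphr::keypair_openssl(pub = path_bob, key = path_alice)
secret <- cyphr::encrypt_string("hi bob", pair_alice)

pair_bob_ok    <- cyphr::keypair_openssl(pub = path_alice, key = path_bob)
pair_bob_wrong <- cyphr::keypair_openssl(pub = path_eve,   key = path_bob)

stopifnot(identical(cyphr::decrypt_string(secret, pair_bob_ok), "hi bob"))

# Same ciphertext, same private key, wrong sender public key: the signature
# does not verify, so decrypt_string() raises an error (captured as NULL).
wrong_sender <- tryCatch(
  cyphr::decrypt_string(secret, pair_bob_wrong),
  error = function(e) NULL
)
stopifnot(is.null(wrong_sender))

# 2. The envelope = FALSE size limit.
#    Raw RSA can only encrypt a message shorter than the key modulus minus
#    padding, so a few kilobytes fails; envelope mode encrypts the payload
#    with a symmetric session key and RSA-wraps only that key.
big <- strrep("A", 4096)
pair_raw <- cyphr::keypair_openssl(pub = path_bob, key = path_alice,
                                   envelope = FALSE)
raw_result <- tryCatch(
  cyphr::encrypt_string(big, pair_raw),
  error = function(e) NULL      # openssl::rsa_encrypt() rejects the size
)
stopifnot(is.null(raw_result))

pair_env <- cyphr::keypair_openssl(pub = path_bob, key = path_alice,
                                   envelope = TRUE)
env_secret <- cyphr::encrypt_string(big, pair_env)
stopifnot(identical(cyphr::decrypt_string(env_secret, pair_bob_ok), big))

# Clean up the throwaway keys
unlink(c(path_alice, path_bob, path_eve), recursive = TRUE)
```

The second check is why envelope = TRUE is the default: the only thing the raw RSA path buys you is a smaller ciphertext for very short messages, and it silently stops working once the plaintext grows past the key's capacity. The first check is the reason to keep authenticated = TRUE: the pub argument on the recipient's side is not needed to decrypt, it is there so that the sender is verified.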
