系统运维-17-3-OpenSSL工具

1.简单的对称加密

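openssl version查看版本号。whatis enc查看enc工具。cp /etc/fstab ./复制测试文件到当前目录。ll | grep fstab确认文件。openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext使用enc进行加密(-des3指定3DES算法,-a表示以base64编码输出,-salt表示加盐)。cat fstab.ciphertext查看加密后的文件。rm fstab删除原文件。openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab进行解密(解密时盐值从密文头部读取)。cat fstab查看解密后的文件。注意:这里仅作演示,3DES已属于过时算法,且该版本的enc从口令派生密钥时没有做迭代拉伸,密文也不带完整性校验;OpenSSL 1.1.1及以上版本可改用-aes-256-cbc并加上-pbkdf2,对安全性有要求的数据则应使用带认证的加密工具。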

[root@lab1 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

[root@lab1 ~]# whatis enc
enc (1ssl)           - symmetric cipher routines
[root@lab1 ~]# cp /etc/fstab ./
[root@lab1 ~]# ll | grep fstab
-rw-r--r--. 1 root root      465 Jan 13 08:52 fstab
[root@lab1 ~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@lab1 ~]# cat fstab.ciphertext 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[root@lab1 ~]# rm fstab
rm: remove regular file ‘fstab’? yes
[root@lab1 ~]# openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab
enter des-ede3-cbc decryption password:
[root@lab1 ~]# cat fstab

#
# /etc/fstab
# Created by anaconda on Wed Dec  5 07:16:07 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=0ee0448e-a0b8-4ade-8236-620c46e00461 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
 

2.简单的单向加密

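whatis dgst查看命令信息。md5sum fstab计算文件的MD5摘要。openssl dgst -md5 fstab同样计算MD5摘要(虽然命令不同,但算法相同,最终结果也相同)。openssl dgst -md5 -hex fstab指定16进制输出,发现与之前结果相同(默认即为16进制)。说明:这里的“单向加密”指的是摘要(散列)运算,结果无法还原出原文,也不需要密钥;MD5已可被构造出碰撞,只适合演示或检查意外损坏,需要防篡改的完整性校验时应改用openssl dgst -sha256。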

[root@lab1 ~]# whatis dgst
dgst (1ssl)          - message digests
[root@lab1 ~]# md5sum fstab
29db4aa4997c3e3f452ddfe2dfd6170e  fstab
[root@lab1 ~]# openssl dgst -md5 fstab
MD5(fstab)= 29db4aa4997c3e3f452ddfe2dfd6170e
[root@lab1 ~]# openssl dgst -md5 -hex fstab
MD5(fstab)= 29db4aa4997c3e3f452ddfe2dfd6170e
 

3.生成用户密码

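whatis passwd查看关于ssl的密码生成信息。openssl passwd -1 -salt 12345678生成密码散列(-1表示使用基于MD5的crypt算法,-salt指定盐值)。openssl passwd -1 -salt 12345679把盐值改动一位后再次生成(1个数字的变化也会引起很大的变化)。注意:实际使用时盐值应随机生成而不是固定值,不加-salt时openssl会自动生成随机盐;基于MD5的算法强度已不足,OpenSSL 1.1.1及以上版本可用-5或-6生成基于SHA-256/SHA-512的散列。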

[root@lab1 ~]# whatis passwd
sslpasswd (1ssl)     - compute password hashes
passwd (1)           - update user's authentication tokens
[root@lab1 ~]# openssl passwd -1 -salt 12345678
Password: 
$1$12345678$0ME5N6oDyoEAwUp7b5UDM/
[root@lab1 ~]# openssl passwd -1 -salt 12345679
Password: 
$1$12345679$jLsg8Kl/2yhy1S59roSYq0
 

4.生成随机数

whatis rand查看随机数信息。openssl rand -base64 4生成随机数(4表示生成4个字节,再以base64编码输出)。openssl rand -base64 4再次生成不同的随机数。openssl rand -hex 4换成16进制随机数。openssl rand -hex 4再次生成不同的数。ll /dev | grep random顺带简单介绍随机数生成的知识(random从熵池中取数,而熵池存放的是IO中断时间等难以预测的事件,其可预测性低,熵不足时读取会阻塞;urandom则在熵池估计值不足时不会阻塞,而是继续由软件(内核的伪随机数生成器)产生随机数,理论上可预测性比random高;但在系统完成初始播种之后,其输出在实践中同样不可预测,一般的密钥和盐值生成使用urandom即可)。

[root@lab1 ~]# whatis rand
sslrand (1ssl)       - generate pseudo-random bytes
[root@lab1 ~]# openssl rand -base64 4
2zK7bA==
[root@lab1 ~]# openssl rand -base64 4
FhXcYQ==
[root@lab1 ~]# openssl rand -hex 4
735b9a17
[root@lab1 ~]# openssl rand -hex 4
fd602a16
[root@lab1 ~]# ll /dev | grep random
crw-rw-rw-. 1 root root      1,   8 Jan 12 23:44 random
crw-rw-rw-. 1 root root      1,   9 Jan 12 23:44 urandom

5.公钥加密

whatis genrsa查看rsa生成器。openssl genrsa -out rsakey.private 2048生成一个私钥。cat rsakey.private查看私钥。openssl rsa -in rsakey.private -pubout从私钥提取公钥信息。chmod og= rsakey.private调整权限,去掉同组用户和其他用户的全部权限(否则其他人可以读到私钥,加密就失去意义了)。ll | grep rsa确认权限。(umask 077; openssl genrsa -out key.pri 2048)也可以通过掩码的方式(使用括号表示通过子shell完成,这样不会影响当前掩码)。umask查看当前掩码。ll | grep key.pri查看私钥权限。两种方式相比,先生成再chmod会让私钥在一小段时间内以默认权限存在(本例环境中掩码为0022),因此更推荐umask的方式;另外这样生成的私钥文件本身没有口令保护,私钥内容也不应像演示中那样贴到公开场合。

[root@lab1 ~]# whatis genrsa
genrsa (1ssl)        - generate an RSA private key
[root@lab1 ~]# openssl genrsa -out rsakey.private 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
.............................................+++
e is 65537 (0x10001)
[root@lab1 ~]# cat rsakey.private 
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

[root@lab1 ~]# openssl rsa -in rsakey.private -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/6q+Cbn0cACZVLVkX2R
VedQg9iJGStzQfpldtoA2zL25KlO9mSml8SJ2/TshPblpuNwAkHgwcATm1NB6OLi
WRuHRC7kuEhSDUTeUd/3NJTKVl+5yvepCnhuBvPe2OA8bSjSuEcGTy/xZoh3Lzom
bbULcegC53Eoto6TvVPpatMqLmxexRCP6NylPVh2fDW9i1hTMlr2rOmba3AAd+xd
YgeRLoT5sZpi60dqSEjN2g7sSNB5mOpeT1h04R5k5Jr0AziHV81kx8SLSiZ/Q2w1
dUoVNp9vaQiIzyO49nwxgCHpUD0RNb+aopGt2YFn0HVGGLwU2qwdn331YX7mzoPj
WQIDAQAB
-----END PUBLIC KEY-----
[root@lab1 ~]# chmod og= rsakey.private 
[root@lab1 ~]# ll | grep rsa
-rw-------. 1 root root     1679 Jan 13 09:26 rsakey.private
[root@lab1 ~]# (umask 077; openssl genrsa -out key.pri 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.......................................................................................................+++
e is 65537 (0x10001)
[root@lab1 ~]# umask
0022
[root@lab1 ~]# ll | grep key.pri
-rw-------. 1 root root     1675 Jan 13 09:30 key.pri
-rw-------. 1 root root     1679 Jan 13 09:26 rsakey.private
 


转载自blog.csdn.net/ligan1115/article/details/86432124