X509Crypt

X509Crypt encrypts files using PKCS#7 and the public key taken from the recipient's X.509 certificate. The encryption scheme is the same one used for S/MIME encrypted emails.

With X509Crypt you can encrypt a file in a format that only the intended recipient is able to read/decrypt.

Motivation

Have a simple mechanism in place for encrypting backups without having to publish a private key.

Remote machines can encrypt data onto a backup server without disclosing either the content or the private key, which is sensitive information.

In this way it is possible to host, on the same storage, content that is encrypted for distinct recipients without disclosing the keys.

A recipient cannot decrypt a message that is not addressed to them; recipients can only decrypt their own data.

In a modern 'Cloud' scenario you cannot really trust the provider not to disclose the data. With this approach only the legitimate owner of the information is able to decrypt it: either whoever encrypted it in the first place, or the legitimate recipient.

The server side is only responsible for data persistence, not for the content itself, which remains the sole property of the user or service that holds the proper decryption keys.

How does it work?

X509Crypt works on top of the OpenSSL command line and uses the 'smime' subcommand with the -binary option. This means it is actually using the PKCS#7 / CMS encryption scheme.

  • RSA is used for the key pair generation
  • AES-256-CBC is used for the (symmetric) content encryption
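The following is an added example of the openssl smime round trip that X509Crypt wraps; it is not X509Crypt's own code. It assumes the openssl CLI is on PATH, and the recipient names (alice, bob), file names and payload are constructed for the demo. It also shows the point made under Motivation: a second recipient with a perfectly valid key pair still cannot open an envelope that was not addressed to them.

```shell
#!/bin/sh
# Added example (not X509Crypt code): PKCS#7/CMS file encryption with
# "openssl smime", as X509Crypt uses it. Assumes openssl is on PATH.
# Recipient names, file names and the payload are constructed for this demo.

set -e

WORK="$(mktemp -d)"

# Generate an RSA key pair plus a self-signed X.509 certificate for a recipient.
# Only the certificate (public key) ever needs to leave the recipient's machine.
make_recipient() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Encrypt for a recipient using nothing but their certificate.
# -binary keeps the payload as raw bytes (no MIME line-ending translation),
# -aes-256-cbc selects the content cipher, DER output keeps the file compact.
encrypt_for() {
    recipient="$1"; infile="$2"; outfile="$3"
    openssl smime -encrypt -binary -aes-256-cbc -outform DER \
        -in "$infile" -out "$outfile" "$WORK/$recipient.crt"
}

# Decrypt with a recipient's private key. openssl returns non-zero when the
# given certificate/key does not match any RecipientInfo in the envelope.
decrypt_as() {
    recipient="$1"; infile="$2"; outfile="$3"
    openssl smime -decrypt -binary -inform DER \
        -in "$infile" -out "$outfile" \
        -recip "$WORK/$recipient.crt" -inkey "$WORK/$recipient.key" 2>/dev/null
}

# Full demo: returns 0 only when the addressed recipient recovers the exact
# plaintext and a different recipient is refused.
demo_round_trip() {
    make_recipient alice
    make_recipient bob
    printf 'constructed backup payload\n' > "$WORK/plain.txt"

    encrypt_for alice "$WORK/plain.txt" "$WORK/plain.p7"
    decrypt_as alice "$WORK/plain.p7" "$WORK/alice.out"
    cmp -s "$WORK/plain.txt" "$WORK/alice.out" || return 1

    # Bob holds a valid key pair, but the envelope was not addressed to him.
    if decrypt_as bob "$WORK/plain.p7" "$WORK/bob.out"; then
        return 1
    fi
    return 0
}
```

Run demo_round_trip to exercise the whole flow; the ciphertext in plain.p7 is what would be stored on the backup server, and alice.key never has to be present there.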

Repository

The x509Crypt repository is accessible from this URL

Commandline Options

x509crypt <profile> -e <file> : Encrypt <file> (safety checks)
x509crypt <profile> -E <file> : Encrypt <file>
x509crypt <profile> -d <file> : Decrypt <file>
x509crypt <profile> -g        : Generate keys
x509crypt <profile> -x        : eXport pub key
x509crypt <profile> -s        : export private key
x509crypt <profile> -X        : eXport pub key details
x509crypt <profile> -i <file> : Import pub key
x509crypt -l                  : List profiles

Licensing

The code is freely available under the GPL license; see COPYING.

Additional commercial support and licensing are available on request. Just issue a support request and mention that you are interested in x509Crypt.