Home/ Questions/Q 3963250
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T03:11:34+00:00

In an application I want to store sensitive data (which can be arbitrarily large)

  • 0

In an application I want to store sensitive data (which can be arbitrarily large) so that it can later be used for researching. The point is that I don’t want the data to lie around unprotected, so I want to encrypt it before saving it.

On another computer (in a more trustworthy environment) I want to decrypt that data later. The decryption should be possible with readily available tools, for example OpenSSL. Now my question is: How do I do all that?

I already know the abstract steps:

  1. Once and for all generate a public/private key pair.
  2. Encrypt a byte[] in Java using the public key, store it somewhere.
  3. Copy the encrypted data to a “safer” computer.
  4. Decrypt the saved data using a simple OpenSSL command line.

What I’m missing now are the details:

  • What kind of key pair do I need?
  • What encryption scheme should I use? (it’s probably something like “rsa-encrypt a symmetric key, then encrypt the data with that key”)
  • How does the simple OpenSSL command line look like?

[Update 2011-02-13]

After a little research I found a page that describes exactly what I want to do: http://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/. Basically the answer to my step 4 is this command line:

openssl smime -decrypt \
  -in data.smime -binary -inform DER \
  -inkey key.pem \
  -out data

Now my question is: How can I generate a file from Java whose format is compatible to OpenSSL so I can decompress it using this command line? I want to do this hundrets of times per second, so invoking an external process seems too slow. That’s why I want to do it directly in Java.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I finally found exactly what I was looking for. I had just been confused by all the terms like S/MIME, ASN.1, DER, and so on. But finally, and seemingly by coincident, I reached the CMS (whatever that means) package from bouncycastle, which does everything I want. So here is my code:

    package de.roland_illig.crypto;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.commons.io.IOUtils;
import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator;
import org.bouncycastle.cms.CMSEnvelopedGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class CryptDemo {

  private static final File DIR = new File("c:/program files/cygwin/home/roland/crypto/");

  private static X509Certificate certificate() throws IOException, GeneralSecurityException {
    InputStream is = new FileInputStream(new File(DIR, "key.pub.der"));
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
    is.close();
    return cert;
  }

  private static void encrypt() throws IOException, GeneralSecurityException, CMSException {
    CMSEnvelopedDataStreamGenerator gen = new CMSEnvelopedDataStreamGenerator();
    gen.addKeyTransRecipient(certificate());

    InputStream is = new FileInputStream(new File(DIR, "secret"));
    OutputStream out = new FileOutputStream(new File(DIR, "secret.encrypted"));
    OutputStream encryptingOut = gen.open(out, CMSEnvelopedGenerator.AES128_CBC, "BC");

    IOUtils.copy(is, encryptingOut);

    is.close();
    encryptingOut.close();
    out.close();
  }

  public static void main(String[] args) throws Exception {
    Security.addProvider(new BouncyCastleProvider());

    encrypt();
  }
}
    • 0