# How can I encrypt a file with my SSH public key?

## VinzC

Hi.

I'd like to encrypt a file but I'd also like to not go through PGP process and create yet another pair of keys. So I'd like to reuse my own SSH key pair, which I'm also using to connect remotely. My SSH private key is protected with a passphrase, which I use to initialize ssh-agent once I open my Xfce4 session.

So how could I use my SSH public key to encrypt single file in my home directory? I might as well consider Luks/LVM and loop devices for larger encrypted storage, i.e. for more than just one file. I just need some example to put things together.

Thanks for any hint/suggestion.

----------

## ToeiRei

I am not sure if you are able to encrypt files using your normal ssh keys - but you might peek onto the CAcert.org website for client certificates which could even be abused for logging into a remote machine...

Rei

----------

## VinzC

I'm not sure I understand what you mean...

----------

## xaviermiller

Hello,

To encrypt, you need yout PRIVATE key. Your correspondant decodes with your public key.

Normally you encrypt with your private key and the correspondant's public key, and he decodes with your public key and its private key.

The other post says that to be sure, a key (certificate) must be provided by an official organism, so that the correspondant can verify by a third-person that the public key is really yours.

More info here: http://en.wikipedia.org/wiki/Public-key_cryptography

----------

## cmp

 *Quote:*   

> and he decodes with your public key and its private key. 

 

XavierMiller are you sure that he needs your public key to decode ?? I think he does not need it.

The verify a signature I need your public key.!

----------

## malern

 *XavierMiller wrote:*   

> To encrypt, you need yout PRIVATE key. Your correspondant decodes with your public key.

 

Actually, you can encrypt things with either your private key or public key. In practice there's not much point encrypting a file with your private key, because everyone can decrypt it using your public key. The only benefit is it would allow you to prove it was you that encrypted the file, but people normally use signing for that.

If he wants to encrypt something using is public key, so that he's the only person that can decrypt it later (using his private key). Then that's a perfectly legitimate use of public key cryptography.

----------

## John R. Graham

 *XavierMiller wrote:*   

> Hello,
> 
> To encrypt, you need your PRIVATE key. 
> 
> ...

 Alas, that's exactly backwards.  Think of it this way:  of what use would an encryption scheme be that everyone could decrypt?  It works like this:Encrypt and verify are public key operations.

Decrypt and sign are private key operations.For each of the paired operations, the big number arithmetic is the same but the recommended padding schemes differ.

- John

----------

## xaviermiller

Ok, thank you all for correcting me  :Wink: 

----------

## John R. Graham

VinzC,

To encrypt using your ssh public key, use the openssl command line utility, like so:

```
openssl rsautl -encrypt -inkey ~/.ssh/id_rsa -in cleartext-file -out ciphertext-file
```

The public key is part of the ~/.ssh/id_rsa private key file.  Note that you can't use ~/.ssh/id_rsa.pub because it is in an ssh-specific format.  If you want to extract the public key in standard form so that you don't have to specify the private key's passphrase each time you encrypt, do:

```
cd ~/.ssh

openssl rsa -in id_rsa -pubout -out id_rsa.pub.pem
```

Then the encryption command is a little different but will not prompt for a passphrase:

```
openssl rsautl -encrypt -pubin -inkey ~/.ssh/id_rsa.pub.pem -in cleartext-file -out ciphertext-file
```

- John

----------

## VinzC

Thank you John -- I would certainly not have figured it out by myself.

BTW is there any way to have ssh-agent involved in the process? I think here in the present case, I would not avoid typing my private key password. And I'd like to be able to unlock private data once upon opening my session, for example using ssh-agent but it's not an absolute requirement. SSHFS? dm-crypt?

Gnome and KDE provide such means, gnome-keyring (IIRC) and kdewallet. I'd like such a functionality in Xfce. Do you think it can be done?

----------

## John R. Graham

Unfortunately, I don't think so, since openssl is not part of openssh (although openssh uses openssl).  The openssl executable is just a command line interface to many (perhaps most) functions available in libcrypto.  This has nothing to do with ssh, nor with GPG.  It's just pretty much raw cryptography & certificate services.

- John

----------

## VinzC

Fair enough. That means to me Xfce is probably lacking such a tool -- a good opportunity for developers.  :Smile: 

----------

## xaviermiller

gedit supports live GPG encryption/decryption, maybe vim, and for sure emacs.

----------

## VinzC

 *XavierMiller wrote:*   

> gedit supports live GPG encryption/decryption, maybe vim, and for sure emacs.

 

Sure. And I could even write a plugin for editors which support plugins but this is far from the goal. Fortunately gnome-keyring doesn't depend too heavily on Gnome. There's also seahorse -- pulls down several Gnome dependencies but it could be a good compromise. I'll try that and see.

----------

