
Hi,
Recently, I was studying openssl. I found that encrypting with a private key is allowed while decrypting with the public one isn't, and throws an error: "unable to load Private Key" or "A private key is needed for this operation"

-----------------------------Generating Private/Public Keys--------------------------------------
$ openssl genrsa -out prv.pem 1024  ## generating a private key
$ openssl rsa -in prv.pem -pubout -out Emett_pubKey.pub  ## generating the public key

------------------------------Encrypting/Decrypting Message--------------------------------------
$ openssl rsautl -encrypt -inkey prv.pem -in Message -out Enc_Mssg  ## Encrypt file=Message

$ openssl rsautl -decrypt -in Enc_Mssg -out Messg -inkey Emett_pubKey.pub -pubin  ## try to decrypt file=Enc_Mssg
>A private key is needed for this operation

I am wondering if I'm just using openssl in a wrong way or if it must be done in a different way, something like using -sign instead of encrypting the Message like I did.

AmineLBD

2 Answers


Algorithmically, a private key can be used to decrypt a message that was encrypted using the corresponding public key, or to sign a message; but a private key cannot be used to encrypt a message. For more information on this subject see Thomas Pornin's answer at If the public key can't be used for decrypting something encrypted by the private key, then how do digital signatures work? (and note in particular where he blames the confusion on 'deleterious effects of post-Disco pop music').

The reason that the openssl rsautl -encrypt command that you copied in your question works with the private key file prv.pem that you created with openssl genrsa is because prv.pem actually contains both the private key and the public key. See https://crypto.stackexchange.com/questions/45151/anatomy-of-an-rsa-private-key for more info.

mti2935
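The operations the question is reaching for, and the point in mti2935's answer that prv.pem already carries the public exponent, as an added shell example that is not code from the question or the answers. It uses openssl's pkeyutl and dgst commands rather than the deprecated rsautl, assumes an openssl binary (1.1.1 or 3.x) on PATH, and all file names are constructed:

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` 1.1.1 or 3.x
# is on PATH; every file name below is constructed inside a temp directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
prv="$workdir/prv.pem"; pub="$workdir/pub.pem"

make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$prv" 2>/dev/null
  openssl rsa -in "$prv" -pubout -out "$pub" 2>/dev/null
}

# mti2935's point: the "private" PEM carries n and e too, which is why
# rsautl -encrypt accepted prv.pem. Returns 0 if the public exponent is inside.
private_key_has_public_part() {
  openssl rsa -in "$prv" -noout -text 2>/dev/null | grep -q 'publicExponent'
}

# Confidentiality: encrypt to the PUBLIC key, decrypt with the PRIVATE key.
# Prints the recovered plaintext. OAEP padding instead of the PKCS#1 v1.5 default.
encrypt_decrypt() {
  printf '%s' "$1" > "$workdir/msg"
  openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$workdir/msg" -out "$workdir/enc"
  openssl pkeyutl -decrypt -inkey "$prv" -pkeyopt rsa_padding_mode:oaep \
    -in "$workdir/enc"
}

# What the question tried: decrypting with the public key. pub.pem holds no d,
# so openssl must refuse; the function returns 0 only if the command fails.
decrypt_with_public_key_fails() {
  ! openssl pkeyutl -decrypt -pubin -inkey "$pub" -in "$workdir/enc" >/dev/null 2>&1
}

# Authenticity, the "encrypt with the private key" intuition done properly:
# sign with the private key, verify with the public one. Returns 0 on "Verified OK".
sign_and_verify() {
  printf '%s' "$1" > "$workdir/msg"
  openssl dgst -sha256 -sign "$prv" -out "$workdir/msg.sig" "$workdir/msg"
  openssl dgst -sha256 -verify "$pub" -signature "$workdir/msg.sig" "$workdir/msg" >/dev/null
}

make_keys
private_key_has_public_part && echo "prv.pem also contains the public exponent"
echo "decrypted: $(encrypt_decrypt 'hello, world')"
decrypt_with_public_key_fails && echo "decrypting with pub.pem was refused, as expected"
sign_and_verify 'hello, world' && echo "signature verified with pub.pem"
```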

"...I am wondering if I'm just using openssl in a wrong way or it must be done in a different way, something like using -sign instead of encrypting the Message like I did."

GPG supports that approach; it would look like this:

gpg --sign Message.txt

You will be prompted for your password and the output file Message.txt.gpg can be decrypted with the Public key.

gpg --output result.txt --decrypt Message.txt.gpg

No password required as the Public key is used to decrypt.

user10216038