# Encryption

## Used method

Encryption is implemented by using openssl's hybrid encryption feature. It combines RSA private/public key with symmetric aes encryption in order to make use of the the security of public/private keys and the performance of symmetric encryption. The usage is similar to pgp: you will only need to store your public key on the server, which is used to encrypt. Decryption can only be achieved with the private key-pair, which should be located somewhere save.

Encryption is accomplished in the following way:

opensslsmime -encrypt -binary -text -aes256 \ -in input.sql \ -out output.sql.enc \ -outform DER mysqldump-secure.pub.pem

## Why I chose openssl smime over pgp?

Openssl's smime encryption has the same security advantage pgp has: The private key is stored in a safe location away from the server. However, the main advantage of asymmetric encryption over pgp is **speed**.

Here is a simple benchmark that shows how much faster it is with a 1GB file:

# Create random 1GB fileopensslrand -out sample.txt -base64 $(( 2**30 * 3/4 ))

# GPG encrypt $time gpg--yes --batch --no-permission-warning --quiet --recipient cytopia --output sample.txt.gpg --encrypt sample.txt txt real 0m56.060s user 0m54.247s sys 0m1.392s

# Openssl encrypt $time opensslsmime -encrypt -binary -text -outform DER -aes256 -in sample.txt -out sample.txt.aes mysqldump-secure.pub.pem b.pem real 0m18.025s user 0m13.862s sys 0m3.498s

As you can see *openssl* is almost three times as fast as pgp.

## Create public/private key

In order to initially generate the public/private keys, use the bundles shell script create-keypair.sh. This creates a 2048bit pair as follows:

opensslreq -x509 -nodes -newkey rsa:2048 \ -keyout mysqldump-secure.priv.pem \ -out mysqldump-secure.pub.pem

## Performance

### RSA

You can test the performance on your target machine yourself with:

opensslspeed rsa512

Values on my machine are

rsa 512 | rsa 1024 | rsa 2048 | rsa 4096 | |
---|---|---|---|---|

# of sign/s | 6,878.4 | 2,075.8 | 398.8 | 66.4 |

# of verify/s | 99,898.4 | 42,966.3 | 15,396.4 | 4,751.5 |

### AES

You can test the performance on your target machine yourself with:

opensslspeed aes-128-cbc

Values on my machine are

aes 128 cbc | aes 192 cbc | aes 256 cbc | |
---|---|---|---|

16 byes | 150812.11 k | 126749.73 k | 119884.20 k |

64 bytes | 153859.62 k | 134592.51 k | 119803.50 k |

256 bytes | 156139.70 k | 137572.39 k | 116165.86 k |

1024 bytes | 156203.72 k | 136104.24 k | 120017.89 k |

8192 bytes | 159386.04 k | 135400.37 k | 123281.67 k |