rsautl.1s

openssl rsautl -mode [-in file] [-out file] [-inkey keyfile] [-pubin] [-certin] [-ssl] [-pkcs] [-oaep] [-sign] [-verify] [-raw] [-hexdump] [-keyform PEM|DER] [-passin arg]

-in file
    Specifies the input file containing the data to be processed. If not specified, input is read from standard input.

-out file
    Specifies the output file where the result of the operation will be written. If not specified, output is written to standard output.

-inkey keyfile
    Specifies the RSA key file to be used for the operation. This can be a private or public key, depending on the chosen mode.

-pubin
    Indicates that the input key file is a public key, not a private key. This is required for encryption and verification operations when providing a public key.

-certin
    Indicates that the input file contains a certificate from which the public key should be extracted for use.

-ssl
    Uses SSL v23 padding. This padding scheme is generally considered insecure for new applications.

-pkcs
    Uses PKCS#1 v1.5 padding. This is the default padding for encryption and decryption if no other padding is specified. For encryption, OAEP is generally preferred over PKCS#1 v1.5 for security reasons.

-oaep
    Uses PKCS#1 OAEP (Optimal Asymmetric Encryption Padding). This is the recommended padding scheme for encryption and decryption due to its improved security properties compared to PKCS#1 v1.5.

-sign
    Performs an RSA signing operation using the provided private key. The input data is hashed and then signed.

-verify
    Performs an RSA signature verification operation using the provided public key. The input data is verified against the signature (provided via -in).

-encrypt
    Explicitly sets the operation to encryption. Requires a public key. (Often implicit if no other operation is specified and a public key is used).

-decrypt
    Explicitly sets the operation to decryption. Requires a private key. (Often implicit if no other operation is specified and a private key is used).

-raw
    Performs the RSA operation without any padding. This is highly discouraged for cryptographic operations as it can lead to security vulnerabilities. Typically used for specific testing or raw operations.

-hexdump
    Outputs the result of the operation as a hexadecimal dump.

-keyform PEM|DER
    Specifies the format of the key file (PEM or DER). PEM is the default and most common format.

-passin arg
    Specifies the passphrase for the input key file, if it is encrypted. Refer to OpenSSL documentation for accepted argument formats.

The rsautl utility, typically invoked as openssl rsautl, is a command-line tool within the OpenSSL cryptographic library. It provides functionalities for performing RSA public key operations such as encryption, decryption, signing, and signature verification. It is primarily designed for processing small amounts of data, such as session keys, rather than large files, due to the computational overhead and block size limitations of RSA. Users specify input data, an RSA key (private or public), and the desired operation (encrypt, decrypt, sign, or verify), along with optional padding schemes. While rsautl offers specific RSA functions, the more general pkeyutl command provides similar capabilities for various public key algorithms.

rsautl is designed for handling small amounts of data. Encrypting large files directly with RSA is computationally inefficient and subject to RSA block size limits. For large data, a common practice is to encrypt the data with a symmetric cipher (e.g., AES) and then use RSA to encrypt only the symmetric key. The choice of padding scheme is critical for security; OAEP is generally recommended for encryption over PKCS#1 v1.5, and raw padding should be avoided in production environments.

Encryption (-encrypt): Requires a public key.
Decryption (-decrypt): Requires a private key.
Signing (-sign): Requires a private key.
Verification (-verify): Requires a public key.

The tool automatically infers the operation mode if a specific mode is not provided, based on the key type (public/private) and the presence of -sign or -verify.

PKCS#1 v1.5: The traditional RSA padding scheme. While widely supported, it has known vulnerabilities for encryption if not implemented carefully.
PKCS#1 OAEP (Optimal Asymmetric Encryption Padding): A more secure and recommended padding scheme for RSA encryption, offering probabilistic encryption and resistance to various attacks.
SSL v23: A legacy padding scheme associated with SSL/TLS versions 2 and 3. Generally not recommended for new applications due to security concerns.
Raw: No padding applied. Highly discouraged for cryptographic use cases as it exposes the underlying RSA algorithm to direct attacks and removes essential security features.

openssl(1), openssl rsa(1ssl), openssl genrsa(1ssl), openssl pkeyutl(1ssl)