EVP_SealInit(3) OpenSSL EVP_SealInit(3) NNAAMMEE EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption SSYYNNOOPPSSIISS #include int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk); int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); DDEESSCCRRIIPPTTIIOONN The EVP envelope routines are a high level interface to envelope encryption. They generate a random key and IV (if required) then "enve- lope" it by using public key encryption. Data can then be encrypted using this key. _E_V_P___S_e_a_l_I_n_i_t_(_) initializes a cipher context ccttxx for encryption with cipher ttyyppee using a random secret key and IV. ttyyppee is normally supplied by a function such as _E_V_P___d_e_s___c_b_c_(_). The secret key is encrypted using one or more public keys, this allows the same encrypted data to be decrypted using any of the corresponding private keys. eekk is an array of buffers where the public key encrypted secret key will be written, each buffer must contain enough room for the corresponding encrypted key: that is eekk[[ii]] must have room for EEVVPP__PPKKEEYY__ssiizzee((ppuubbkk[[ii]])) bytes. The actual size of each encrypted secret key is written to the array eekkll. ppuubbkk is an array of nnppuubbkk public keys. The iivv parameter is a buffer where the generated IV is written to. It must contain enough room for the corresponding cipher's IV, as deter- mined by (for example) EVP_CIPHER_iv_length(type). If the cipher does not require an IV then the iivv parameter is ignored and can be NNUULLLL. _E_V_P___S_e_a_l_U_p_d_a_t_e_(_) and _E_V_P___S_e_a_l_F_i_n_a_l_(_) have exactly the same properties as the _E_V_P___E_n_c_r_y_p_t_U_p_d_a_t_e_(_) and _E_V_P___E_n_c_r_y_p_t_F_i_n_a_l_(_) routines, as docu- mented on the _E_V_P___E_n_c_r_y_p_t_I_n_i_t(3) manual page. RREETTUURRNN VVAALLUUEESS _E_V_P___S_e_a_l_I_n_i_t_(_) returns 0 on error or nnppuubbkk if successful. _E_V_P___S_e_a_l_U_p_d_a_t_e_(_) and _E_V_P___S_e_a_l_F_i_n_a_l_(_) return 1 for success and 0 for failure. NNOOTTEESS Because a random secret key is generated the random number generator must be seeded before calling _E_V_P___S_e_a_l_I_n_i_t_(_). The public key must be RSA because it is the only OpenSSL public key algorithm that supports key transport. Envelope encryption is the usual method of using public key encryption on large amounts of data, this is because public key encryption is slow but symmetric encryption is fast. So symmetric encryption is used for bulk encryption and the small random symmetric key used is transferred using public key encryption. It is possible to call _E_V_P___S_e_a_l_I_n_i_t_(_) twice in the same way as _E_V_P___E_n_c_r_y_p_t_I_n_i_t_(_). The first call should have nnppuubbkk set to 0 and (after setting any cipher parameters) it should be called again with ttyyppee set to NULL. SSEEEE AALLSSOO _e_v_p(3), _r_a_n_d(3), _E_V_P___E_n_c_r_y_p_t_I_n_i_t(3), _E_V_P___O_p_e_n_I_n_i_t(3) HHIISSTTOORRYY _E_V_P___S_e_a_l_F_i_n_a_l_(_) did not return a value before OpenSSL 0.9.7. 1.0.1u 2016-09-22 EVP_SealInit(3)