Deze pagina is nog niet beschikbaar in uw eigen taal. We werken er hard aan om meer taalversies toe te voegen. Bedankt voor uw steun.
Data Encryption Workshop
Data Encryption Workshop
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Auditing Logs
- Permission Control
- Best Practices
-
API Reference
- Before You Start
- Calling APIs
- API Overview
- APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
- General
- Change History
-
KMS Related
- Videos
Help Center/
Data Encryption Workshop/
FAQs/
KMS Related/
Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
Updated on 2023-01-31 GMT+08:00
Symptom
By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first.
Solution
Use bash commands to create a local copy of the existing OpenSSL. You do not need to delete or modify the default OpenSSL client installation configurations.
- Switch to the root user.
sudo su -
- Run the following command and record the OpenSSL version:
openssl version
- Run the following commands to create the /root/build directory. This directory will be used to store the latest OpenSSL binary file.
mkdir $HOME/build
mkdir -p $HOME/local/ssl
cd $HOME/build
- Download the latest OpenSSL version from https://www.openssl.org/source/.
- Download and decompress the binary file.
- Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version downloaded in step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxf openssl-1.1.1d.tar.gz
- Use the gcc tool to patch the version, and compile the downloaded binary file.
yum install patch make gcc -y
NOTE:
If you are using a version other than OpenSSL-1.1.1d, you may need to change the directory and commands used, or this patch may not work properly.
- Run the following commands:
sed -i "/BIO_get_cipher_ctx(benc, &ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c
- Run the following commands to compile the OpenSSL enc.c file:
cd $HOME/build/openssl-1.1.1d/
./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
make -j$(grep -c ^processor /proc/cpuinfo)
make install
- Configure the environment variable LD_LIBRARY_PATH to ensure that required libraries are available for OpenSSL. The latest version of OpenSSL has been dynamically linked to the binary file in the $HOME/local/ssl/lib/ directory, and cannot be directly executed in shell.
- Create a script named openssl.sh to load the $HOME/local/ssl/lib/ path before running the binary file.
cd $HOME/local/bin/
echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
- Run the following command to configure an execute bit on the script:
chmod 755 ./openssl.sh
- Run the following command to start the patched OpenSSL version:
$HOME/local/bin/openssl.sh
Parent topic: KMS Related
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
The system is busy. Please try again later.
