Tribblix: manual page: encrypt.1

ENCRYPT(1) User Commands ENCRYPT(1)

NAME

encrypt, decrypt - encrypt or decrypt files

SYNOPSIS

/usr/bin/encrypt -l

/usr/bin/encrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]

/usr/bin/decrypt -l

/usr/bin/decrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]

DESCRIPTION

This utility encrypts or decrypts the given file or stdin using the
algorithm specified. If no output file is specified, output is to
standard out. If input and output are the same file, the encrypted
output is written to a temporary work file in the same filesystem and
then used to replace the original file.

On decryption, if the input and output are the same file, the
cleartext replaces the ciphertext file.

The output file of encrypt and the input file for decrypt contains
the following information:

o Output format version number, 4 bytes in network byte
order. The current version is 1.

o Iterations used in key generation function, 4 bytes in
network byte order.

o IV (ivlen bytes)[1]. iv data is generated by random bytes
equal to one block size.

o Salt data used in key generation (16 bytes).

o Cipher text data.

OPTIONS

The following options are supported:

-a algorithm
Specify the name of the algorithm to use during the
encryption or decryption process. See USAGE,
Algorithms for details.

-i input_file
Specify the input file. Default is stdin if
input_file is not specified.

-k key_file
Specify the file containing the key value for the
encryption algorithm. Each algorithm has specific
key material requirements, as stated in the PKCS#11
specification. If -k is not specified, encrypt
prompts for key material using getpassphrase(3C).
The size of the key file determines the key length,
and passphrases set from the terminal are always
used to generate 128 bit long keys for ciphers with
a variable key length.

For information on generating a key file, see the
genkey subcommand in pktool(1). Alternatively,
dd(8) can be used.

-K key_label
Specify the label of a symmetric token key in a
PKCS#11 token.

-l
Display the list of algorithms available on the
system. This list can change depending on the
configuration of the cryptographic framework. The
keysizes are displayed in bits.

-o output_file
Specify output file. Default is stdout if
output_file is not specified. If stdout is used
without redirecting to a file, the terminal window
can appear to hang because the raw encrypted or
decrypted data has disrupted the terminal
emulation, much like viewing a binary file can do
at times.

-T token_spec
Specify a PKCS#11 token other than the default soft
token object store when the -K is specified.

token_spec has the format of:

token_name [:manuf_id [:serial_no]]

When a token label contains trailing spaces, this
option does not require them to be typed as a
convenience to the user.

Colon separates token identification string. If any
of the parts have a literal colon (:) character, it
must be escaped by a backslash (\). If a colon (:)
is not found, the entire string (up to 32
characters) is taken as the token label. If only
one colon (:) is found, the string is the token
label and the manufacturer.

-v
Display verbose information. See Verbose.

USAGE

Algorithms

The supported algorithms are displayed with their minimum and maximum
key sizes in the -l option. These algorithms are provided by the
cryptographic framework. Each supported algorithm is an alias of the
PKCS #11 mechanism that is the most commonly used and least
restricted version of a particular algorithm type. For example, des
is an alias to CKM_DES_CBC_PAD and arcfour is an alias to CKM_RC4.
Algorithm variants with no padding or ECB are not supported.

These aliases are used with the -a option and are case-sensitive.

Passphrase

When the -k option is not used during encryption and decryption
tasks, the user is prompted for a passphrase. The passphrase is
manipulated into a more secure key using the PBKDF2 algorithm
specified in PKCS #5.

When a passphrase is used with encrypt and decrypt, the user entered
passphrase is turned into an encryption key using the PBKDF2
algorithm as defined defined in http://www.rsasecurity.com, PKCS #5
v2.0.

Verbose

If an input file is provided to the command, a progress bar spans the
screen. The progress bar denotes every 25% completed with a pipe
sign (|). If the input is from standard input, a period (.) is
displayed each time 40KB is read. Upon completion of both input
methods, Done is printed.

EXAMPLES

Example 1: Listing Available Algorithms

The following example lists available algorithms:

example$ encrypt -l
Algorithm Keysize: Min Max
-----------------------------------
aes 128 128
arcfour 8 128
des 64 64
3des 192 192

Example 2: Encrypting Using AES

The following example encrypts using AES and prompts for the
encryption key:

example$ encrypt -a aes -i myfile.txt -o secretstuff

Example 3: Encrypting Using AES with a Key File

The following example encrypts using AES after the key file has been
created:

example$ pktool genkey keystore=file keytype=aes keylen=128 \
outkey=key
example$ encrypt -a aes -k key -i myfile.txt -o secretstuff

Example 4: Using an In Pipe to Provide Encrypted Tape Backup

The following example uses an in pipe to provide encrypted tape
backup:

example$ ufsdump 0f - /var | encrypt -a arcfour \
-k /etc/mykeys/backup.k | dd of=/dev/rmt/0

Example 5: Using an In Pipe to Restore Tape Backup

The following example uses and in pipe to restore a tape backup:

example$ decrypt -a arcfour -k /etc/mykeys/backup.k \
-i /dev/rmt/0 | ufsrestore xvf -

Example 6: Encrypting an Input File Using the 3DES Algorithm

The following example encrypts the inputfile file with the 192-bit
key stored in the des3key file:

example$ encrypt -a 3des -k des3key -i inputfile -o outputfile

Example 7: Encrypting an Input File with a DES token key

The following example encrypts the input file file with a DES token
key in the soft token keystore. The DES token key can be generated
with pktool(1):

example$ encrypt -a des -K mydeskey \
-T "Sun Software PKCS#11 softtoken" -i inputfile \
-o outputfile

EXIT STATUS

The following exit values are returned:

0
Successful completion.

>0
An error occurred.

ATTRIBUTES