User Commands                                          encrypt(1)



NAME
     encrypt, decrypt - encrypt or decrypt files

SYNOPSIS
     /usr/bin/encrypt -l


     /usr/bin/encrypt -a algorithm [-v]
          [-k keyfile | -K keylabel [-T tokenspec]]
          [-i inputfile] [-o outputfile]


     /usr/bin/decrypt -l


     /usr/bin/decrypt -a algorithm [-v]
          [-k keyfile | -K keylabel [-T tokenspec]]
          [-i inputfile] [-o outputfile]


DESCRIPTION
     This utility encrypts or decrypts the given file or stdin
     using the algorithm specified. If no output file is specified,
     output is to standard out. If input and output are the same
     file, the encrypted output is written to a temporary work file
     in the same filesystem and then used to replace the original
     file.


     On decryption, if the input and output are  the  same  file,
     the cleartext replaces the ciphertext file.


     The output file of encrypt and the input file for decrypt
     contain the following information:

         o    Output format version number, 4  bytes  in  network
              byte order. The current version is 1.

         o    Iterations used in key generation function, 4 bytes
              in network byte order.

         o    IV (ivlen bytes)[1]. iv data is generated by random
              bytes equal to one block size.

         o    Salt data used in key generation (16 bytes).

         o    Cipher text data.

OPTIONS
     The following options are supported:




SunOS 5.11          Last change: 17 Dec 2008                    1






     -a algorithm      Specify the name of the algorithm to use
                       during the encryption or decryption
                       process. See USAGE, Algorithms for details.


     -i inputfile     Specify the input file. Default  is  stdin
                       if inputfile is not specified.


     -k keyfile       Specify the file containing the key value
                       for the encryption algorithm. Each
                       algorithm has specific key material
                       requirements, as stated in the PKCS#11
                       specification. If -k is not specified,
                       encrypt prompts for key material using
                       getpassphrase(3C). The size of the key
                       file determines the key length, and
                       passphrases set from the terminal are
                       always used to generate 128 bit long keys
                       for ciphers with a variable key length.

                       For information on generating a key  file,
                       see  the  genkey  subcommand in pktool(1).
                       Alternatively, dd(1M) can be used.


     -K keylabel      Specify the label of a symmetric token key
                       in a PKCS#11 token.


     -l                Display the list of  algorithms  available
                       on   the  system.  This  list  can  change
                       depending  on  the  configuration  of  the
                       cryptographic  framework. The keysizes are
                       displayed in bits.


     -o outputfile    Specify output file. Default is stdout  if
                       outputfile is not specified. If stdout is
                       used without redirecting to  a  file,  the
                       terminal window can appear to hang because
                       the raw encrypted or  decrypted  data  has
                       disrupted  the  terminal  emulation,  much
                       like viewing  a  binary  file  can  do  at
                       times.


     -T tokenspec     Specify a PKCS#11  token  other  than  the
                       default  soft  token object store when the
                       -K is specified.

                       tokenspec has the format of:




                         tokenname [:manufid [:serialno]]


                       When  a  token  label  contains   trailing
                       spaces,  this option does not require them
                       to be typed as a convenience to the user.

                       A colon separates the parts of the token
                       identification string. If any of the parts
                       have a literal colon (:) character, it must
                       be escaped by a backslash (\). If a colon
                       (:) is not found, the entire string (up to
                       32 characters) is taken as the token label.
                       If only one colon (:) is found, the string
                       is the token label and the manufacturer.


     -v                Display verbose information. See Verbose.


USAGE
  Algorithms
     The supported algorithms are displayed with their minimum
     and maximum key sizes in the -l option. These algorithms are
     provided by the cryptographic framework. Each supported
     algorithm is an alias of the PKCS #11 mechanism that is the
     most commonly used and least restricted version of a
     particular algorithm type. For example, des is an alias to
     CKM_DES_CBC_PAD and arcfour is an alias to CKM_RC4.
     Algorithm variants with no padding or ECB are not supported.


     These aliases are used with the  -a  option  and  are  case-
     sensitive.

  Passphrase
     When the -k option is not used during encryption and
     decryption tasks, the user is prompted for a passphrase. The
     passphrase is manipulated into a more secure key using the
     PBKDF2 algorithm specified in PKCS #5.


     When a passphrase is used with encrypt and decrypt, the
     user-entered passphrase is turned into an encryption key using
     the PBKDF2 algorithm as defined in
     http://www.rsasecurity.com, PKCS #5 v2.0.
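
     The header layout listed under DESCRIPTION and the passphrase
     handling above can be checked with a short parser. This is an
     added example, not code from the Solaris sources: the field
     order follows the list in DESCRIPTION, while the HMAC-SHA1 PRF,
     the raw-bytes passphrase encoding, the MAX_ITERATIONS cap, and
     the names parse_header and derive_key are assumptions.

```python
import hashlib
import struct
from typing import NamedTuple

SALT_LEN = 16                                   # per the page: 16-byte salt
BLOCK_SIZE = {"aes": 16, "des": 8, "3des": 8}   # IV is one cipher block
MAX_ITERATIONS = 10_000_000                     # assumed local cap, not from the page


class Header(NamedTuple):
    version: int
    iterations: int
    iv: bytes
    salt: bytes
    ciphertext: bytes


def parse_header(blob: bytes, algorithm: str) -> Header:
    """Split an encrypt(1) output file into the fields the page lists."""
    ivlen = BLOCK_SIZE[algorithm]
    fixed = 8 + ivlen + SALT_LEN
    if len(blob) < fixed:
        raise ValueError("truncated header")
    version, iterations = struct.unpack(">II", blob[:8])   # network byte order
    if version != 1:
        raise ValueError(f"unsupported format version {version}")
    # The count comes from the file itself: bound it before feeding it to a KDF.
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"implausible iteration count {iterations}")
    iv = blob[8:8 + ivlen]
    salt = blob[8 + ivlen:fixed]
    return Header(version, iterations, iv, salt, blob[fixed:])


def derive_key(passphrase: bytes, hdr: Header, key_len: int = 16) -> bytes:
    """PBKDF2 with the header's salt and count; HMAC-SHA1 PRF is an assumption."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, hdr.salt, hdr.iterations, key_len)


# Constructed sample (not real encrypt output): version 1, 1000 iterations.
SAMPLE = struct.pack(">II", 1, 1000) + bytes(range(16)) + b"S" * 16 + b"\xaa" * 32

if __name__ == "__main__":
    h = parse_header(SAMPLE, "aes")
    print(h.version, h.iterations, h.iv.hex(), h.salt.hex(), len(h.ciphertext))
    print(derive_key(b"correct horse", h).hex())
```

     The default key_len of 16 bytes matches the 128-bit keys the
     page describes for passphrases with variable-key-length ciphers.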

  Verbose
     If an input file is provided to the command, a progress bar
     spans the screen. The progress bar denotes every 25%
     completed with a pipe sign (|). If the input is from standard
     input, a period (.) is displayed each time 40KB is read.
     Upon completion of both input methods, Done is printed.

EXAMPLES
     Example 1 Listing Available Algorithms


     The following example lists available algorithms:


       example$ encrypt -l
            Algorithm       Keysize:  Min   Max
            -----------------------------------
            aes                       128   128
            arcfour                     8   128
            des                        64    64
            3des                      192   192



     Example 2 Encrypting Using AES


     The following example encrypts using AES and prompts for the
     encryption key:


       example$ encrypt -a aes -i myfile.txt -o secretstuff



     Example 3 Encrypting Using AES with a Key File


     The following example encrypts using AES after the key  file
     has been created:


       example$ pktool genkey keystore=file keytype=aes keylen=128 \
                   outkey=key
       example$ encrypt -a aes -k key -i myfile.txt -o secretstuff



     Example 4 Using an In Pipe to Provide Encrypted Tape Backup


     The following example uses an in pipe to  provide  encrypted
     tape backup:


       example$ ufsdump 0f - /var | encrypt -a arcfour \
            -k /etc/mykeys/backup.k | dd of=/dev/rmt/0



     Example 5 Using an In Pipe to Restore Tape Backup


     The following example uses an in pipe to restore a tape
     backup:


       example$ decrypt -a arcfour -k /etc/mykeys/backup.k \
            -i /dev/rmt/0 | ufsrestore xvf -



     Example 6 Encrypting an Input File Using the 3DES Algorithm


     The following example encrypts the inputfile file  with  the
     192-bit key stored in the des3key file:


       example$ encrypt -a 3des -k des3key -i inputfile -o outputfile



     Example 7 Encrypting an Input File with a DES token key


     The following example encrypts the inputfile file with a
     DES token key in the soft token keystore. The DES token key
     can be generated with pktool(1):


       example$ encrypt -a des -K mydeskey \
            -T "Sun Software PKCS#11 softtoken" -i inputfile \
            -o outputfile



EXIT STATUS
     The following exit values are returned:

     0     Successful completion.


     >0    An error occurred.


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:






     ATTRIBUTE TYPE               ATTRIBUTE VALUE
     ------------------------------------------------
     Availability                 SUNWcsu
     Interface Stability          Committed


SEE ALSO
     digest(1),  pktool(1),  mac(1),  dd(1M),  getpassphrase(3C),
     libpkcs11(3LIB), attributes(5), pkcs11softtoken(5)


     System Administration Guide: Security Services


     RSA PKCS#11 v2.11: http://www.rsasecurity.com


     RSA PKCS#5 v2.0: http://www.rsasecurity.com

































