ENCRYPT(1) | User Commands | ENCRYPT(1) |
encrypt, decrypt - encrypt or decrypt files
/usr/bin/encrypt -l
/usr/bin/encrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]
/usr/bin/decrypt -l
/usr/bin/decrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]
This utility encrypts or decrypts the given file or stdin using the algorithm specified. If no output file is specified, output is to standard out. If input and output are the same file, the encrypted output is written to a temporary work file in the same filesystem and then used to replace the original file.
On decryption, if the input and output are the same file, the cleartext replaces the ciphertext file.
The output file of encrypt and the input file for decrypt contains the following information:
The following options are supported:
-a algorithm
-i input_file
-k key_file
For information on generating a key file, see the genkey subcommand in pktool(1). Alternatively, dd(8) can be used.
-K key_label
-l
-o output_file
-T token_spec
token_spec has the format of:
token_name [:manuf_id [:serial_no]]
When a token label contains trailing spaces, this option does not require them to be typed as a convenience to the user.
Colon separates token identification string. If any of the parts have a literal colon (:) character, it must be escaped by a backslash (\). If a colon (:) is not found, the entire string (up to 32 characters) is taken as the token label. If only one colon (:) is found, the string is the token label and the manufacturer.
-v
The supported algorithms are displayed with their minimum and maximum key sizes in the -l option. These algorithms are provided by the cryptographic framework. Each supported algorithm is an alias of the PKCS #11 mechanism that is the most commonly used and least restricted version of a particular algorithm type. For example, des is an alias to CKM_DES_CBC_PAD and arcfour is an alias to CKM_RC4. Algorithm variants with no padding or ECB are not supported.
These aliases are used with the -a option and are case-sensitive.
When the -k option is not used during encryption and decryption tasks, the user is prompted for a passphrase. The passphrase is manipulated into a more secure key using the PBKDF2 algorithm specified in PKCS #5.
When a passphrase is used with encrypt and decrypt, the user entered passphrase is turned into an encryption key using the PBKDF2 algorithm as defined defined in http://www.rsasecurity.com, PKCS #5 v2.0.
If an input file is provided to the command, a progress bar spans the screen. The progress bar denotes every 25% completed with a pipe sign (|). If the input is from standard input, a period (.) is displayed each time 40KB is read. Upon completion of both input methods, Done is printed.
Example 1 Listing Available Algorithms
The following example lists available algorithms:
example$ encrypt -l
Algorithm Keysize: Min Max
-----------------------------------
aes 128 128
arcfour 8 128
des 64 64
3des 192 192
Example 2 Encrypting Using AES
The following example encrypts using AES and prompts for the encryption key:
example$ encrypt -a aes -i myfile.txt -o secretstuff
Example 3 Encrypting Using AES with a Key File
The following example encrypts using AES after the key file has been created:
example$ pktool genkey keystore=file keytype=aes keylen=128 \
outkey=key example$ encrypt -a aes -k key -i myfile.txt -o secretstuff
Example 4 Using an In Pipe to Provide Encrypted Tape Backup
The following example uses an in pipe to provide encrypted tape backup:
example$ ufsdump 0f - /var | encrypt -a arcfour \
-k /etc/mykeys/backup.k | dd of=/dev/rmt/0
Example 5 Using an In Pipe to Restore Tape Backup
The following example uses and in pipe to restore a tape backup:
example$ decrypt -a arcfour -k /etc/mykeys/backup.k \
-i /dev/rmt/0 | ufsrestore xvf -
Example 6 Encrypting an Input File Using the 3DES Algorithm
The following example encrypts the inputfile file with the 192-bit key stored in the des3key file:
example$ encrypt -a 3des -k des3key -i inputfile -o outputfile
Example 7 Encrypting an Input File with a DES token key
The following example encrypts the input file file with a DES token key in the soft token keystore. The DES token key can be generated with pktool(1):
example$ encrypt -a des -K mydeskey \
-T "Sun Software PKCS#11 softtoken" -i inputfile \
-o outputfile
The following exit values are returned:
0
>0
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Interface Stability | Committed |
digest(1), mac(1), pktool(1), getpassphrase(3C), libpkcs11(3LIB), attributes(7), pkcs11_softtoken(7), dd(8)
System Administration Guide: Security Services
RSA PKCS#11 v2.11: http://www.rsasecurity.com
RSA PKCS#5 v2.0: http://www.rsasecurity.com
December 17, 2008 | OmniOS |