gdcmanon(1)                          GDCM                          gdcmanon(1)

NAME

       gdcmanon - Tool to anonymize a DICOM file.

SYNOPSIS

       gdcmanon [options] file-in file-out
       gdcmanon [options] dir-in  dir-out

DESCRIPTION

       The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic
       Application Level Confidentiality Profile (implementation of E.1.1
       De-identify & E.1.2 Re-identify).

       This tool is split into two very different operating modes:

       · An implementation of PS 3.15, see the -e and -d flags
       · A dumb mode, see --dumb

       Dumb mode and PS 3.15 do not work well together; you should really only
       use one type of anonymization. In case of doubt, avoid using --dumb.

       In order to use the PS 3.15 implementation (-d & -e flags), you need
       a certificate to do de-identification operations, and the associated
       private key to do the re-identification operation. If you are only
       doing a one-shot anonymization and do not need to properly re-identify
       the DICOM file, you can safely discard the private key and only keep
       the certificate. See the OpenSSL section below for an example of how to
       generate the private key/certificate pair.

       gdcmanon will exit early if OpenSSL was not configured/built properly
       into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake).

PARAMETERS

       file-in   DICOM input filename

       file-out  DICOM output filename

       or

       file-in   DICOM input directory

       file-out  DICOM output directory

OPTIONS

       You need to specify at least one operating mode from the following
       list (and only one):

   Required parameters
         -e --de-identify            De-identify DICOM (default)
         -d --re-identify            Re-identify DICOM
            --dumb                   Dumb mode anonymizer

       Warning: when operating in dumb mode, you also need to specify an
       operation to perform, such as 'remove' or 'empty' a tag; see the dumb
       mode options below.

   OPTIONS
         -i --input                  DICOM filename / directory
         -o --output                 DICOM filename / directory
         -r --recursive              recursively process (sub-)directories.
            --continue               Do not stop when file found is not DICOM.
            --root-uid               Root UID.
            --resources-path         Resources path.
         -k --key                    Path to RSA Private Key.
         -c --certificate            Path to Certificate.

   encryption options
            --des            DES.
            --des3           Triple DES.
            --aes128         AES 128.
            --aes192         AES 192.
            --aes256         AES 256.

   dumb mode options
            --empty   %d,%d           DICOM tag(s) to empty
            --remove  %d,%d           DICOM tag(s) to remove
            --replace %d,%d,%s        DICOM tag(s) to replace

   general options
         -h   --help
                print this help text and exit

         -v   --version
                print version information and exit

         -V   --verbose
                verbose mode (warning+error).

         -W   --warning
                warning mode, print warning information

         -E   --error
                error mode, print error information

         -D   --debug
                debug mode, print debug information

   environment variable
         GDCM_ROOT_UID Root UID
         GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)

Typical usage

   De-identification (anonymization, encrypt)
       The only thing required for this operation is a certificate file (in
       PEM format).

       $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm

   Re-identification (de-anonymization, decrypt)
       The only thing required for this operation is a private key (in PEM
       format). The private key used for the re-identification process must
       be the actual private key that was used to generate the certificate
       file (certificate.pem) used during the de-identification step.

       $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm

       You can then check that original.dcm and original_copy.dcm are
       identical.

   Multiple files caveat
       It is very important to understand the following section when
       anonymizing more than a single file. When anonymizing multiple DICOM
       files, you are required to use the directory input. You cannot call
       the gdcmanon command line tool multiple times. Indeed, the tool stores
       a hash table of conversions only in memory during the process, so that
       each time a particular value is found it is always replaced by the same
       de-identified value (think: consistent Series Instance UID).

   Dumb mode
       This functionality is not described in the DICOM standard. Users are
       advised that improper use of that mode is not recommended, meaning that
       important tags can be emptied/removed/replaced, resulting in an
       illegal/invalid DICOM file. Only use it when you know what you are
       doing. If you delete a Type 1 attribute, chances are that your DICOM
       file will not be accepted by most third-party DICOM viewers.
       Unfortunately, it is often this mode that is implemented in popular
       DICOM viewers; always prefer what the DICOM standard describes, and
       avoid the dumb mode.

       The following example shows how to use dumb mode and achieve 5
       operations at the same time:

       · Empty the tag (0010,0010) Patient's Name,
       · Empty the tag (0010,0020) Patient ID,
       · Remove the tag (0010,0040) Patient's Sex
       · Remove the tag (0010,1010) Patient's Age
       · Replace the tag (0010,1030) Patient's Weight with the value '10'

       You are required to check which DICOM attributes are Type 1 and Type
       1C before trying to 'Empty' or 'Remove' a particular DICOM attribute.
       For the same reason, you are required to check what the valid values
       are in a replace operation.

       $ gdcmanon --dumb --empty 10,10 --empty 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm

       Multiple operations of --dumb mode can take place; just reuse the
       output of the previous operation. Always use gdcmdump on the input and
       output file to check what was actually achieved. You can use a diff
       program to check only what changed (see diff(1) for example).

   Irreversible Anonymization
       In some cases, one would want to anonymize using the PS 3.15 mode
       so as to benefit from the automatic conversion of all content that
       could contain Patient related information.

       In the end, all Patient related information has been removed and has
       been secretly stored in the 0400,0500 DICOM attribute. However, to make
       sure that no one ever tries to break that security using a brute-force
       algorithm, one may want to completely remove this DICOM attribute.
       This will make the DICOM:

       · Completely free of any Patient related information (as per PS 3.15
         specification)
       · Free of any means for people to brute-force attack the file to find
         out the identity of the Patient

       In this case one could simply, as a first step, execute the
       reversible anonymizer:

       $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm

       and then completely remove the DICOM attribute containing the secretly
       encrypted Patient related information:

       $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm
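
       Added example (not part of gdcmanon or of the original page): shell
       helpers that confirm the attributes removed in the last step are really
       gone and show what changed, using gdcmdump and diff as advised under
       Dumb mode. It assumes gdcmdump prints each element on a line containing
       its tag as (gggg,eeee); the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm what gdcmanon actually removed, using gdcmdump.
# Assumption: gdcmdump prints each element on a line holding "(gggg,eeee)".

# tag_to_pattern 400,500 -> (0400,0500)
# Takes the group,element hex form that --remove/--empty/--replace use.
tag_to_pattern() {
    g=${1%%,*}; e=${1##*,}
    printf '(%04x,%04x)' "0x$g" "0x$e"
}

# residual_tags FILE TAG... : print every TAG still present in FILE.
# Status 0 = none present, 1 = at least one present, 2 = dump failed.
residual_tags() {
    file=$1; shift
    dump=$(gdcmdump "$file") || return 2
    found=0
    for tag in "$@"; do
        pat=$(tag_to_pattern "$tag")
        # -F: literal match, -i: tolerate upper-case hex digits
        if printf '%s\n' "$dump" | grep -qiF -- "$pat"; then
            echo "$tag"; found=1
        fi
    done
    return "$found"
}

# dump_diff BEFORE AFTER : diff of the two dumps (status as for diff(1)).
dump_diff() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    rc=0
    { gdcmdump "$1" > "$a" && gdcmdump "$2" > "$b" && diff "$a" "$b"; } || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Usage with the file names from the two commands above:
#   residual_tags anonymized_irreversible.dcm 400,500 12,62 12,63 && echo clean
#   dump_diff anonymized_reversible.dcm anonymized_irreversible.dcm
```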

OpenSSL

       On most systems you have access to OpenSSL to generate the Private
       Key/Certificate pair.

   Generating a Private Key
       Command line to generate an RSA key (512bit)

       $ openssl genrsa -out CA_key.pem

       Command line to generate an RSA key (2048bit)

       $ openssl genrsa -out CA_key.pem 2048

       Command line to generate an RSA key (2048bit) + passphrase

       $ openssl genrsa -des3 -out CA_key.pem 2048

   Generating a Certificate
       From your previously generated Private Key, you can now generate a
       certificate in PEM (DER format is currently not supported).

       $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer
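
       Added example (not from the GDCM project): before relying on
       re-identification, check that a private key really is the one behind a
       certificate, and how many bits it has. The helper names and the
       2048-bit default floor are assumptions; a passphrase-protected key
       makes openssl prompt.

```shell
#!/bin/sh
# Added example: sanity checks on the key pair used with gdcmanon -c / -k.

# key_bits KEY : print the size in bits of a PEM private key, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -noout -text |
        sed -n '1s/[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# key_matches_cert KEY CERT : status 0 only if CERT holds the public half of
# KEY, i.e. KEY can re-identify files that were de-identified with CERT.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# check_pair KEY CERT [MIN_BITS] : both checks, with a readable verdict.
check_pair() {
    min=${3:-2048}   # assumption: 2048 bits as the default floor
    bits=$(key_bits "$1")
    [ -n "$bits" ] || { echo "cannot read key $1"; return 2; }
    if [ "$bits" -lt "$min" ]; then
        echo "key is $bits bits, below $min"; return 1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "certificate was not generated from this key"; return 1
    fi
    echo "ok: $bits-bit key matches certificate"
}

# Usage with the file names from the commands above:
#   check_pair CA_key.pem CA_cert.cer
```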

DICOM Standard:

       Page to the DICOM Standard:
       http://dicom.nema.org/

       The DICOM Standard at the time of releasing gdcmanon is:
       ftp://medical.nema.org/medical/dicom/2008/

       Direct link to PS 3.15-2008:
       ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf

SEE ALSO

       gdcmconv(1), gdcmdump(1), gdcminfo(1), openssl(1)

       Copyright (c) 2006-2010 Mathieu Malaterre

Version 2.0.16                  Tue Jul 26 2011                    gdcmanon(1)