CCRYPT(1)                         Encryption                         CCRYPT(1)

NAME

       ccrypt - encrypt and decrypt files and streams

SYNOPSIS

       ccrypt [mode] [options] [file...]
       ccencrypt [options] [file...]
       ccdecrypt [options] [file...]
       ccat [options] file...

DESCRIPTION

       ccrypt is a utility for encrypting and decrypting files and streams. It
       was designed to replace the standard unix crypt utility, which is
       notorious for using a very weak encryption algorithm. ccrypt is based
       on the Rijndael block cipher, a version of which was also chosen by the
       U.S. government as the Advanced Encryption Standard (AES, see
       http://www.nist.gov/aes). This cipher is believed to provide very
       strong cryptographic security.

       Unlike unix crypt, the algorithm provided by ccrypt is not symmetric,
       i.e., one must specify whether to encrypt or decrypt. The most common
       way to invoke ccrypt is via the commands ccencrypt and ccdecrypt.

       Encryption and decryption depend on a keyword (or key phrase) supplied
       by the user. By default, the user is prompted to enter a keyword from
       the terminal. Keywords can consist of any number of characters, and all
       characters are significant (although ccrypt internally hashes the key
       to 256 bits). Longer keywords provide better security than short ones,
       since they are less likely to be discovered by exhaustive search.

MODES

       ccrypt can operate in five different modes. If more than one mode is
       specified, the last one specified takes precedence. The aliases
       ccencrypt, ccdecrypt, and ccat are provided as a convenience; they are
       equivalent to ccrypt -e, ccrypt -d, and ccrypt -c, respectively.

       -e, --encrypt  Encrypt. This is the default mode. If filename arguments
                      are given, encrypt the files and append the suffix .cpt
                      to their names. Otherwise, run as a filter.

       -d, --decrypt  Decrypt. If filename arguments are given, decrypt the
                      files and strip the suffix .cpt from the filenames, if
                      present. Otherwise, run as a filter.

       -c, --cat      Decrypt one or more files to standard output. If no
                      filename arguments are given, decrypt as a filter.
                      Implies -l.

       -x, --keychange
                      Change the key of encrypted data. In this mode, ccrypt
                      prompts for two passwords: the old one and the new one.
                      If filename arguments are given, modify the files.
                      Otherwise, run as a filter.

       -u, --unixcrypt
                      Simulate the old unix crypt command. Note: the cipher
                      used by unix crypt has been broken and is not secure.
                      Please use this option only to decrypt existing files.
                      If filename arguments are given, decrypt the files to
                      stdout. Otherwise, run as a filter. Note that for the
                      unix crypt format, there is no easy way to detect
                      whether a given key matches or not; thus, for safety,
                      this mode does not overwrite files.

OPTIONS

       The following options are supported in addition to the modes described
       above:

       -b, --brave    When reading an encryption key from the terminal, ask
                      the user only once for the key. By default, ccrypt will
                      ask the user to enter such keys twice, as a safeguard
                      against accidentally destroying data due to a mistyped
                      key. Using the --brave option disables this safety
                      check. Never use it, unless you know what you are doing.
                      See also --timid.

       -E var, --envvar var
                      Read the keyword from the environment variable var.
                      Note that this might be unsafe on certain systems,
                      namely where users can use the ps command to see the
                      environment of a process owned by another user. On most
                      modern systems, however, such behavior of ps is disabled
                      and the -E option should be safe there. Also, as an
                      added security measure, ccrypt erases the keyword from
                      its environment immediately after reading it.

       -f, --force    Overwrite existing files or operate on write-protected
                      files without asking any questions. Also, override
                      ccrypt's reluctance to write or read encrypted data to
                      or from a terminal.

       -F var, --envvar2 var
                      Same as -E, except for second keyword (in keychange
                      mode).

       -h, --help     Help. Print usage information and exit.

       -H key, --key2 key
                      Same as -K, except for second keyword (in keychange
                      mode).

       -k file, --keyfile file
                      Read the keyword as the first line from the named file.
                      In keychange mode, two keywords are read as the first
                      two lines of the file. The filename "-" may be given for
                      reading keywords from standard input. Using the -k -
                      option and sending the keyword on stdin is probably the
                      safest way to pass a keyword to ccrypt from another
                      program or script.

       -K key, --key key
                      Specify the keyword on the command line. This is unsafe,
                      because any other user can see the command line by
                      running the ps command. Only use this option for testing
                      purposes, and never with a real keyword.

       -y file, --keyref file
                      In encryption or keychange mode, check the encryption
                      key against the named file, which must have been
                      previously encrypted with the same key. Exit with an
                      error message if the key does not match. This option is
                      useful as an alternative to --timid, to guard against
                      mistyped keys in situations where several files are
                      encrypted with the same key. This option implies
                      --brave, unless the --timid option is explicitly given
                      after the --keyref option.

       -l, --symlinks Force encryption/decryption of symbolic links. By
                      default, symbolic links are ignored except in cat or
                      unixcrypt mode. Note that with the -l option,
                      encryption/decryption of a symbolic link causes the
                      suffix .cpt to be added/removed from the name of the
                      link, not the name of the file pointed to.

       -L, --license  Print license info and exit.

       -m, --mismatch Normally, ccrypt refuses to decrypt data with a key that
                      does not seem to match. The -m option overrides this
                      restriction. This can sometimes be useful in recovering
                      data from a corrupted file (see RECOVERING DATA FROM
                      CORRUPTED FILES). To avoid irretrievable loss of data
                      when decrypting with a wrong key, this option cannot be
                      used with modes that overwrite the input file.

       -P prompt, --prompt prompt
                      Use prompt instead of the default prompt "Enter
                      encryption/decryption key: ". This may be useful in some
                      shell scripts.

       -q, --quiet    Suppress most warnings.

       -Q prompt, --prompt2 prompt
                      Same as -P, except for second keyword (in keychange
                      mode).

       -r, --recursive
                      Traverse subdirectories recursively.

       -R, --rec-symlinks
                      Traverse subdirectories recursively, and also follow
                      symbolic links to subdirectories.

       -s, --strictsuffix
                      Refuse to encrypt files that already have the .cpt
                      suffix (or the suffix selected with -S). This can be
                      useful when adding some files to a directory of already
                      encrypted files. This option has no effect in decryption
                      or keychange mode.

       -S .suf, --suffix .suf
                      Use the suffix .suf instead of the default suffix .cpt.

       -t, --timid    When reading an encryption key from the terminal, ask
                      the user to enter the key twice. If the two entered keys
                      are not identical, abort. This is a safeguard against
                      accidentally destroying data by encrypting it with a
                      mistyped key. Note: this behavior is now the default,
                      and can be overridden with the --brave option.

       -T, --tmpfiles This option causes ccrypt to use temporary files during
                      encryption/decryption, rather than overwriting the file
                      contents destructively. This method leaves the original
                      file contents lying around in unused sectors of the file
                      system, and thus is less secure than the default
                      behavior. However, in situations where this loss of
                      security is not important, the --tmpfiles option can
                      provide a measure of protection against data being
                      corrupted due to a system crash in the middle of
                      overwriting a file.

       -v, --verbose  Print progress information to stderr.

       -V, --version  Print version info and exit.

       --             End of options. Any remaining arguments are interpreted
                      as filenames. This also turns off filter mode, even if
                      zero filenames follow. This might be useful in the
                      context of shell pattern expansion; ccrypt -- * will
                      behave correctly even if no files match the pattern *.

NOTES ON USAGE

       The user interface of ccrypt intentionally resembles that of GNU gzip,
       although it is not identical. When invoked with filename arguments,
       ccrypt normally modifies the files in place, overwriting their old
       content. Unlike gzip, the output is not first written to a temporary
       file; instead, the data is literally overwritten. For encryption, this
       is usually the desired behavior, since one does not want copies of the
       unencrypted data to remain in hidden places in the file system. The
       disadvantage is that if ccrypt is interrupted in the middle of writing
       to a file, the file will end up in a corrupted, partially encrypted
       state. However, in such cases it is possible to recover most of the
       data; see RECOVERING DATA FROM CORRUPTED FILES below. If you want to
       force ccrypt to use temporary files, use the --tmpfiles option.

       When ccrypt receives an interrupt signal (Ctrl-C) while updating a file
       in place, it does not exit immediately, but rather delays the exit
       until after it finishes writing to the current file. This is to prevent
       files from being partially overwritten and thus corrupted. If you want
       to force ccrypt to exit immediately, just press Ctrl-C twice quickly.

       The encryption algorithm used by ccrypt uses a random seed that is
       different each time. As a result, encrypting the same file twice will
       never yield the same result. The advantage of this method is that
       similarities in plaintext do not lead to similarities in ciphertext;
       there is no way of telling whether the content of two encrypted files
       is similar or not.

       Because of the use of a random seed, decrypting and re-encrypting a
       file with the same key will not lead to an identical file. It is
       primarily for this reason that ccrypt refuses to decrypt files with a
       non-matching key; if this were allowed, there would be no way
       afterwards to restore the original file, and the data would be
       irretrievably lost.

       When overwriting files, special care is taken with hard links and
       symbolic links. Each physical file (i.e., each inode) is processed at
       most once, no matter how many paths to it are encountered on the
       command line or in subdirectories traversed recursively. For each file
       that has multiple hard links, a warning is printed, to alert the user
       that not all paths to the file might have been properly renamed.
       Symbolic links are ignored except in cat mode, or unless the -l or -R
       option is given.

       Unlike gzip, ccrypt does not complain about files that have improper
       suffixes. It is legal to doubly encrypt a file. It is also legal to
       decrypt a file that does not have the .cpt suffix, provided the file
       contains valid data for the given decryption key. Use the
       --strictsuffix option if you want to prevent ccrypt from encrypting
       files that already have a .cpt suffix.

       Regarding encryption and compression: encrypted data is statistically
       indistinguishable from random data, and thus it cannot be compressed.
       But of course it is possible to compress the data first, then encrypt
       it. Suggested file suffixes are .gz.cpt or .gzc.

RECOVERING DATA FROM CORRUPTED FILES

       Encrypted data might be corrupted for a number of reasons. For
       instance, a file might have been partially encrypted or decrypted if
       ccrypt was interrupted while processing the file. Or data might be
       corrupted by a software or hardware error, or during transmission over
       a network. The encryption algorithm used by ccrypt is designed to allow
       recovery from errors. In general, only a few bytes of data will be lost
       near where the error occurred.

       Data encrypted by ccrypt can be thought of as a sequence of 32-byte
       blocks. To decrypt a particular block, ccrypt only needs to know the
       decryption key, the data of the block itself, and the data of the block
       immediately preceding it. ccrypt cannot tell whether a block is
       corrupted or not, except the very first block, which is special. Thus,
       if the encrypted data has been altered in the middle or near the end of
       a file, ccrypt can be run to decrypt it as usual, and most of the data
       will be decrypted correctly, except near where the corruption occurred.

       The very first block of encrypted data is special, because it does not
       actually correspond to any plaintext data; this block holds the random
       seed generated at encryption time. ccrypt also uses the very first
       block to decide whether the given keyword matches the data or not. If
       the first block has been corrupted, ccrypt will likely decide that the
       keyword does not match; in such cases, the -m option can be used to
       force ccrypt to decrypt the data anyway.

       If a file contains some encrypted and some unencrypted data, or data
       encrypted with two different keys, one should decrypt the entire file
       with each applicable key, and then piece together the meaningful parts
       manually.

       Finally, decryption will only produce meaningful results if the data is
       aligned correctly along block boundaries. If the block boundary
       information has been lost, one has to try all 32 possibilities.

DESCRIPTION OF THE CIPHER

       Block ciphers operate on data segments of a fixed length. For
       instance, the Rijndael block cipher used in ccrypt has a block length
       of 32 bytes or 256 bits. Thus, this cipher encrypts 32 bytes at a time.

       Stream ciphers operate on data streams of any length. There are several
       standard modes for operating a block cipher as a stream cipher. One
       such standard is Cipher Feedback (CFB), defined in NIST Special
       Publication 800-38A and ANSI X3.106-1983. ccrypt implements a stream
       cipher by operating the Rijndael block cipher in CFB mode.

       Let P[i] and C[i] be the ith block of the plaintext and ciphertext,
       respectively. CFB mode specifies that

              C[i] = P[i] ^ E(k,C[i-1])

       Here ^ denotes the bitwise exclusive or function, and E(k,x) denotes
       the encryption of the block x under the key k using the block cipher.
       Thus, each block of the ciphertext is calculated from the corresponding
       block of plaintext and the previous block of ciphertext. Note that in
       fact, each byte of P[i] can be calculated from the corresponding byte
       of C[i], so that the stream cipher can be applied to one byte at a
       time. In particular, the stream length need not be a multiple of the
       block size.

       Assuming that blocks are numbered starting from 0, a special "initial"
       ciphertext block C[-1] is needed to provide the base case for the above
       formula. This value C[-1] is called the initialization vector or seed.
       The seed is chosen at encryption time and written as the first block of
       the encrypted stream. It is important that the seed is unpredictable;
       in particular, the same seed should never be used more than once.
       Otherwise, the two resulting ciphertext blocks C[0] could be related by
       a simple xor to obtain information about the corresponding plaintext
       blocks P[0]. If unpredictable seeds are used, CFB is provably as
       secure as the underlying block cipher.

       In ccrypt, the seed is constructed as follows: first, a nonce is
       constructed by hashing a combination of the host name, current time,
       process id, and an internal counter into a 28-byte value, using a
       cryptographic hash function. The nonce is combined with a fixed
       four-byte "magic number", and the resulting 32-byte value is encrypted
       by one round of the Rijndael block cipher with the given key. This
       encrypted block is used as the seed and prepended to the ciphertext.
       The use of the magic number allows ccrypt to detect non-matching keys
       before decryption.

SECURITY

       ccrypt is believed to provide very strong cryptographic security,
       equivalent to that of the Rijndael cipher with 256-bit block size and
       256-bit key size. Another version of the Rijndael cipher (with a
       smaller block size) is used in the U.S. government's Advanced
       Encryption Standard (AES, see http://www.nist.gov/aes). Therefore, this
       cipher is very well studied and subject to intensive public scrutiny.
       This scrutiny has a positive effect on the cipher's security. In
       particular, if an exploitable weakness in this cipher were ever
       discovered, this would become widely publicized.

       In practical terms, the security of ccrypt means that, without
       knowledge of the encryption key, it is effectively impossible to obtain
       any information about the plaintext from a given ciphertext. This is
       true even if a large number of plaintext-ciphertext pairs are already
       known for the same key. Moreover, because ccrypt uses a key size of 256
       bits, an exhaustive search of the key space is not feasible, at least
       as long as sufficiently long keys are actually used in practice. No
       cipher is secure if users choose insecure keywords.

       On the other hand, ccrypt does not attempt to provide data integrity,
       i.e., it will not attempt to detect whether the ciphertext was modified
       after encryption. In particular, encrypted data can be truncated,
       leaving the corresponding decrypted data also truncated, but otherwise
       consistent. If one needs to ensure data integrity as well as secrecy,
       this can be achieved by other methods. The recommended method is to
       prepend a cryptographic hash (for instance, an SHA-1 hash) to the data
       before encryption.

       ccrypt does not claim to provide any particular safeguards against
       information leaking via the local operating system. While reasonable
       precautions are taken, there is no guarantee that keywords and
       plaintexts have been physically erased after encryption is completed;
       parts of such data might still exist in memory or on disk. ccrypt does
       not currently use privileged memory pages.

       When encrypting files, ccrypt by default accesses them in read-write
       mode. This normally causes the original file to be physically
       overwritten, but on some file systems, this might not be the case.

       Note that the use of the -K option is unsafe in a multiuser
       environment, because the command line of a process is visible to other
       users running the ps command. The use of the -E option is potentially
       unsafe for the same reason, although recent versions of ps don't tend
       to display environment information to other users. The use of the -T
       option is unsafe for encryption because the original plaintext will
       remain in unused sectors of the file system.
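       The block chaining described under RECOVERING DATA FROM CORRUPTED FILES
       and DESCRIPTION OF THE CIPHER, together with the missing integrity
       protection and the hash-prepending remedy noted in this section, shown
       as an added Python example that is not part of ccrypt or of this manual
       page. It assumes HMAC-SHA256 as a stand-in for the Rijndael block
       cipher, os.urandom for the seed, and SHA-256 for the prepended hash;
       all function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 32  # block length of the Rijndael variant described on this page


def E(key, block):
    # Stand-in for the Rijndael block cipher (assumption of this example):
    # HMAC-SHA256 is a keyed 32-byte function, and CFB only ever calls the
    # cipher in the forward direction, so the chaining behaves the same way.
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a, b):
    # Byte-wise xor, truncated to the shorter input (handles a short last block).
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, seed, plaintext):
    # C[i] = P[i] ^ E(k, C[i-1]); the seed C[-1] is written as the first block.
    out, prev = [seed], seed
    for i in range(0, len(plaintext), BLOCK):
        prev = xor(plaintext[i:i + BLOCK], E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, ciphertext):
    # P[i] = C[i] ^ E(k, C[i-1]): a block needs only itself and its predecessor.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(xor(c, E(key, p)) for p, c in zip(blocks, blocks[1:]))


def damaged_blocks(key, plaintext, flip_offset):
    # Flip one ciphertext bit, decrypt, and list the plaintext blocks that changed.
    ct = bytearray(cfb_encrypt(key, os.urandom(BLOCK), plaintext))
    ct[flip_offset] ^= 0x01
    got = cfb_decrypt(key, bytes(ct))
    return [i // BLOCK for i in range(0, len(plaintext), BLOCK)
            if got[i:i + BLOCK] != plaintext[i:i + BLOCK]]


def seed_reuse_leak(key, seed, p_a, p_b):
    # With a repeated seed, C_a[0] ^ C_b[0] equals P_a[0] ^ P_b[0]; no key needed.
    c_a = cfb_encrypt(key, seed, p_a)[BLOCK:2 * BLOCK]
    c_b = cfb_encrypt(key, seed, p_b)[BLOCK:2 * BLOCK]
    return xor(c_a, c_b)


def seal(key, data):
    # Prepend a hash of the data before encryption (SHA-256 in this example;
    # the page names SHA-1 as one possibility).
    framed = hashlib.sha256(data).digest() + data
    return cfb_encrypt(key, os.urandom(BLOCK), framed)


def open_sealed(key, ciphertext):
    # Decrypt, then recompute the hash over the recovered data and compare.
    body = cfb_decrypt(key, ciphertext)
    digest, data = body[:32], body[32:]
    if not hmac.compare_digest(digest, hashlib.sha256(data).digest()):
        raise ValueError("hash mismatch: ciphertext was truncated or altered")
    return data


if __name__ == "__main__":
    # Constructed inputs: a demo key and an 8-block sample plaintext.
    key = hashlib.sha256(b"constructed demo keyword").digest()
    text = bytes(range(256))
    print("bit flip in C[2] damages blocks", damaged_blocks(key, text, 3 * BLOCK + 5))
    print("bit flip in the seed damages blocks", damaged_blocks(key, text, 0))
    ct = cfb_encrypt(key, os.urandom(BLOCK), text)
    print("truncation goes unnoticed:", cfb_decrypt(key, ct[:-40]) == text[:-40])
    try:
        open_sealed(key, seal(key, text)[:-40])
    except ValueError as err:
        print("with prepended hash:", err)
```

       A flipped bit damages only the block it sits in and the block after
       it, which is why most of a corrupted file can still be recovered, and
       also why decryption alone cannot reveal tampering.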

EMACS PACKAGE

       There is an emacs package for reading and writing encrypted files.
       (Note that this package currently only works with emacs, not with
       xemacs.) This package hooks into the low-level file I/O functions of
       emacs, prompting the user for a password where appropriate. It is
       implemented in much the same way as support for compressed files. If
       you have both the ps-ccrypt and jka-compr packages installed, emacs can
       open encrypted files and compressed files; however, it does not
       currently work for files that are encrypted and compressed.

       To use the package, simply load ps-ccrypt, then edit as usual. When
       you open a file with the ".cpt" extension, emacs will prompt you for a
       password for the file. It will remember the password for the buffer,
       and when you save the file later, it will be automatically encrypted
       again (provided you save it with a ".cpt" extension). Except for the
       password prompt, the operation of the package should be transparent to
       the user. The command M-x ccrypt-set-buffer-password can be used to
       change the current password of a buffer.

       The simplest way to use this package is to include the lines

              (setq load-path (cons "path" load-path))
              (require 'ps-ccrypt "ps-ccrypt.el")

       in your .emacs file, where path is the directory that holds the file
       ps-ccrypt.el.

       Limitations of the emacs package: there is no guarantee that
       unencrypted information cannot leak to the file system; in fact, the
       package sometimes writes unencrypted data to temporary files. However,
       auto-saved files are normally treated correctly (i.e., encrypted). For
       details, see the comments in the file ps-ccrypt.el.

EXIT STATUS

       The exit status is 0 on successful completion, and non-zero otherwise.
       An exit status of 1 means illegal command line, 2 is out of memory or
       another system error, 3 is a fatal i/o error, 4 is a non-matching key
       or wrong file format, 6 is interrupt, 7 is mistyped key in --timid
       mode, 8 is a non-fatal i/o error, and 9 means that no key was obtained
       because the user failed to enter it, or because the specified keyfile
       or environment variable could not be read. An exit status of 10 means
       that the file specified by the --keyref option could not be read, or
       did not match the requested encryption key.

       Fatal i/o errors are those that occur while processing a file that is
       already open. Such errors cause ccrypt to abort its operation
       immediately with an exit status of 3. Non-fatal i/o errors are those
       that occur while handling files that are not already open; typically,
       such errors are caused by files that are missing, not readable, or
       can't be created. When encountering a non-fatal i/o error, ccrypt
       simply continues to process the next available input file. The exit
       status of 8 is delayed until after all the files have been processed.

       Non-matching keys and wrong file formats are also considered non-fatal
       errors, and cause ccrypt to continue with processing the next available
       input file. In this case, an exit status of 4 is given after all the
       files have been processed. If there is a conflict between exit status 4
       and 8, then 8 is returned.

       The former exit status 5 ("wrong file format") has been eliminated, and
       is now covered under exit status 4 ("non-matching key or wrong file
       format"). Note that ccrypt does not really have a "file format" in the
       proper sense of the word; any file of length at least 32 bytes is
       potentially a valid encrypted file.

BUGS

       While ccrypt can handle keywords of arbitrary length, some operating
       systems limit the length of an input line to 1024 characters.

       The renaming of files (adding or removing the .cpt suffix) can go wrong
       if a filename is repeated on the command line. In this case, the file
       is only encrypted/decrypted once, but the suffix may be added or
       removed several times. This is because ccrypt thinks it encountered
       different hardlinks for the same file.

       The --strictsuffix option can behave in unexpected ways if one file has
       several hardlinks, some of which have the suffix and some of which
       don't. In this case, the inode will be encrypted/decrypted, but the
       suffix will be changed only for those filenames that allow it.
       Similarly, if a file cannot be renamed because a file of the given name
       already exists, the file may still be encrypted/decrypted if it has
       another hardlink.

VERSION

       1.10

AUTHOR

       Peter Selinger <selinger at users.sourceforge.net>

       Copyright (C) 2000-2012 Peter Selinger

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. See also
       http://www.gnu.org/.

Version 1.10                     October 2012                        CCRYPT(1)