CCRYPT(1) Encryption CCRYPT(1)

NAME
ccrypt - encrypt and decrypt files and streams

SYNOPSIS
ccrypt [mode] [options] [file...]
ccencrypt [options] [file...]
ccdecrypt [options] [file...]
ccat [options] file...

DESCRIPTION
ccrypt is a utility for encrypting and decrypting files and streams. It
was designed to replace the standard unix crypt utility, which is
notorious for using a very weak encryption algorithm. ccrypt is based on
the Rijndael block cipher, which was also chosen by the U.S. government
as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes).
This cipher is believed to provide very strong cryptographic security.

Unlike unix crypt, the algorithm provided by ccrypt is not symmetric,
i.e., one must specify whether to encrypt or decrypt. The most common
way to invoke ccrypt is via the commands ccencrypt and ccdecrypt.

Encryption and decryption depend on a keyword (or key phrase) supplied
by the user. By default, the user is prompted to enter a keyword from
the terminal. Keywords can consist of any number of characters, and all
characters are significant (although ccrypt internally hashes the key
to 256 bits). Longer keywords provide better security than short ones,
since they are less likely to be discovered by exhaustive search.

MODES
ccrypt can operate in five different modes. If more than one mode is
specified, the last one specified takes precedence. The aliases
ccencrypt, ccdecrypt, and ccat are provided as a convenience; they are
equivalent to ccrypt -e, ccrypt -d, and ccrypt -c, respectively.

-e, --encrypt
    Encrypt. This is the default mode. If filename arguments are given,
    encrypt the files and append the suffix .cpt to their names.
    Otherwise, run as a filter.

-d, --decrypt
    Decrypt. If filename arguments are given, decrypt the files and
    strip the suffix .cpt from the filenames, if present. Otherwise,
    run as a filter.

-c, --cat
    Decrypt one or more files to standard output. If no filename
    arguments are given, decrypt as a filter. Implies -l.

-x, --keychange
    Change the key of encrypted data. In this mode, ccrypt prompts for
    two passwords: the old one and the new one. If filename arguments
    are given, modify the files. Otherwise, run as a filter.

-u, --unixcrypt
    Simulate the old unix crypt command. Note: the cipher used by unix
    crypt has been broken and is not secure. Please use this option
    only to decrypt existing files. If filename arguments are given,
    decrypt the files to stdout. Otherwise, run as a filter. Note that
    for the unix crypt format, there is no easy way to detect whether a
    given key matches or not; thus, for safety, this mode does not
    overwrite files.

OPTIONS
The following options are supported in addition to the modes described
above:

-b, --brave
    When reading an encryption key from the terminal, ask the user only
    once for the key. By default, ccrypt will ask the user to enter
    such keys twice, as a safeguard against accidentally destroying
    data due to a mistyped key. Using the --brave option disables this
    safety check. Never use it, unless you know what you are doing.
    See also --timid.

-E var, --envvar var
    Read the keyword from the environment variable var. Note that this
    might be unsafe on certain systems, namely where users can use the
    ps command to see the environment of a process owned by another
    user. On most modern systems, however, such behavior of ps is
    disabled and the -E option should be safe there. Also, as an added
    security measure, ccrypt erases the keyword from its environment
    immediately after reading it.

-f, --force
    Overwrite existing files or operate on write-protected files
    without asking any questions. Also, override ccrypt's reluctance to
    write or read encrypted data to or from a terminal.

-F var, --envvar2 var
    Same as -E, except for second keyword (in keychange mode).

-h, --help
    Help. Print usage information and exit.

-H key, --key2 key
    Same as -K, except for second keyword (in keychange mode).

-k file, --keyfile file
    Read the keyword as the first line from the named file. In
    keychange mode, two keywords are read as the first two lines of the
    file. The filename "-" may be given for reading keywords from
    standard input. Using the -k - option and sending the keyword on
    stdin is probably the safest way to pass a keyword to ccrypt from
    another program or script.

-K key, --key key
    Specify the keyword on the command line. This is unsafe, because
    any other user can see the command line by running the ps command.
    Only use this option for testing purposes, and never with a real
    keyword.

-y file, --keyref file
    In encryption or keychange mode, check the encryption key against
    the named file, which must have been previously encrypted with the
    same key. Exit with an error message if the key does not match.
    This option is useful as an alternative to --timid, to guard
    against mistyped keys in situations where several files are
    encrypted with the same key. This option implies --brave, unless
    the --timid option is explicitly given after the --keyref option.

-l, --symlinks
    Force encryption/decryption of symbolic links. By default, symbolic
    links are ignored except in cat or unixcrypt mode. Note that with
    the -l option, encryption/decryption of a symbolic link causes the
    suffix .cpt to be added/removed from the name of the link, not the
    name of the file pointed to.

-L, --license
    Print license info and exit.

-m, --mismatch
    Normally, ccrypt refuses to decrypt data with a key that does not
    seem to match. The -m option overrides this restriction. This can
    sometimes be useful in recovering data from a corrupted file (see
    RECOVERING DATA FROM CORRUPTED FILES). To avoid irretrievable loss
    of data when decrypting with a wrong key, this option cannot be
    used with modes that overwrite the input file.

-P prompt, --prompt prompt
    Use prompt instead of the default prompt "Enter
    encryption/decryption key: ". This may be useful in some shell
    scripts.

-q, --quiet
    Suppress most warnings.

-Q prompt, --prompt2 prompt
    Same as -P, except for second keyword (in keychange mode).

-r, --recursive
    Traverse subdirectories recursively.

-R, --rec-symlinks
    Traverse subdirectories recursively, and also follow symbolic links
    to subdirectories.

-s, --strictsuffix
    Refuse to encrypt files that already have the .cpt suffix (or the
    one selected with -S). This can be useful when adding some files to
    a directory of already encrypted files. This option has no effect
    in decryption or keychange mode.

-S .suf, --suffix .suf
    Use the suffix .suf instead of the default suffix .cpt.

-t, --timid
    When reading an encryption key from the terminal, ask the user to
    enter the key twice. If the two entered keys are not identical,
    abort. This is a safeguard against accidentally destroying data by
    encrypting it with a mistyped key. Note: this behavior is now the
    default, and can be overridden with the --brave option.

-T, --tmpfiles
    This option causes ccrypt to use temporary files during
    encryption/decryption, rather than overwriting the file contents
    destructively. This method leaves the original file contents lying
    around in unused sectors of the file system, and thus is less
    secure than the default behavior. However, in situations where this
    loss of security is not important, the --tmpfiles option can
    provide a measure of protection against data being corrupted due to
    a system crash in the middle of overwriting a file.

-v, --verbose
    Print progress information to stderr.

-V, --version
    Print version info and exit.

--
    End of options. Any remaining arguments are interpreted as
    filenames. This also turns off filter mode, even if zero filenames
    follow. This might be useful in the context of shell pattern
    expansion; ccrypt -- * will behave correctly even if no files match
    the pattern *.

NOTES ON USAGE
The user interface of ccrypt intentionally resembles that of GNU gzip,
although it is not identical. When invoked with filename arguments,
ccrypt normally modifies the files in place, overwriting their old
content. Unlike gzip, the output is not first written to a temporary
file; instead, the data is literally overwritten. For encryption, this
is usually the desired behavior, since one does not want copies of the
unencrypted data to remain in hidden places in the file system. The
disadvantage is that if ccrypt is interrupted in the middle of writing
to a file, the file will end up in a corrupted, partially encrypted
state. However, in such cases it is possible to recover most of the
data; see RECOVERING DATA FROM CORRUPTED FILES below. If you want to
force ccrypt to use temporary files, use the --tmpfiles option.

When ccrypt receives an interrupt signal (Ctrl-C) while updating a file
in place, it does not exit immediately, but rather delays the exit
until after it finishes writing to the current file. This is to prevent
files from being partially overwritten and thus corrupted. If you want
to force ccrypt to exit immediately, just press Ctrl-C twice quickly.

The encryption algorithm used by ccrypt uses a random seed that is
different each time. As a result, encrypting the same file twice will
never yield the same result. The advantage of this method is that
similarities in plaintext do not lead to similarities in ciphertext;
there is no way of telling whether the content of two encrypted files
is similar or not.

Because of the use of a random seed, decrypting and re-encrypting a
file with the same key will not lead to an identical file. It is
primarily for this reason that ccrypt refuses to decrypt files with a
non-matching key; if this were allowed, there would be no way
afterwards to restore the original file, and the data would be
irretrievably lost.

When overwriting files, special care is taken with hard links and
symbolic links. Each physical file (i.e., each inode) is processed at
most once, no matter how many paths to it are encountered on the
command line or in subdirectories traversed recursively. For each file
that has multiple hard links, a warning is printed, to alert the user
that not all paths to the file might have been properly renamed.
Symbolic links are ignored except in cat mode, or unless the -l or -R
option is given.

Unlike gzip, ccrypt does not complain about files that have improper
suffixes. It is legal to doubly encrypt a file. It is also legal to
decrypt a file that does not have the .cpt suffix, provided the file
contains valid data for the given decryption key. Use the
--strictsuffix option if you want to prevent ccrypt from encrypting
files that already have a .cpt suffix.

Regarding encryption and compression: encrypted data is statistically
indistinguishable from random data, and thus it cannot be compressed.
But of course it is possible to compress the data first, then encrypt
it. Suggested file suffixes are .gz.cpt or .gzc.

RECOVERING DATA FROM CORRUPTED FILES
Encrypted data might be corrupted for a number of reasons. For
instance, a file might have been partially encrypted or decrypted if
ccrypt was interrupted while processing the file. Or data might be
corrupted by a software or hardware error, or during transmission over
a network. The encryption algorithm used by ccrypt is designed to allow
recovery from errors. In general, only a few bytes of data will be lost
near where the error occurred.

Data encrypted by ccrypt can be thought of as a sequence of 32-byte
blocks. To decrypt a particular block, ccrypt only needs to know the
decryption key, the data of the block itself, and the data of the block
immediately preceding it. ccrypt cannot tell whether a block is
corrupted or not, except the very first block, which is special. Thus,
if the encrypted data has been altered in the middle or near the end of
a file, ccrypt can be run to decrypt it as usual, and most of the data
will be decrypted correctly, except near where the corruption occurred.

The very first block of encrypted data is special, because it does not
actually correspond to any plaintext data; this block holds the random
seed generated at encryption time. ccrypt also uses the very first
block to decide whether the given keyword matches the data or not. If
the first block has been corrupted, ccrypt will likely decide that the
keyword does not match; in such cases, the -m option can be used to
force ccrypt to decrypt the data anyway.

If a file contains some encrypted and some unencrypted data, or data
encrypted with two different keys, one should decrypt the entire file
with each applicable key, and then piece together the meaningful parts
manually.

Finally, decryption will only produce meaningful results if the data is
aligned correctly along block boundaries. If the block boundary
information has been lost, one has to try all 32 possibilities.

DETAILED DESCRIPTION OF THE CIPHER
Block ciphers operate on data segments of a fixed length. For instance,
the Rijndael block cipher used in ccrypt has a block length of 32 bytes
or 256 bits. Thus, this cipher encrypts 32 bytes at a time.

Stream ciphers operate on data streams of any length. There are several
standard modes for operating a block cipher as a stream cipher. One
such standard is Cipher Feedback (CFB), defined in FIPS 81 and ANSI
X3.106-1983. ccrypt implements a stream cipher by operating the
Rijndael block cipher in CFB mode.

Let P[i] and C[i] be the ith block of the plaintext and ciphertext,
respectively. CFB mode specifies that

    C[i] = P[i] ^ E(k,C[i-1])

Here ^ denotes the bitwise exclusive or function, and E(k,x) denotes
the encryption of the block x under the key k using the block cipher.
Thus, each block of the ciphertext is calculated from the corresponding
block of plaintext and the previous block of ciphertext. Note that in
fact, each byte of P[i] can be calculated from the corresponding byte
of C[i], so that the stream cipher can be applied to one byte at a
time. In particular, the stream length need not be a multiple of the
block size.

Assuming that blocks are numbered starting from 0, a special "initial"
ciphertext block C[-1] is needed to provide the base case for the above
formula. This value C[-1] is called the initialization vector or seed.
The seed is chosen at encryption time and written as the first block of
the encrypted stream. It is important never to use the same seed more
than once; otherwise, the two resulting ciphertext blocks C[0] could be
related by a simple xor to obtain information about the corresponding
plaintext blocks P[0]. If the same seed is never reused, CFB is
provably as secure as the underlying block cipher.

In ccrypt, the seed is constructed as follows: first, a combination of
the host name, current time, process id, and an internal counter is
hashed into a 28-byte value, using a cryptographic hash function. A
fixed four-byte "magic number" is combined with this value, and the
resulting 32-byte value is encrypted by one round of the Rijndael block
cipher with the given key. The result is used as the seed and written
at the beginning of the ciphertext. The use of the magic number allows
ccrypt to detect non-matching keys before decryption.
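
The CFB formula above also explains the recovery behaviour described under RECOVERING DATA FROM CORRUPTED FILES and the warning about seed reuse. The following sketch is an added example, not ccrypt's code: E is HMAC-SHA256 standing in for the 256-bit Rijndael block function, the seed is an arbitrary block rather than ccrypt's magic-number construction, and the key, seed and plaintext are constructed values.

```python
import hashlib
import hmac

BLOCK = 32  # ccrypt's block length in bytes


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(k, x): HMAC-SHA256, NOT Rijndael.

    CFB only ever runs the block function forwards, so any keyed function
    with a 32-byte output reproduces the structure of the mode.
    """
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # stops at the shorter input


def cfb_encrypt(key: bytes, seed: bytes, plaintext: bytes) -> bytes:
    """C[i] = P[i] ^ E(k, C[i-1]); the seed C[-1] is written first."""
    if len(seed) != BLOCK:
        raise ValueError("seed must be exactly one block")
    prev, out = seed, [seed]
    for i in range(0, len(plaintext), BLOCK):
        prev = xor(plaintext[i:i + BLOCK], E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, stream: bytes) -> bytes:
    """P[i] = C[i] ^ E(k, C[i-1]); needs only a block and its predecessor."""
    prev, out = stream[:BLOCK], []
    for i in range(BLOCK, len(stream), BLOCK):
        cur = stream[i:i + BLOCK]
        out.append(xor(cur, E(key, prev)))
        prev = cur
    return b"".join(out)


def damaged_blocks(key, seed, plaintext, offset):
    """Flip one bit at byte `offset` of the encrypted stream and return the
    indices of the plaintext blocks that no longer decrypt correctly."""
    stream = bytearray(cfb_encrypt(key, seed, plaintext))
    stream[offset] ^= 0x01
    recovered = cfb_decrypt(key, bytes(stream))
    return [i // BLOCK for i in range(0, len(plaintext), BLOCK)
            if recovered[i:i + BLOCK] != plaintext[i:i + BLOCK]]


def first_block_xor_leaks(key, seed, p1, p2):
    """With a reused seed, C1[0] ^ C2[0] equals P1[0] ^ P2[0]."""
    c1 = cfb_encrypt(key, seed, p1)[BLOCK:2 * BLOCK]
    c2 = cfb_encrypt(key, seed, p2)[BLOCK:2 * BLOCK]
    return xor(c1, c2) == xor(p1[:BLOCK], p2[:BLOCK])


# Constructed sample values, for illustration only.
KEY = b"k" * 32                # a 256-bit key
SEED = bytes(BLOCK)            # fixed here so results are reproducible
PLAINTEXT = bytes(range(256))  # eight 32-byte blocks
```

A flipped bit in ciphertext block 3 damages plaintext blocks 3 and 4 only, a flipped bit in the seed block damages only block 0, and a truncated stream decrypts to a correspondingly truncated plaintext without any error.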

SECURITY
ccrypt is believed to provide very strong cryptographic security,
equivalent to that of the Rijndael cipher with 256-bit block size and
256-bit key size. Another version of the Rijndael cipher (with a
smaller block size) is used in the U.S. government's Advanced
Encryption Standard (AES, see http://www.nist.gov/aes). Therefore, this
cipher is very well studied and subject to intensive public scrutiny.
This scrutiny has a positive effect on the cipher's security. In
particular, if an exploitable weakness in this cipher were ever
discovered, this would become widely publicized.

In practical terms, the security of ccrypt means that, without
knowledge of the encryption key, it is effectively impossible to obtain
any information about the plaintext from a given ciphertext. This is
true even if a large number of plaintext-ciphertext pairs are already
known for the same key. Moreover, because ccrypt uses a key size of 256
bits, an exhaustive search of the key space is not feasible, at least
as long as sufficiently long keys are actually used in practice. No
cipher is secure if users choose insecure keywords.

On the other hand, ccrypt does not attempt to provide data integrity,
i.e., it will not attempt to detect whether the ciphertext was modified
after encryption. In particular, encrypted data can be truncated,
leaving the corresponding decrypted data also truncated, but otherwise
consistent. If one needs to ensure data integrity as well as secrecy,
this can be achieved by other methods. The recommended method is to
prepend a cryptographic hash (for instance, an SHA-1 hash) to the data
before encryption.

ccrypt does not claim to provide any particular safeguards against
information leaking via the local operating system. While reasonable
precautions are taken, there is no guarantee that keywords and
plaintexts have been physically erased after encryption is completed;
parts of such data might still exist in memory or on disk. ccrypt does
not currently use privileged memory pages.

When encrypting files, ccrypt by default accesses them in read-write
mode. This normally causes the original file to be physically
overwritten, but on some file systems, this might not be the case.

Note that the use of the -K option is unsafe in a multiuser
environment, because the command line of a process is visible to other
users running the ps command. The use of the -E option is potentially
unsafe for the same reason, although recent versions of ps don't tend
to display environment information to other users. The use of the -T
option is unsafe for encryption because the original plaintext will
remain in unused sectors of the file system.

EMACS PACKAGE
There is an emacs package for reading and writing encrypted files.
(Note that this package currently only works with emacs, not with
xemacs.) This package hooks into the low-level file I/O functions of
emacs, prompting the user for a password where appropriate. It is
implemented in much the same way as support for compressed files; in
fact, the package, whose name is jka-compr-ccrypt, is based directly on
the jka-compr package, which is part of GNU Emacs. It handles both
encrypted and compressed files (although currently not encrypted
compressed files).

To use the package, simply load jka-compr-ccrypt, then edit as usual.
When you open a file with the ".cpt" extension, emacs will prompt you
for a password for the file. It will remember the password for the
buffer, and when you save the file later, it will be automatically
encrypted again (provided you save it with a ".cpt" extension). Except
for the password prompt, the operation of the package should be
transparent to the user. The package also handles compressed ".gz",
".bz2", and ".Z" files, and it should be used instead of, not in
addition to, jka-compr. The command M-x ccrypt-set-buffer-password can
be used to change the current password of a buffer.

The simplest way to use this package is to include the lines

    (setq load-path (cons "path" load-path))
    (require 'jka-compr-ccrypt "jka-compr-ccrypt.el")

in your .emacs file, where path is the directory that holds the file
jka-compr-ccrypt.el. You may also need to disable loading of the old
jka-compr package, since the two packages are not compatible with each
other (and in any case, jka-compr-ccrypt contains all the functionality
of jka-compr).

Limitations of the emacs package: there is no guarantee that
unencrypted information cannot leak to the file system; in fact, the
package sometimes writes unencrypted data to temporary files. However,
auto-saved files are normally treated correctly (i.e., encrypted). For
details, see the comments in the file jka-compr-ccrypt.el.

EXIT STATUS
The exit status is 0 on successful completion, and non-zero otherwise.
An exit status of 1 means illegal command line, 2 is out of memory, 3
is a fatal i/o error, 4 is a non-matching key or wrong file format, 6
is interrupt, 7 is mistyped key in --timid mode, 8 is a non-fatal i/o
error, and 9 means that no key was obtained because the user failed to
enter it, or because the specified keyfile or environment variable
could not be read. An exit status of 10 means that the file specified
by the --keyref option could not be read, or did not match the
requested encryption key.

Fatal i/o errors are those that occur while processing a file that is
already open. Such errors cause ccrypt to abort its operation
immediately with an exit status of 3. Non-fatal i/o errors are those
that occur while handling files that are not already open; typically,
such errors are caused by files that are missing, not readable, or
can't be created. When encountering a non-fatal i/o error, ccrypt
simply continues to process the next available input file. The exit
status of 8 is delayed until after all the files have been processed.

Non-matching keys and wrong file formats are also considered non-fatal
errors, and cause ccrypt to continue with processing the next available
input file. In this case, an exit status of 4 is given after all the
files have been processed. If there is a conflict between exit status 4
and 8, then 8 is returned.

The former exit status 5 ("wrong file format") has been eliminated, and
is now covered under exit status 4 ("non-matching key or wrong file
format"). Note that ccrypt does not really have a "file format" in the
proper sense of the word; any file of length at least 32 bytes is
potentially a valid encrypted file.
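
One way for a script to follow the -k - advice from OPTIONS and act on the exit statuses listed above. This wrapper is an added example and not part of ccrypt; the function names (build_argv, key_lines, interpret, run_ccrypt) are hypothetical, and it assumes a ccrypt binary on the PATH and file arguments rather than filter mode.

```python
import subprocess

MODE_FLAGS = {"encrypt": "-e", "decrypt": "-d", "keychange": "-x"}

# Exit statuses as listed in the EXIT STATUS section of this page.
EXIT_STATUS = {
    0: "success",
    1: "illegal command line",
    2: "out of memory",
    3: "fatal i/o error",
    4: "non-matching key or wrong file format",
    6: "interrupt",
    7: "mistyped key in --timid mode",
    8: "non-fatal i/o error",
    9: "no key obtained",
    10: "--keyref file unreadable or key mismatch",
}
# 4 and 8 are reported only after every file was attempted, so some files
# may have been processed while others were skipped.
PARTIAL = {4, 8}


def build_argv(mode, paths, binary="ccrypt"):
    """Command line that carries no keyword: the key arrives on stdin (-k -)."""
    if not paths:
        # This wrapper handles files only; stdin is reserved for the keyword.
        raise ValueError("at least one file is required")
    # "--" keeps file names that start with "-" from being read as options.
    return [binary, MODE_FLAGS[mode], "-k", "-", "--", *paths]


def key_lines(mode, keyword, new_keyword=None):
    """First line is the keyword; keychange mode reads a second line."""
    keys = [keyword, new_keyword] if mode == "keychange" else [keyword]
    for k in keys:
        if not k or "\n" in k:
            raise ValueError("keyword must be a non-empty single line")
    return "".join(k + "\n" for k in keys).encode()


def interpret(status):
    """Map an exit status to (ok, recheck_each_file, description)."""
    return (status == 0, status in PARTIAL,
            EXIT_STATUS.get(status, "unknown status %d" % status))


def run_ccrypt(mode, paths, keyword, new_keyword=None, binary="ccrypt"):
    """Run ccrypt with the keyword on stdin, never in argv or the environment."""
    proc = subprocess.run(build_argv(mode, paths, binary),
                          input=key_lines(mode, keyword, new_keyword),
                          stderr=subprocess.PIPE, check=False)
    return interpret(proc.returncode)
```

When the second element of the result is true (status 4 or 8), the caller should check each file individually, since ccrypt continued past the failing file.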

BUGS
While ccrypt can handle keywords of arbitrary length, some operating
systems limit the length of an input line to 1024 characters.

The renaming of files (adding or removing the .cpt suffix) can go wrong
if a filename is repeated on the command line. In this case, the file
is only encrypted/decrypted once, but the suffix may be added or
removed several times. This is because ccrypt thinks it encountered
different hardlinks for the same file.

The --strictsuffix option can behave in unexpected ways if one file has
several hardlinks, some of which have the suffix and some of which
don't. In this case, the inode will be encrypted/decrypted, but the
suffix will be changed only for those filenames that allow it.
Similarly, if a file cannot be renamed because a file of the given name
already exists, the file may still be encrypted/decrypted if it has
another hardlink.

VERSION
1.9

AUTHOR
Peter Selinger <selinger at users.sourceforge.net>

COPYRIGHT
Copyright (C) 2000-2009 Peter Selinger

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. See also
http://www.gnu.org/.

Version 1.9 August 2009 CCRYPT(1)