1
2CCRYPT(1)                         Encryption                         CCRYPT(1)
3
4
5

NAME

7       ccrypt - encrypt and decrypt files and streams
8

SYNOPSIS

10       ccrypt [mode] [options] [file...]
11       ccencrypt [options] [file...]
12       ccdecrypt [options] [file...]
13       ccat [options] file...
14

DESCRIPTION

16       ccrypt is a utility for encrypting and decrypting files and streams. It
17       was designed to replace the standard unix crypt utility, which is noto‐
18       rious  for  using a very weak encryption algorithm.  ccrypt is based on
19       the Rijndael block cipher, which was also chosen by the U.S. government
20       as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes).
21       This cipher is believed to provide very strong cryptographic security.
22
23       Unlike unix crypt, the algorithm provided by ccrypt is  not  symmetric,
24       i.e.,  one  must specify whether to encrypt or decrypt. The most common
25       way to invoke ccrypt is via the commands ccencrypt and ccdecrypt.
26
27       Encryption and decryption depends on a keyword (or key phrase) supplied
28       by  the  user. By default, the user is prompted to enter a keyword from
29       the terminal. Keywords can consist of any number of characters, and all
30       characters  are  significant (although ccrypt internally hashes the key
31       to 256 bits). Longer keywords provide better security than short  ones,
32       since they are less likely to be discovered by exhaustive search.
33

MODES

35       ccrypt  can  operate in five different modes.  If more than one mode is
36       specified, the last one specified takes precedence. The  aliases  ccen‐
37       crypt,  ccdecrypt,  and  ccat  are  provided as a convenience; they are
38       equivalent to ccrypt -e, ccrypt -d, and ccrypt -c, respectively.
39
40       -e, --encrypt  Encrypt. This is the default mode. If filename arguments
41                      are  given, encrypt the files and append the suffix .cpt
42                      to their names. Otherwise, run as a filter.
43
44       -d, --decrypt  Decrypt. If filename arguments are  given,  decrypt  the
45                      files  and  strip the suffix .cpt from the filenames, if
46                      present. Otherwise, run as a filter.
47
48       -c, --cat      Decrypt one or more files  to  standard  output.  If  no
49                      filename  arguments  are  given,  decrypt  as  a filter.
50                      Implies -l.
51
52       -x, --keychange
53                      Change the key of encrypted data. In this  mode,  ccrypt
54                      prompts  for two passwords: the old one and the new one.
55                      If filename arguments are given, modify the files.  Oth‐
56                      erwise, run as a filter.
57
58       -u, --unixcrypt
59                      Simulate  the  old  unix crypt command. Note: the cipher
60                      used by unix crypt has been broken and  is  not  secure.
61                      Please  use  this option only to decrypt existing files.
62                      If filename arguments are given, decrypt  the  files  to
63                      stdout.  Otherwise,  run  as a filter. Note that for the
64                      unix crypt format,  there  is  no  easy  way  to  detect
65                      whether  a  given  key matches or not; thus, for safety,
66                      this mode does not overwrite files.
67

OPTIONS

69       The following options are supported in addition to the modes  described
70       above:
71
72       -b, --brave    When  reading  an  encryption key from the terminal, ask
73                      the user only once for the key. By default, ccrypt  will
74                      ask  the  user  to enter such keys twice, as a safeguard
75                      against accidentally destroying data due to  a  mistyped
76                      key.  Using  the  --brave  option  disables  this safety
77                      check. Never use it, unless you know what you are doing.
78                      See also --timid.
79
80       -E var, --envvar var
81                      Read  the  keyword  from  the  environment variable var.
82                      Note that this  might  be  unsafe  on  certain  systems,
83                      namely  where  users  can  use the ps command to see the
84                      environment of a process owner by another user. On  most
85                      modern systems, however, such behavior of ps is disabled
86                      and the -E option should be safe  there.   Also,  as  an
87                      added  security  measure, ccrypt erases the keyword from
88                      its environment immediately after reading it.
89
90       -f, --force    Overwrite existing files or operate  on  write-protected
91                      files  without  asking  any  questions.  Also,  override
92                      ccrypt's reluctance to write or read encrypted  data  to
93                      or from a terminal.
94
95       -F var, --envvar2 var
96                      Same  as  -E,  except  for  second keyword (in keychange
97                      mode).
98
99       -h, --help     Help. Print usage information and exit.
100
101       -H key, --key2 key
102                      Same as -K, except  for  second  keyword  (in  keychange
103                      mode).
104
105       -k file, --keyfile file
106                      Read  the keyword as the first line from the named file.
107                      In keychange mode, two keywords are read  as  the  first
108                      two lines of the file. The filename "-" may be given for
109                      reading keywords from standard input.  Using  the  -k  -
110                      option  and sending the keyword on stdin is probably the
111                      safest way to pass a keyword to ccrypt from another pro‐
112                      gram or script.
113
114       -K key, --key key
115                      Specify the keyword on the command line. This is unsafe,
116                      because any other user can see the command line by  run‐
117                      ning  the  ps command.  Only use this option for testing
118                      purposes, and never with a real keyword.
119
120       -y file, --keyref file
121                      In encryption or keychange mode,  check  the  encryption
122                      key  against the named file, which must have been previ‐
123                      ously encrypted with the same key. Exit  with  an  error
124                      message if the key does not match. This option is useful
125                      as an alternative to --timid, to guard against  mistyped
126                      keys  in  situations  where  several files are encrypted
127                      with the same key. This option implies  --brave,  unless
128                      the   --timid  option  is  explicitly  given  after  the
129                      --keyref option.
130
131       -l, --symlinks Force  encryption/decryption  of  symbolic   links.   By
132                      default,  symbolic  links  are  ignored except in cat or
133                      unixcrypt mode. Note that with the  -l  option,  encryp‐
134                      tion/decryption  of  a  symbolic  link causes the suffix
135                      .cpt to be added/removed from the name of the link,  not
136                      the name of the file pointed to.
137
138       -L, --license  Print license info and exit.
139
140       -m, --mismatch Normally, ccrypt refuses to decrypt data with a key that
141                      does not seem to match. The  -m  option  overrides  this
142                      restriction.  This can sometimes be useful in recovering
143                      data from a corrupted file  (see  RECOVERING  DATA  FROM
144                      CORRUPTED  FILES).  To  avoid irretrievable loss of data
145                      when decrypting with a wrong key, this option cannot  be
146                      used with modes that overwrite the input file.
147
148       -P prompt, --prompt prompt
149                      Use  prompt instead of the default prompt "Enter encryp‐
150                      tion/decryption key: ".  This  may  be  useful  in  some
151                      shell scripts.
152
153       -q, --quiet    Suppress most warnings.
154
155       -Q prompt, --prompt2 prompt
156                      Same  as  -P,  except  for  second keyword (in keychange
157                      mode).
158
159       -r, --recursive
160                      Traverse subdirectories recursively.
161
162       -R, --rec-symlinks
163                      Traverse subdirectories  recursively,  and  also  follow
164                      symbolic links to subdirectories.
165
166       -s, --strictsuffix
167                      Refuse  to encrypt files that already have the .cpt suf‐
168                      fix (or that selected with -S). This can be useful  when
169                      adding  some  files  to a directory of already encrypted
170                      files. This option has no effect in decryption  or  key‐
171                      change mode.
172
173       -S .suf, --suffix .suf
174                      Use the suffix .suf instead of the default suffix .cpt.
175
176       -t, --timid    When  reading  an  encryption key from the terminal, ask
177                      the user to enter the key twice. If the two entered keys
178                      are  not  identical, abort.  This is a safeguard against
179                      accidentally destroying data by  encrypting  it  with  a
180                      mistyped  key.  Note:  this behavior is now the default,
181                      and can be overridden with the --brave option.
182
183       -T, --tmpfiles This option causes ccrypt to use temporary files  during
184                      encryption/decryption,  rather than overwriting the file
185                      contents destructively. This method leaves the  original
186                      file contents lying around in unused sectors of the file
187                      system, and thus is less secure than the default  behav‐
188                      ior.  However, in situations where this loss of security
189                      is not important, the --tmpfiles option  can  provide  a
190                      measure  of  protection against data being corrupted due
191                      to a system crash in the middle of overwriting a file.
192
193       -v, --verbose  Print progress information to stderr.
194
195       -V, --version  Print version info and exit.
196
197       --             End of options. Any remaining arguments are  interpreted
198                      as  filenames.  This also turns off filter mode, even if
199                      zero filenames follow. This might be useful in the  con‐
200                      text of shell pattern expansion; ccrypt -- * will behave
201                      correctly even if no files match the pattern *.
202

NOTES ON USAGE

204       The user interface of ccrypt intentionally resembles that of GNU  gzip,
205       although  it  is  not  identical. When invoked with filename arguments,
206       ccrypt normally modifies the files in place, overwriting their old con‐
207       tent. Unlike gzip, the output is not first written to a temporary file;
208       instead, the data is literally overwritten.  For  encryption,  this  is
209       usually  the  desired  behavior,  since one does not want copies of the
210       unencrypted data to remain in hidden places in  the  file  system.  The
211       disadvantage  is that if ccrypt is interrupted in the middle of writing
212       to a file, the file will end up in  a  corrupted,  partially  encrypted
213       state.   However,  in  such cases it is possible to recover most of the
214       data; see RECOVERING DATA FROM CORRUPTED FILES below. If  you  want  to
215       force ccrypt to use temporary files, use the --tmpfiles option.
216
217       When ccrypt receives an interrupt signal (Ctrl-C) while updating a file
218       in place, it does not exit immediately,  but  rather  delays  the  exit
219       until after it finishes writing to the current file. This is to prevent
220       files from being partially overwritten and thus corrupted. If you  want
221       to force ccrypt to exit immediately, just press Ctrl-C twice quickly.
222
223       The encryption algorithm used by ccrypt uses a random seed that is dif‐
224       ferent each time. As a result, encrypting  the  same  file  twice  will
225       never yield the same result. The advantage of this method is that simi‐
226       larities in plaintext do not lead to similarities in ciphertext;  there
227       is no way of telling whether the content of two encrypted files is sim‐
228       ilar or not.
229
230       Because of the use of a random seed,  decrypting  and  re-encrypting  a
231       file  with  the same key will not lead to an identical file. It is pri‐
232       marily for this reason that ccrypt refuses to decrypt files with a non-
233       matching key; if this were allowed, there would be no way afterwards to
234       restore the original file, and the data would be irretrievably lost.
235
236       When overwriting files, special care is taken with hard links and  sym‐
237       bolic links. Each physical file (i.e., each inode) is processed at most
238       once, no matter how many paths to it are  encountered  on  the  command
239       line or in subdirectories traversed recursively. For each file that has
240       multiple hard links, a warning is printed, to alert the user  that  not
241       all paths to the file might have been properly renamed.  Symbolic links
242       are ignored except in cat mode, or unless the -l or -R option is given.
243
244       Unlike gzip, ccrypt does not complain about files  that  have  improper
245       suffixes.  It  is  legal  to doubly encrypt a file. It is also legal to
246       decrypt a file that does not have the .cpt suffix,  provided  the  file
247       contains  valid data for the given decryption key. Use the --strictsuf‐
248       fix option if you want to prevent ccrypt  from  encrypting  files  that
249       already have a .cpt suffix.
250
251       Regarding  encryption  and compression: encrypted data is statistically
252       indistinguishable from random data, and thus it cannot  be  compressed.
253       But  of  course it is possible to compress the data first, then encrypt
254       it. Suggested file suffixes are .gz.cpt or .gzc.
255

RECOVERING DATA FROM CORRUPTED FILES

257       Encrypted data  might  be  corrupted  for  a  number  of  reasons.  For
258       instance,  a  file  might have been partially encrypted or decrypted if
259       ccrypt was interrupted while processing the file. Or data might be cor‐
260       rupted  by  a software or hardware error, or during transmission over a
261       network. The encryption algorithm used by ccrypt is designed  to  allow
262       recovery from errors. In general, only a few bytes of data will be lost
263       near where the error occurred.
264
265       Data encrypted by ccrypt can be thought of as  a  sequence  of  32-byte
266       blocks.  To  decrypt  a particular block, ccrypt only needs to know the
267       decryption key, the data of the block itself, and the data of the block
268       immediately  preceding  it.  ccrypt cannot tell whether a block is cor‐
269       rupted or not, except the very first block, which is special. Thus,  if
270       the  encrypted data has been altered in the middle or near the end of a
271       file, ccrypt can be run to decrypt it as usual, and most  of  the  data
272       will be decrypted correctly, except near where the corruption occurred.
273
274       The  very first block of encrypted data is special, because it does not
275       actually correspond to any plaintext data; this block holds the  random
276       seed  generated  at  encryption  time.  ccrypt also uses the very first
277       block to decide whether the given keyword matches the data or  not.  If
278       the  first block has been corrupted, ccrypt will likely decide that the
279       keyword does not match; in such cases, the -m option  can  be  used  to
280       force ccrypt to decrypt the data anyway.
281
282       If  a  file  contains some encrypted and some unencrypted data, or data
283       encrypted with two different keys, one should decrypt the  entire  file
284       with  each applicable key, and then piece together the meaningful parts
285       manually.
286
287       Finally, decryption will only produce meaningful results if the data is
288       aligned  correctly along block boundaries. If the block boundary infor‐
289       mation has been lost, one has to try all 32 possibilities.
290

DESCRIPTION OF THE CIPHER

292       Block ciphers  operate  on  data  segments  of  a  fixed  length.   For
293       instance,  the  Rijndael block cipher used in ccrypt has a block length
294       of 32 bytes or 256 bits. Thus, this cipher encrypts 32 bytes at a time.
295
296       Stream ciphers operate on data streams of any length. There are several
297       standard  modes  for  operating  a block cipher as a stream cipher. One
298       such standard is Cipher Feedback (CFB), defined in  FIPS  81  and  ANSI
299       X3.106-1983.  ccrypt  implements a stream cipher by operating the Rijn‐
300       dael block cipher in CFB mode.
301
302       Let P[i] and C[i] be the ith block of  the  plaintext  and  ciphertext,
303       respectively. CFB mode specifies that
304
305              C[i] = P[i] ^ E(k,C[i-1])
306
307       Here  ^  denotes  the bitwise exclusive or function, and E(k,x) denotes
308       the encryption of the block x under the key k using the  block  cipher.
309       Thus, each block of the ciphertext is calculated from the corresponding
310       block of plaintext and the previous block of ciphertext. Note  that  in
311       fact,  each  byte of P[i] can be calculated from the corresponding byte
312       of C[i], so that the stream cipher can be applied  to  one  byte  at  a
313       time.  In  particular,  the stream length need not be a multiple of the
314       block size.
315
316       Assuming that blocks are numbered starting from 0, a special  "initial"
317       ciphertext block C[-1] is needed to provide the base case for the above
318       formula. This value C[-1] is called the initialization vector or  seed.
319       The seed is chosen at encryption time and written as the first block of
320       the encrypted stream. It is important never to use the same  seed  more
321       than once; otherwise, the two resulting ciphertext blocks C[0] could be
322       related by a simple xor to obtain information about  the  corresponding
323       plaintext  blocks P[0].  If the same seed is never reused, CFB is prov‐
324       ably as secure as the underlying block cipher.
325
326       In ccrypt, the seed is constructed as follows: first, a combination  of
327       the  host  name,  current time, process id, and an internal counter are
328       hashed into a 28-byte value, using a  cryptographic  hash  function.  A
329       fixed  four-byte  "magic  number"  is combined with this value, and the
330       resulting 32-byte value is encrypted by one round of the Rijndael block
331       cipher  with the given key. The result is used as the seed and appended
332       to the beginning of the ciphertext. The use of the magic number  allows
333       ccrypt to detect non-matching keys before decryption.
334

SECURITY

336       ccrypt  is  believed  to  provide  very  strong cryptographic security,
337       equivalent to that of the Rijndael cipher with 256-bit block  size  and
338       256-bit  key  size.  Another  version  of  the  Rijndael cipher (with a
339       smaller block size) is used in the U.S. government's  Advanced  Encryp‐
340       tion  Standard  (AES,  see  http://www.nist.gov/aes).  Therefore,  this
341       cipher is very well studied and subject to intensive  public  scrutiny.
342       This  scrutiny  has a positive effect on the cipher's security. In par‐
343       ticular, if an exploitable weakness in this cipher  were  ever  discov‐
344       ered, this would become widely publicized.
345
346       In  practical  terms, the security of ccrypt means that, without knowl‐
347       edge of the encryption key, it is effectively impossible to obtain  any
348       information  about  the plaintext from a given ciphertext. This is true
349       even if a large number of plaintext-ciphertext pairs are already  known
350       for the same key. Moreover, because ccrypt uses a key size of 256 bits,
351       an exhaustive search of the key space is not feasible, at least as long
352       as  sufficiently  long keys are actually used in practice. No cipher is
353       secure if users choose insecure keywords.
354
355       On the other hand, ccrypt does not attempt to provide  data  integrity,
356       i.e., it will not attempt to detect whether the ciphertext was modified
357       after encryption. In particular, encrypted data can be truncated, leav‐
358       ing the corresponding decrypted data also truncated, but otherwise con‐
359       sistent. If one needs to ensure data integrity as well as secrecy, this
360       can  be achieved by other methods. The recommended method is to prepend
361       a cryptographic hash (for instance, an SHA-1 hash) to the  data  before
362       encryption.
363
364       ccrypt  does  not  claim  to  provide any particular safeguards against
365       information leaking via the local operating  system.  While  reasonable
366       precautions  are  taken, there is no guarantee that keywords and plain‐
367       texts have been physically erased after encryption in completed;  parts
368       of  such  data  might still exist in memory or on disk. ccrypt does not
369       currently use privileged memory pages.
370
371       When encrypting files, ccrypt by default accesses  them  in  read-write
372       mode. This normally causes the original file to be physically overwrit‐
373       ten, but on some file systems, this might not be the case.
374
375       Note that the use of the -K option is unsafe in  a  multiuser  environ‐
376       ment,  because  the command line of a process is visible to other users
377       running the ps command. The use of the -E option is potentially  unsafe
378       for  the same reason, although recent versions of ps don't tend to dis‐
379       play environment information to other users.  The use of the -T  option
380       is  unsafe for encryption because the original plaintext will remain in
381       unused sectors of the file system.
382

EMACS PACKAGE

384       There is an emacs package for  reading  and  writing  encrypted  files.
385       (Note  that  this  package  currently  only  works with emacs, not with
386       xemacs.)  This package hooks into the low-level file I/O  functions  of
387       emacs,  prompting  the  user  for  a  password where appropriate. It is
388       implemented in much the same way as support for  compressed  files;  in
389       fact, the package, whose name is jka-compr-ccrypt, is based directly on
390       the jka-compr package, which is part of  GNU  Emacs.  It  handles  both
391       encrypted  and  compressed files (although currently not encrypted com‐
392       pressed files).
393
394       To use the package, simply load jka-compr-ccrypt, then edit  as  usual.
395       When  you  open a file with the ".cpt" extension, emacs will prompt you
396       for a password for the file. It will remember the password for the buf‐
397       fer,  and  when  you  save  the  file  later,  it will be automatically
398       encrypted again (provided you save it with a ".cpt" extension).  Except
399       for  the password prompt, the operation of the package should be trans‐
400       parent to the user. The package also handles compressed ".gz",  ".bz2",
401       and  ".Z"  files, and it should be used instead of, not in addition to,
402       jka-compr. The command M-x ccrypt-set-buffer-password can  be  used  to
403       change the current password of a buffer.
404
405       The simplest way to use this package is to include the lines
406
407              (setq load-path (cons "path" load-path))
408              (require 'jka-compr-ccrypt "jka-compr-ccrypt.el")
409
410       in  your  .emacs  file, where path is the directory that holds the file
411       jka-compr-ccrypt.el. You may also need to disable loading  of  the  old
412       jka-compr  package, since the two packages are not compatible with each
413       other (and in any case, jka-compr-ccrypt contains all the functionality
414       of jka-compr).
415
416       Limitations  of  the  emacs  package:  there is no guarantee that unen‐
417       crypted information cannot leak to the file system; in fact, the  pack‐
418       age  sometimes  writes  unencrypted  data  to temporary files. However,
419       auto-saved files are normally treated correctly (i.e., encrypted).  For
420       details, see the comments in the file jka-compr-ccrypt.el.
421

EXIT STATUS

423       The  exit status is 0 on successful completion, and non-zero otherwise.
424       An exit status of 1 means illegal command line, 2 is out of  memory,  3
425       is  a  fatal i/o error, 4 is a non-matching key or wrong file format, 6
426       is interrupt, 7 is mistyped key in --timid mode, 8 is a  non-fatal  i/o
427       error,  and 9 means that no key was obtained because the user failed to
428       enter it, or because the  specified  keyfile  or  environment  variable
429       could  not  be read. An exit status of 10 means that the file specified
430       by the --keyref option  could  not  be  read,  or  did  not  match  the
431       requested encryption key.
432
433       Fatal  i/o  errors are those that occur while processing a file that is
434       already open. Such errors cause ccrypt to abort its  operation  immedi‐
435       ately  with  an  exit  status of 3. Non-fatal i/o errors are those that
436       occur while handling files that are not already open;  typically,  such
437       errors  are caused by files that are missing, not readable, or can't be
438       created.  When encountering a non-fatal i/o error, ccrypt  simply  con‐
439       tinues  to  process the next available input file. The exit status of 8
440       is delayed until after all the files have been processed.
441
442       Non-matching keys and wrong file formats are also considered  non-fatal
443       errors, and cause ccrypt to continue with processing the next available
444       input file. In this case, an exit status of 4 is given  after  all  the
445       files have been processed. If there is a conflict between exit status 4
446       and 8, then 8 is returned.
447
448       The former exit status 5 ("wrong file format") has been eliminated, and
449       is  now  covered  under  exit status 4 ("non-matching key or wrong file
450       format"). Note that ccrypt does not really have a "file format" in  the
451       proper  sense  of  the  word;  any  file of length at least 32 bytes is
452       potentially a valid encrypted file.
453

BUGS

455       While ccrypt can handle keywords of arbitrary  length,  some  operating
456       systems limit the length of an input line to 1024 characters.
457
458       The renaming of files (adding or removing the .cpt suffix) can go wrong
459       if a filename is repeated on the command line.  In this case, the  file
460       is  only  encrypted/decrypted  once,  but  the  suffix  may be added or
461       removed several times. This is because  ccrypt  thinks  it  encountered
462       different hardlinks for the same file.
463
464       The --strictsuffix option can behave in unexpected ways if one file has
465       several hardlinks, some of which have the  suffix  and  some  of  which
466       don't.  In  this  case,  the inode will be encrypted/decrypted, but the
467       suffix will be changed only for those filenames that  allow  it.  Simi‐
468       larly,  if  a  file  cannot be renamed because a file of the given name
469       already exists, the file may still be  encrypted/decrypted  if  it  has
470       another hardlink.
471

VERSION

473       1.9
474

AUTHOR

476       Peter Selinger <selinger at users.sourceforge.net>
477
479       Copyright (C) 2000-2009 Peter Selinger
480
481       This program is free software; you can redistribute it and/or modify it
482       under the terms of the GNU General Public License as published  by  the
483       Free  Software Foundation; either version 2 of the License, or (at your
484       option) any later version.
485
486       This program is distributed in the hope that it  will  be  useful,  but
487       WITHOUT  ANY  WARRANTY;  without  even  the  implied  warranty  of MER‐
488       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU  General
489       Public License for more details.
490
491       You should have received a copy of the GNU General Public License along
492       with this program; if not, write to the Free Software Foundation, Inc.,
493       59  Temple  Place,  Suite  330,  Boston,  MA  02111-1307, USA. See also
494       http://www.gnu.org/.
495
496
497
498Version 1.9                       August 2009                        CCRYPT(1)
Impressum