1CCRYPT(1) Encryption CCRYPT(1)
3
7 ccrypt - encrypt and decrypt files and streams
8
10 ccrypt [mode] [options] [file...]
11 ccencrypt [options] [file...]
12 ccdecrypt [options] [file...]
13 ccat [options] file...
14
16 ccrypt is a utility for encrypting and decrypting files and streams. It
17 was designed to replace the standard unix crypt utility, which is noto‐
18 rious for using a very weak encryption algorithm. ccrypt is based on
19 the Rijndael block cipher, a version of which was also chosen by the
20 U.S. government as the Advanced Encryption Standard (AES, see
21 http://www.nist.gov/aes). This cipher is believed to provide very
22 strong cryptographic security.
23 Unlike unix crypt, the algorithm provided by ccrypt is not symmetric,
25 i.e., one must specify whether to encrypt or decrypt. The most common
26 way to invoke ccrypt is via the commands ccencrypt and ccdecrypt.
27 Encryption and decryption depends on a keyword (or key phrase) supplied
29 by the user. By default, the user is prompted to enter a keyword from
30 the terminal. Keywords can consist of any number of characters, and all
31 characters are significant (although ccrypt internally hashes the key
32 to 256 bits). Longer keywords provide better security than short ones,
33 since they are less likely to be discovered by exhaustive search.
34
36 ccrypt can operate in five different modes. If more than one mode is
37 specified, the last one specified takes precedence. The aliases ccen‐
38 crypt, ccdecrypt, and ccat are provided as a convenience; they are
39 equivalent to ccrypt -e, ccrypt -d, and ccrypt -c, respectively.
40 -e, --encrypt Encrypt. This is the default mode. If filename arguments
42 are given, encrypt the files and append the suffix .cpt
43 to their names. Otherwise, run as a filter.
44 -d, --decrypt Decrypt. If filename arguments are given, decrypt the
46 files and strip the suffix .cpt from the filenames, if
47 present. Otherwise, run as a filter.
48 -c, --cat Decrypt one or more files to standard output. If no
50 filename arguments are given, decrypt as a filter.
51 Implies -l.
52 -x, --keychange
54 Change the key of encrypted data. In this mode, ccrypt
55 prompts for two passwords: the old one and the new one.
56 If filename arguments are given, modify the files. Oth‐
57 erwise, run as a filter.
58 -u, --unixcrypt
60 Simulate the old unix crypt command. Note: the cipher
61 used by unix crypt has been broken and is not secure.
62 Please use this option only to decrypt existing files.
63 If filename arguments are given, decrypt the files to
64 stdout. Otherwise, run as a filter. Note that for the
65 unix crypt format, there is no easy way to detect
66 whether a given key matches or not; thus, for safety,
67 this mode does not overwrite files.
68
70 The following options are supported in addition to the modes described
71 above:
72 -b, --brave When reading an encryption key from the terminal, ask
74 the user only once for the key. By default, ccrypt will
75 ask the user to enter such keys twice, as a safeguard
76 against accidentally destroying data due to a mistyped
77 key. Using the --brave option disables this safety
78 check. Never use it, unless you know what you are doing.
79 See also --timid.
80 -E var, --envvar var
82 Read the keyword from the environment variable var.
83 Note that this might be unsafe on certain systems,
84 namely where users can use the ps command to see the
85 environment of a process owner by another user. On most
86 modern systems, however, such behavior of ps is disabled
87 and the -E option should be safe there. Also, as an
88 added security measure, ccrypt erases the keyword from
89 its environment immediately after reading it.
90 -f, --force Overwrite existing files or operate on write-protected
92 files without asking any questions. Also, override
93 ccrypt's reluctance to write or read encrypted data to
94 or from a terminal.
95 -F var, --envvar2 var
97 Same as -E, except for second keyword (in keychange
98 mode).
99 -h, --help Help. Print usage information and exit.
101 -H key, --key2 key
103 Same as -K, except for second keyword (in keychange
104 mode).
105 -k file, --keyfile file
107 Read the keyword as the first line from the named file.
108 In keychange mode, two keywords are read as the first
109 two lines of the file. The filename "-" may be given for
110 reading keywords from standard input. Using the -k -
111 option and sending the keyword on stdin is probably the
112 safest way to pass a keyword to ccrypt from another pro‐
113 gram or script.
114 -K key, --key key
116 Specify the keyword on the command line. This is unsafe,
117 because any other user can see the command line by run‐
118 ning the ps command. Only use this option for testing
119 purposes, and never with a real keyword.
120 -y file, --keyref file
122 In encryption or keychange mode, check the encryption
123 key against the named file, which must have been previ‐
124 ously encrypted with the same key. Exit with an error
125 message if the key does not match. This option is useful
126 as an alternative to --timid, to guard against mistyped
127 keys in situations where several files are encrypted
128 with the same key. This option implies --brave, unless
129 the --timid option is explicitly given after the
130 --keyref option.
131 -l, --symlinks Force encryption/decryption of symbolic links. By
133 default, symbolic links are ignored except in cat or
134 unixcrypt mode. Note that with the -l option, encryp‐
135 tion/decryption of a symbolic link causes the suffix
136 .cpt to be added/removed from the name of the link, not
137 the name of the file pointed to.
138 -L, --license Print license info and exit.
140 -m, --mismatch Normally, ccrypt refuses to decrypt data with a key that
142 does not seem to match. The -m option overrides this
143 restriction. This can sometimes be useful in recovering
144 data from a corrupted file (see RECOVERING DATA FROM
145 CORRUPTED FILES). To avoid irretrievable loss of data
146 when decrypting with a wrong key, this option cannot be
147 used with modes that overwrite the input file.
148 -P prompt, --prompt prompt
150 Use prompt instead of the default prompt "Enter encryp‐
151 tion/decryption key: ". This may be useful in some
152 shell scripts.
153 -q, --quiet Suppress most warnings.
155 -Q prompt, --prompt2 prompt
157 Same as -P, except for second keyword (in keychange
158 mode).
159 -r, --recursive
161 Traverse subdirectories recursively.
162 -R, --rec-symlinks
164 Traverse subdirectories recursively, and also follow
165 symbolic links to subdirectories.
166 -s, --strictsuffix
168 Refuse to encrypt files that already have the .cpt suf‐
169 fix (or that selected with -S). This can be useful when
170 adding some files to a directory of already encrypted
171 files. This option has no effect in decryption or key‐
172 change mode.
173 -S .suf, --suffix .suf
175 Use the suffix .suf instead of the default suffix .cpt.
176 -t, --timid When reading an encryption key from the terminal, ask
178 the user to enter the key twice. If the two entered keys
179 are not identical, abort. This is a safeguard against
180 accidentally destroying data by encrypting it with a
181 mistyped key. Note: this behavior is now the default,
182 and can be overridden with the --brave option.
183 -T, --tmpfiles This option causes ccrypt to use temporary files during
185 encryption/decryption, rather than overwriting the file
186 contents destructively. This method leaves the original
187 file contents lying around in unused sectors of the file
188 system, and thus is less secure than the default behav‐
189 ior. However, in situations where this loss of security
190 is not important, the --tmpfiles option can provide a
191 measure of protection against data being corrupted due
192 to a system crash in the middle of overwriting a file.
193 -v, --verbose Print progress information to stderr.
195 -V, --version Print version info and exit.
197 -- End of options. Any remaining arguments are interpreted
199 as filenames. This also turns off filter mode, even if
200 zero filenames follow. This might be useful in the con‐
201 text of shell pattern expansion; ccrypt -- * will behave
202 correctly even if no files match the pattern *.
203
205 The user interface of ccrypt intentionally resembles that of GNU gzip,
206 although it is not identical. When invoked with filename arguments,
207 ccrypt normally modifies the files in place, overwriting their old con‐
208 tent. Unlike gzip, the output is not first written to a temporary file;
209 instead, the data is literally overwritten. For encryption, this is
210 usually the desired behavior, since one does not want copies of the
211 unencrypted data to remain in hidden places in the file system. The
212 disadvantage is that if ccrypt is interrupted in the middle of writing
213 to a file, the file will end up in a corrupted, partially encrypted
214 state. However, in such cases it is possible to recover most of the
215 data; see RECOVERING DATA FROM CORRUPTED FILES below. If you want to
216 force ccrypt to use temporary files, use the --tmpfiles option.
217 When ccrypt receives an interrupt signal (Ctrl-C) while updating a file
219 in place, it does not exit immediately, but rather delays the exit
220 until after it finishes writing to the current file. This is to prevent
221 files from being partially overwritten and thus corrupted. If you want
222 to force ccrypt to exit immediately, just press Ctrl-C twice quickly.
223 The encryption algorithm used by ccrypt uses a random seed that is dif‐
225 ferent each time. As a result, encrypting the same file twice will
226 never yield the same result. The advantage of this method is that simi‐
227 larities in plaintext do not lead to similarities in ciphertext; there
228 is no way of telling whether the content of two encrypted files is sim‐
229 ilar or not.
230 Because of the use of a random seed, decrypting and re-encrypting a
232 file with the same key will not lead to an identical file. It is pri‐
233 marily for this reason that ccrypt refuses to decrypt files with a non-
234 matching key; if this were allowed, there would be no way afterwards to
235 restore the original file, and the data would be irretrievably lost.
236 When overwriting files, special care is taken with hard links and sym‐
238 bolic links. Each physical file (i.e., each inode) is processed at most
239 once, no matter how many paths to it are encountered on the command
240 line or in subdirectories traversed recursively. For each file that has
241 multiple hard links, a warning is printed, to alert the user that not
242 all paths to the file might have been properly renamed. Symbolic links
243 are ignored except in cat mode, or unless the -l or -R option is given.
244 Unlike gzip, ccrypt does not complain about files that have improper
246 suffixes. It is legal to doubly encrypt a file. It is also legal to
247 decrypt a file that does not have the .cpt suffix, provided the file
248 contains valid data for the given decryption key. Use the --strictsuf‐
249 fix option if you want to prevent ccrypt from encrypting files that
250 already have a .cpt suffix.
251 Regarding encryption and compression: encrypted data is statistically
253 indistinguishable from random data, and thus it cannot be compressed.
254 But of course it is possible to compress the data first, then encrypt
255 it. Suggested file suffixes are .gz.cpt or .gzc.
256
258 Encrypted data might be corrupted for a number of reasons. For
259 instance, a file might have been partially encrypted or decrypted if
260 ccrypt was interrupted while processing the file. Or data might be cor‐
261 rupted by a software or hardware error, or during transmission over a
262 network. The encryption algorithm used by ccrypt is designed to allow
263 recovery from errors. In general, only a few bytes of data will be lost
264 near where the error occurred.
265 Data encrypted by ccrypt can be thought of as a sequence of 32-byte
267 blocks. To decrypt a particular block, ccrypt only needs to know the
268 decryption key, the data of the block itself, and the data of the block
269 immediately preceding it. ccrypt cannot tell whether a block is cor‐
270 rupted or not, except the very first block, which is special. Thus, if
271 the encrypted data has been altered in the middle or near the end of a
272 file, ccrypt can be run to decrypt it as usual, and most of the data
273 will be decrypted correctly, except near where the corruption occurred.
274 The very first block of encrypted data is special, because it does not
276 actually correspond to any plaintext data; this block holds the random
277 seed generated at encryption time. ccrypt also uses the very first
278 block to decide whether the given keyword matches the data or not. If
279 the first block has been corrupted, ccrypt will likely decide that the
280 keyword does not match; in such cases, the -m option can be used to
281 force ccrypt to decrypt the data anyway.
282 If a file contains some encrypted and some unencrypted data, or data
284 encrypted with two different keys, one should decrypt the entire file
285 with each applicable key, and then piece together the meaningful parts
286 manually.
287 Finally, decryption will only produce meaningful results if the data is
289 aligned correctly along block boundaries. If the block boundary infor‐
290 mation has been lost, one has to try all 32 possibilities.
291
293 Block ciphers operate on data segments of a fixed length. For
294 instance, the Rijndael block cipher used in ccrypt has a block length
295 of 32 bytes or 256 bits. Thus, this cipher encrypts 32 bytes at a time.
296 Stream ciphers operate on data streams of any length. There are several
298 standard modes for operating a block cipher as a stream cipher. One
299 such standard is Cipher Feedback (CFB), defined in NIST Special Publi‐
300 cation 800-38A and ANSI X3.106-1983. ccrypt implements a stream cipher
301 by operating the Rijndael block cipher in CFB mode.
302 Let P[i] and C[i] be the ith block of the plaintext and ciphertext,
304 respectively. CFB mode specifies that
305 C[i] = P[i] ^ E(k,C[i-1])
307 Here ^ denotes the bitwise exclusive or function, and E(k,x) denotes
309 the encryption of the block x under the key k using the block cipher.
310 Thus, each block of the ciphertext is calculated from the corresponding
311 block of plaintext and the previous block of ciphertext. Note that in
312 fact, each byte of P[i] can be calculated from the corresponding byte
313 of C[i], so that the stream cipher can be applied to one byte at a
314 time. In particular, the stream length need not be a multiple of the
315 block size.
316 Assuming that blocks are numbered starting from 0, a special "initial"
318 ciphertext block C[-1] is needed to provide the base case for the above
319 formula. This value C[-1] is called the initialization vector or seed.
320 The seed is chosen at encryption time and written as the first block of
321 the encrypted stream. It is important that the seed is unpredictable;
322 in particular, the same seed should never by used more than once. Oth‐
323 erwise, the two resulting ciphertext blocks C[0] could be related by a
324 simple xor to obtain information about the corresponding plaintext
325 blocks P[0]. If unpredictable seeds are used, CFB is provably as
326 secure as the underlying block cipher.
327 In ccrypt, the seed is constructed as follows: first, a nonce is con‐
329 tructed by hashing a combination of the host name, current time,
330 process id, and an internal counter into a 28-byte value, using a cryp‐
331 tographic hash function. The nonce is combined with a fixed four-byte
332 "magic number", and the resulting 32-byte value is encrypted by one
333 round of the Rijndael block cipher with the given key. This encrypted
334 block is used as the seed and appended to the beginning of the cipher‐
335 text. The use of the magic number allows ccrypt to detect non-matching
336 keys before decryption.
337
339 ccrypt is believed to provide very strong cryptographic security,
340 equivalent to that of the Rijndael cipher with 256-bit block size and
341 256-bit key size. Another version of the Rijndael cipher (with a
342 smaller block size) is used in the U.S. government's Advanced Encryp‐
343 tion Standard (AES, see http://www.nist.gov/aes). Therefore, this
344 cipher is very well studied and subject to intensive public scrutiny.
345 This scrutiny has a positive effect on the cipher's security. In par‐
346 ticular, if an exploitable weakness in this cipher were ever discov‐
347 ered, this would become widely publicized.
348 In practical terms, the security of ccrypt means that, without knowl‐
350 edge of the encryption key, it is effectively impossible to obtain any
351 information about the plaintext from a given ciphertext. This is true
352 even if a large number of plaintext-ciphertext pairs are already known
353 for the same key. Moreover, because ccrypt uses a key size of 256 bits,
354 an exhaustive search of the key space is not feasible, at least as long
355 as sufficiently long keys are actually used in practice. No cipher is
356 secure if users choose insecure keywords.
357 On the other hand, ccrypt does not attempt to provide data integrity,
359 i.e., it will not attempt to detect whether the ciphertext was modified
360 after encryption. In particular, encrypted data can be truncated, leav‐
361 ing the corresponding decrypted data also truncated, but otherwise con‐
362 sistent. If one needs to ensure data integrity as well as secrecy, this
363 can be achieved by other methods. The recommended method is to prepend
364 a cryptographic hash (for instance, an SHA-1 hash) to the data before
365 encryption.
366 ccrypt does not claim to provide any particular safeguards against
368 information leaking via the local operating system. While reasonable
369 precautions are taken, there is no guarantee that keywords and plain‐
370 texts have been physically erased after encryption in completed; parts
371 of such data might still exist in memory or on disk. ccrypt does not
372 currently use privileged memory pages.
373 When encrypting files, ccrypt by default accesses them in read-write
375 mode. This normally causes the original file to be physically overwrit‐
376 ten, but on some file systems, this might not be the case.
377 Note that the use of the -K option is unsafe in a multiuser environ‐
379 ment, because the command line of a process is visible to other users
380 running the ps command. The use of the -E option is potentially unsafe
381 for the same reason, although recent versions of ps don't tend to dis‐
382 play environment information to other users. The use of the -T option
383 is unsafe for encryption because the original plaintext will remain in
384 unused sectors of the file system.
385
387 There is an emacs package for reading and writing encrypted files.
388 (Note that this package currently only works with emacs, not with
389 xemacs.) This package hooks into the low-level file I/O functions of
390 emacs, prompting the user for a password where appropriate. It is
391 implemented in much the same way as support for compressed files. If
392 you have both the ps-ccrypt and jka-compr packages installed, emacs can
393 open encrypted files and compressed files; however, it does not cur‐
394 rently work for files that are encrypted and compressed.
395 To use the package, simply load ps-ccrypt, then edit as usual. When
397 you open a file with the ".cpt" extension, emacs will prompt you for a
398 password for the file. It will remember the password for the buffer,
399 and when you save the file later, it will be automatically encrypted
400 again (provided you save it with a ".cpt" extension). Except for the
401 password prompt, the operation of the package should be transparent to
402 the user. The command M-x ccrypt-set-buffer-password can be used to
403 change the current password of a buffer.
404 The simplest way to use this package is to include the lines
406 (setq load-path (cons "path" load-path))
408 (require 'ps-ccrypt "ps-ccrypt.el")
409 in your .emacs file, where path is the directory that holds the file
411 ps-ccrypt.el.
412 Limitations of the emacs package: there is no guarantee that unen‐
414 crypted information cannot leak to the file system; in fact, the pack‐
415 age sometimes writes unencrypted data to temporary files. However,
416 auto-saved files are normally treated correctly (i.e., encrypted). For
417 details, see the comments in the file ps-ccrypt.el.
418
420 The exit status is 0 on successful completion, and non-zero otherwise.
421 An exit status of 1 means illegal command line, 2 is out of memory or
422 another system error, 3 is a fatal i/o error, 4 is a non-matching key
423 or wrong file format, 6 is interrupt, 7 is mistyped key in --timid
424 mode, 8 is a non-fatal i/o error, and 9 means that no key was obtained
425 because the user failed to enter it, or because the specified keyfile
426 or environment variable could not be read. An exit status of 10 means
427 that the file specified by the --keyref option could not be read, or
428 did not match the requested encryption key.
429 Fatal i/o errors are those that occur while processing a file that is
431 already open. Such errors cause ccrypt to abort its operation immedi‐
432 ately with an exit status of 3. Non-fatal i/o errors are those that
433 occur while handling files that are not already open; typically, such
434 errors are caused by files that are missing, not readable, or can't be
435 created. When encountering a non-fatal i/o error, ccrypt simply con‐
436 tinues to process the next available input file. The exit status of 8
437 is delayed until after all the files have been processed.
438 Non-matching keys and wrong file formats are also considered non-fatal
440 errors, and cause ccrypt to continue with processing the next available
441 input file. In this case, an exit status of 4 is given after all the
442 files have been processed. If there is a conflict between exit status 4
443 and 8, then 8 is returned.
444 The former exit status 5 ("wrong file format") has been eliminated, and
446 is now covered under exit status 4 ("non-matching key or wrong file
447 format"). Note that ccrypt does not really have a "file format" in the
448 proper sense of the word; any file of length at least 32 bytes is
449 potentially a valid encrypted file.
450
452 While ccrypt can handle keywords of arbitrary length, some operating
453 systems limit the length of an input line to 1024 characters.
454 The renaming of files (adding or removing the .cpt suffix) can go wrong
456 if a filename is repeated on the command line. In this case, the file
457 is only encrypted/decrypted once, but the suffix may be added or
458 removed several times. This is because ccrypt thinks it encountered
459 different hardlinks for the same file.
460 The --strictsuffix option can behave in unexpected ways if one file has
462 several hardlinks, some of which have the suffix and some of which
463 don't. In this case, the inode will be encrypted/decrypted, but the
464 suffix will be changed only for those filenames that allow it. Simi‐
465 larly, if a file cannot be renamed because a file of the given name
466 already exists, the file may still be encrypted/decrypted if it has
467 another hardlink.
468
470 1.10
471
473 Peter Selinger <selinger at users.sourceforge.net>
474
476 Copyright (C) 2000-2012 Peter Selinger
477 This program is free software; you can redistribute it and/or modify it
479 under the terms of the GNU General Public License as published by the
480 Free Software Foundation; either version 2 of the License, or (at your
481 option) any later version.
482 This program is distributed in the hope that it will be useful, but
484 WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
485 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
486 Public License for more details.
487 You should have received a copy of the GNU General Public License along
489 with this program; if not, write to the Free Software Foundation, Inc.,
490 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. See also
491 http://www.gnu.org/.
492Version 1.10 October 2012 CCRYPT(1)