encrypt(1)                       User Commands                      encrypt(1)



NAME

       encrypt, decrypt - encrypt or decrypt files


SYNOPSIS

       /usr/bin/encrypt -l


       /usr/bin/encrypt -a algorithm [-v]
            [-k key_file | -K key_label [-T token_spec]]
            [-i input_file] [-o output_file]


       /usr/bin/decrypt -l


       /usr/bin/decrypt -a algorithm [-v]
            [-k key_file | -K key_label [-T token_spec]]
            [-i input_file] [-o output_file]



DESCRIPTION

       This utility encrypts or decrypts the given file  or  stdin  using  the
       algorithm specified. If no output file is specified, output is to stan‐
       dard out. If input and output are the same file, the  encrypted  output
       is  written  to  a  temporary work file in the same filesystem and then
       used to replace the original file.


       On decryption, if the input and output are the same file, the cleartext
       replaces the ciphertext file.


       The output file of encrypt and the input file for decrypt  contain  the
       following fields, in this order:

           o      Output format version number, 4 bytes in network byte order.
                  The current version is 1.

           o      Iterations used in the key generation function, 4 bytes  in
                  network byte order.

           o      IV (ivlen bytes). The IV is generated  from  random  bytes,
                  and ivlen is one block size of the cipher. The IV length is
                  not stored in the file; it is implied by the algorithm given
                  with -a.

           o      Salt data used in key generation (16 bytes).

           o      Cipher text data.

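The header layout above, as a reader and writer in Python. This is an added example, not code from the Solaris encrypt(1) sources; it assumes the block sizes of the aliases `encrypt -l` lists (16 bytes for aes, 8 for des and 3des, and, as an assumption, 0 for the stream cipher arcfour), and it assumes HMAC-SHA-1 as the PBKDF2 PRF, which the page does not name. The sample file at the bottom is constructed, not produced by encrypt(1).

```python
"""Reader for the encrypt(1) output format described above.

Added example, not code from the Solaris encrypt(1) sources. Layout, from the
page: 4-byte version (network byte order, currently 1), 4-byte PBKDF2
iteration count (network byte order), an IV of one cipher block, a 16-byte
salt, then the ciphertext. The file carries no length fields, so the reader
must know the IV length from the algorithm name, just as decrypt(1) gets it
from -a.
"""
import hashlib
import struct
from dataclasses import dataclass

FORMAT_VERSION = 1
SALT_LEN = 16
FIXED_LEN = 8  # version + iterations

# IV length (one cipher block) per algorithm alias listed by `encrypt -l`.
# ASSUMPTION: arcfour is a stream cipher with no block, so its IV length is
# taken as 0 here; the page does not state this explicitly.
IV_LEN = {"aes": 16, "des": 8, "3des": 8, "arcfour": 0}


@dataclass(frozen=True)
class EncryptedFile:
    version: int
    iterations: int
    iv: bytes
    salt: bytes
    ciphertext: bytes


def parse_encrypted(data: bytes, algorithm: str) -> EncryptedFile:
    """Split an encrypt(1) output blob into its header fields and ciphertext."""
    try:
        ivlen = IV_LEN[algorithm]
    except KeyError:
        raise ValueError(f"unknown algorithm alias {algorithm!r}") from None
    need = FIXED_LEN + ivlen + SALT_LEN
    if len(data) < need:
        raise ValueError(f"truncated header: need {need} bytes, have {len(data)}")
    version, iterations = struct.unpack("!II", data[:FIXED_LEN])
    if version != FORMAT_VERSION:
        raise ValueError(f"unsupported format version {version}")
    if iterations == 0:
        # A zero iteration count makes PBKDF2 undefined; refuse a damaged
        # header rather than silently weaken key derivation.
        raise ValueError("iteration count must be positive")
    off = FIXED_LEN
    iv = data[off:off + ivlen]
    off += ivlen
    salt = data[off:off + SALT_LEN]
    off += SALT_LEN
    return EncryptedFile(version, iterations, iv, salt, data[off:])


def build_encrypted(iterations: int, iv: bytes, salt: bytes, ciphertext: bytes) -> bytes:
    """Inverse of parse_encrypted: serialise the fields in the page's order."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return struct.pack("!II", FORMAT_VERSION, iterations) + iv + salt + ciphertext


def derive_passphrase_key(passphrase: str, hdr: EncryptedFile, key_bits: int = 128) -> bytes:
    """PBKDF2 over the stored salt and iteration count.

    The page says terminal passphrases always yield 128-bit keys for
    variable-length ciphers and that PKCS #5 v2.0 PBKDF2 is used.
    ASSUMPTION: HMAC-SHA-1 as the PRF (the PKCS #5 v2.0 default) and the
    passphrase encoded as UTF-8 bytes; the page names neither.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), hdr.salt,
                               hdr.iterations, key_bits // 8)


# Constructed sample: a fake AES file with a recognisable IV and salt and
# 32 bytes of placeholder "ciphertext". Not produced by encrypt(1).
SAMPLE_IV = bytes(range(16))
SAMPLE_SALT = b"\xaa" * 16
SAMPLE = build_encrypted(2000, SAMPLE_IV, SAMPLE_SALT, b"\x00" * 32)

if __name__ == "__main__":
    f = parse_encrypted(SAMPLE, "aes")
    print(f"version={f.version} iterations={f.iterations} "
          f"iv={f.iv.hex()} salt={f.salt.hex()} ct_len={len(f.ciphertext)}")
```

Parsing the same bytes with the wrong algorithm name does not fail; it silently shifts the IV and salt boundaries, which is why a file must be decrypted with the same -a it was encrypted with.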

OPTIONS

       The following options are supported:

       -a algorithm      Specify the name of the algorithm to use  during  the
                         encryption  or  decryption  process. See USAGE, Algo‐
                         rithms for details.


       -i input_file     Specify  the  input  file.  Default   is   stdin   if
                         input_file is not specified.


       -k key_file       Specify  the  file  containing  the key value for the
                         encryption algorithm. Each algorithm has specific key
                         material requirements, as stated in the PKCS#11 spec‐
                         ification. If -k is not  specified,  encrypt  prompts
                         for key material using getpassphrase(3C). The size of
                         the  key  file  determines  the   key   length,   and
                         passphrases  set from the terminal are always used to
                         generate 128 bit long keys for ciphers with  a  vari‐
                         able key length.

                         For  information  on  generating  a key file, see the
                         genkey subcommand in pktool(1). Alternatively, dd(1M)
                         can be used.


       -K key_label      Specify  the  label  of  a  symmetric  token key in a
                         PKCS#11 token.


       -l                Display the list of algorithms available on the  sys‐
                         tem. This list can change depending on the configura‐
                         tion of the cryptographic framework. The keysizes are
                         displayed in bits.


       -o output_file    Specify output file. Default is stdout if output_file
                         is not specified. If stdout is used without redirect‐
                         ing to a file, the terminal window can appear to hang
                         because the raw encrypted or decrypted data has  dis‐
                         rupted  the  terminal  emulation, much like viewing a
                         binary file can do at times.


       -T token_spec     Specify a PKCS#11 token other than the  default  soft
                         token object store when -K is specified.

                         token_spec has the format:

                           token_name [:manuf_id [:serial_no]]


                         Colons separate the parts of the token identification
                         string. A literal colon (:) in any part  must  be  es‐
                         caped  with  a backslash (\). If no colon is found, the
                         entire string (up to 32 characters) is  taken  as  the
                         token  label.  If  one colon is found, the string is the
                         token label and the manufacturer; if two  are  found,
                         the third part is the serial number.

                         As  a  convenience,  trailing  spaces in a token label
                         need not be typed.


       -v                Display verbose information. See Verbose.


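The token_spec rules given under -T above, as a parser in Python. This is an added example, not code from the Solaris encrypt(1) sources. It assumes the 32-character limit is enforced as an error (the page says only "up to 32 characters") and that a stored PKCS#11 token label is the fixed 32-byte, space-padded field defined by the standard, which is why trailing spaces are ignored when matching. The labels in the usage at the bottom are constructed.

```python
"""Parser for the -T token_spec argument described under OPTIONS above.

Added example, not code from the Solaris encrypt(1) sources. Rules from the
page: fields are separated by colons, a literal colon is escaped with a
backslash, the label is at most 32 characters, and trailing spaces in a
token label need not be typed. ASSUMPTION: a label over 32 characters is
rejected here rather than truncated.
"""
from dataclasses import dataclass
from typing import List, Optional

# CK_TOKEN_INFO.label in PKCS#11 is a fixed 32-byte, space-padded field.
TOKEN_LABEL_LEN = 32


@dataclass(frozen=True)
class TokenSpec:
    label: str
    manufacturer: Optional[str] = None
    serial: Optional[str] = None


def split_unescaped(spec: str, sep: str = ":") -> List[str]:
    """Split on sep, honouring backslash escapes; the backslash is consumed."""
    fields, cur, i = [], [], 0
    while i < len(spec):
        c = spec[i]
        if c == "\\" and i + 1 < len(spec):
            cur.append(spec[i + 1])
            i += 2
            continue
        if c == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_token_spec(spec: str) -> TokenSpec:
    """Parse token_name[:manuf_id[:serial_no]] into its parts."""
    parts = split_unescaped(spec)
    if len(parts) > 3:
        raise ValueError("token_spec has at most three fields: label[:manuf_id[:serial_no]]")
    label = parts[0]
    if not label:
        raise ValueError("token label must not be empty")
    if len(label) > TOKEN_LABEL_LEN:
        raise ValueError(f"token label longer than {TOKEN_LABEL_LEN} characters")
    manuf = parts[1] if len(parts) > 1 else None
    serial = parts[2] if len(parts) > 2 else None
    return TokenSpec(label, manuf, serial)


def label_matches(spec_label: str, token_label: bytes) -> bool:
    """Compare a typed label with the 32-byte space-padded label a token reports."""
    stored = token_label.decode("ascii", "replace").rstrip(" ")
    return spec_label.rstrip(" ") == stored


if __name__ == "__main__":
    # Constructed inputs; the softtoken label is the one from Example 7 above.
    for s in ("Sun Software PKCS#11 softtoken", r"my\:token:Example Manufacturer:0042"):
        print(parse_token_spec(s))
    print(label_matches("Sun Software PKCS#11 softtoken",
                        b"Sun Software PKCS#11 softtoken".ljust(TOKEN_LABEL_LEN)))
```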

USAGE

   Algorithms
       The  supported  algorithms are displayed with their minimum and maximum
       key sizes in the -l option. These algorithms are provided by the  cryp‐
       tographic  framework.  Each supported algorithm is an alias of the PKCS
       #11 mechanism that is the most commonly used and least restricted  ver‐
       sion  of  a  particular algorithm type. For example, des is an alias to
       CKM_DES_CBC_PAD and arcfour is an alias to CKM_RC4. Algorithm  variants
       with no padding or ECB are not supported.


       These aliases are used with the -a option and are case-sensitive.

   Passphrase
       When  the -k option is not used during encryption and decryption tasks,
       the user is prompted for a passphrase. The user-entered  passphrase  is
       turned  into  an  encryption key using the PBKDF2 algorithm as defined in
       PKCS #5 v2.0 (http://www.rsasecurity.com), with the salt and  iteration
       count stored in the file header.

   Verbose
       If  an  input file is provided to the command, a progress bar spans the
       screen. The progress bar denotes every 25% completed with a  pipe  sign
       (|).  If  the  input  is from standard input, a period (.) is displayed
       each time 40KB is read. Upon completion of both input methods, Done  is
       printed.


EXAMPLES

       Example 1 Listing Available Algorithms


       The following example lists available algorithms:


         example$ encrypt -l
              Algorithm       Keysize:  Min   Max
              -----------------------------------
              aes                       128   128
              arcfour                     8   128
              des                        64    64
              3des                      192   192



       Example 2 Encrypting Using AES


       The following example encrypts using AES and prompts for the encryption
       key:


         example$ encrypt -a aes -i myfile.txt -o secretstuff



       Example 3 Encrypting Using AES with a Key File


       The following example encrypts using AES after the key  file  has  been
       created:


         example$ pktool genkey keystore=file keytype=aes keylen=128 \
                     outkey=key
         example$ encrypt -a aes -k key -i myfile.txt -o secretstuff



       Example 4 Using a Pipe to Provide Encrypted Tape Backup


       The following example uses a pipe to provide an encrypted tape backup:


         example$ ufsdump 0f - /var | encrypt -a arcfour \
              -k /etc/mykeys/backup.k | dd of=/dev/rmt/0



       Example 5 Using a Pipe to Restore Tape Backup


       The following example uses a pipe to restore a tape backup:


         example$ decrypt -a arcfour -k /etc/mykeys/backup.k \
              -i /dev/rmt/0 | ufsrestore xvf -



       Example 6 Encrypting an Input File Using the 3DES Algorithm


       The following example encrypts the file inputfile with the 192-bit key
       stored in the file des3key:


         example$ encrypt -a 3des -k des3key -i inputfile -o outputfile



       Example 7 Encrypting an Input File with a DES token key


       The following example encrypts the file inputfile with a DES token key
       in  the  soft  token  keystore. The DES token key can be generated with
       pktool(1):


         example$ encrypt -a des -K mydeskey \
              -T "Sun Software PKCS#11 softtoken" -i inputfile \
              -o outputfile




EXIT STATUS

       The following exit values are returned:

       0     Successful completion.


       >0    An error occurred.



ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       digest(1),  pktool(1),   mac(1),   dd(1M),   getpassphrase(3C),   libp‐
       kcs11(3LIB), attributes(5), pkcs11_softtoken(5)


       System Administration Guide: Security Services


       RSA PKCS#11 v2.11: http://www.rsasecurity.com


       RSA PKCS#5 v2.0: http://www.rsasecurity.com



SunOS 5.11                        17 Dec 2008                       encrypt(1)