ENCRYPT man page on SmartOS

Man page or keyword search:  
man Server   16655 pages
apropos Keyword Search (all sections)
Output format
SmartOS logo
[printable version]

ENCRYPT(1)							    ENCRYPT(1)

NAME
       encrypt, decrypt - encrypt or decrypt files

SYNOPSIS
       /usr/bin/encrypt -l

       /usr/bin/encrypt -a algorithm [-v]
	    [-k key_file | -K key_label [-T token_spec]]
	    [-i input_file] [-o output_file]

       /usr/bin/decrypt -l

       /usr/bin/decrypt -a algorithm [-v]
	    [-k key_file | -K key_label [-T token_spec]]
	    [-i input_file] [-o output_file]

DESCRIPTION
       This  utility  encrypts	or  decrypts the given file or stdin using the
       algorithm specified. If no output file is specified, output is to stan‐
       dard  out.  If input and output are the same file, the encrypted output
       is written to a temporary work file in the  same	 filesystem  and  then
       used to replace the original file.

       On decryption, if the input and output are the same file, the cleartext
       replaces the ciphertext file.

       The output file of encrypt and the input file for decrypt contains  the
       following information:

	   o	  Output format version number, 4 bytes in network byte order.
		  The current version is 1.

	   o	  Iterations used in key generation function, 4 bytes in  net‐
		  work byte order.

	   o	  IV  (ivlen  bytes)[1].  iv data is generated by random bytes
		  equal to one block size.

	   o	  Salt data used in key generation (16 bytes).

	   o	  Cipher text data.

OPTIONS
       The following options are supported:

       -a algorithm
			 Specify the name of the algorithm to use  during  the
			 encryption  or	 decryption  process. See USAGE, Algo‐
			 rithms for details.

       -i input_file
			 Specify  the  input  file.  Default   is   stdin   if
			 input_file is not specified.

       -k key_file
			 Specify  the  file  containing	 the key value for the
			 encryption algorithm. Each algorithm has specific key
			 material requirements, as stated in the PKCS#11 spec‐
			 ification. If -k is not  specified,  encrypt  prompts
			 for key material using getpassphrase(3C). The size of
			 the  key  file	 determines  the   key	 length,   and
			 passphrases  set from the terminal are always used to
			 generate 128 bit long keys for ciphers with  a	 vari‐
			 able key length.

			 For  information  on  generating  a key file, see the
			 genkey subcommand in pktool(1). Alternatively, dd(1M)
			 can be used.

       -K key_label
			 Specify  the  label  of  a  symmetric	token key in a
			 PKCS#11 token.

       -l
			 Display the list of algorithms available on the  sys‐
			 tem. This list can change depending on the configura‐
			 tion of the cryptographic framework. The keysizes are
			 displayed in bits.

       -o output_file
			 Specify output file. Default is stdout if output_file
			 is not specified.  If stdout is  used	without	 redi‐
			 recting  to a file, the terminal window can appear to
			 hang because the raw encrypted or decrypted data  has
			 disrupted the terminal emulation, much like viewing a
			 binary file can do at times.

       -T token_spec
			 Specify a PKCS#11 token other than the	 default  soft
			 token object store when the -K is specified.

			 token_spec has the format of:

			   token_name [:manuf_id [:serial_no]]

			 When  a  token	 label	contains trailing spaces, this
			 option does not require them to be typed as a	conve‐
			 nience to the user.

			 Colon	separates  token identification string. If any
			 of the parts have a literal colon (:)	character,  it
			 must be escaped by a backslash (\). If a colon (:) is
			 not found, the entire string (up to 32 characters) is
			 taken	as  the	 token label. If only one colon (:) is
			 found, the string is the token label and the manufac‐
			 turer.

       -v
			 Display verbose information. See Verbose.

USAGE
   Algorithms
       The  supported  algorithms are displayed with their minimum and maximum
       key sizes in the -l option. These algorithms are provided by the	 cryp‐
       tographic  framework.  Each supported algorithm is an alias of the PKCS
       #11 mechanism that is the most commonly used and least restricted  ver‐
       sion  of	 a  particular algorithm type. For example, des is an alias to
       CKM_DES_CBC_PAD and arcfour is an alias to CKM_RC4. Algorithm  variants
       with no padding or ECB are not supported.

       These aliases are used with the -a option and are case-sensitive.

   Passphrase
       When  the -k option is not used during encryption and decryption tasks,
       the user is prompted for a passphrase. The  passphrase  is  manipulated
       into a more secure key using the PBKDF2 algorithm specified in PKCS #5.

       When  a	passphrase  is used with encrypt and decrypt, the user entered
       passphrase is turned into an encryption key using the PBKDF2  algorithm
       as defined defined in http://www.rsasecurity.com, PKCS #5 v2.0.

   Verbose
       If  an  input file is provided to the command, a progress bar spans the
       screen.	The progress bar denotes every 25% completed with a pipe  sign
       (|).  If	 the  input  is from standard input, a period (.) is displayed
       each time 40KB is read. Upon completion of both input methods, Done  is
       printed.

EXAMPLES
       Example 1 Listing Available Algorithms

       The following example lists available algorithms:

	 example$ encrypt -l
	      Algorithm	      Keysize:	Min   Max
	      -----------------------------------
	      aes			128   128
	      arcfour			  8   128
	      des			 64    64
	      3des			192   192

       Example 2 Encrypting Using AES

       The following example encrypts using AES and prompts for the encryption
       key:

	 example$ encrypt -a aes -i myfile.txt -o secretstuff

       Example 3 Encrypting Using AES with a Key File

       The following example encrypts using AES after the key  file  has  been
       created:

	 example$ pktool genkey keystore=file keytype=aes keylen=128 \
		     outkey=key
	 example$ encrypt -a aes -k key -i myfile.txt -o secretstuff

       Example 4 Using an In Pipe to Provide Encrypted Tape Backup

       The following example uses an in pipe to provide encrypted tape backup:

	 example$ ufsdump 0f - /var | encrypt -a arcfour \
	      -k /etc/mykeys/backup.k | dd of=/dev/rmt/0

       Example 5 Using an In Pipe to Restore Tape Backup

       The following example uses and in pipe to restore a tape backup:

	 example$ decrypt -a arcfour -k /etc/mykeys/backup.k \
	      -i /dev/rmt/0 | ufsrestore xvf -

       Example 6 Encrypting an Input File Using the 3DES Algorithm

       The  following example encrypts the inputfile file with the 192-bit key
       stored in the des3key file:

	 example$ encrypt -a 3des -k des3key -i inputfile -o outputfile

       Example 7 Encrypting an Input File with a DES token key

       The following example encrypts the input file file with a DES token key
       in  the	soft  token  keystore. The DES token key can be generated with
       pktool(1):

	 example$ encrypt -a des -K mydeskey \
	      -T "Sun Software PKCS#11 softtoken" -i inputfile \
	      -o outputfile

EXIT STATUS
       The following exit values are returned:

       0
	     Successful completion.

       >0
	     An error occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────┐
       │  ATTRIBUTE TYPE    │ ATTRIBUTE VALUE │
       ├────────────────────┼─────────────────┤
       │Interface Stability │ Committed	      │
       └────────────────────┴─────────────────┘

SEE ALSO
       digest(1),  pktool(1),	mac(1),	  dd(1M),   getpassphrase(3C),	 libp‐
       kcs11(3LIB), attributes(5), pkcs11_softtoken(5)

       System Administration Guide: Security Services

       RSA PKCS#11 v2.11: http://www.rsasecurity.com

       RSA PKCS#5 v2.0: http://www.rsasecurity.com

				 Dec 17, 2008			    ENCRYPT(1)
[top]

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net