svcadm(8)을 검색하려면 섹션에서 8 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
encrypt(1)
encrypt(1) User Commands encrypt(1)
NAME
encrypt, decrypt - encrypt or decrypt files
SYNOPSIS
/usr/bin/encrypt -l
/usr/bin/encrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]
/usr/bin/decrypt -l
/usr/bin/decrypt -a algorithm [-v]
[-k key_file | -K key_label [-T token_spec]]
[-i input_file] [-o output_file]
DESCRIPTION
These utilities encrypt or decrypt the given input file using the algo‐
rithm specified. If no input file is specified, input is read from
standard input. If no output file is specified, output is printed to
standard output.
If the -i and -o options specify the same file, the output is written
to a temporary work file in the same file system and then renamed to
replace the original input file.
The output file of encrypt and the input file for decrypt contains the
following information:
o Output format version number, 4 bytes in network byte order.
The current version is 1.
o Iterations used in key generation function, 4 bytes in net‐
work byte order.
o IV (ivlen bytes)[1]. IV data is generated by random bytes
equal to one block size.
o Salt data used in key generation (16 bytes).
o Cipher text data.
OPTIONS
The following options are supported:
-a algorithm Specify the name of the algorithm to use during the
encryption or decryption process. Note that some weak
algorithms may be available for use with the decrypt
command only and not for encryption. See USAGE, Algo‐
rithms for details.
-i input_file Specify the input file. The default is standard input
if -i is not specified.
-k key_file Specify the file containing the key value for the
encryption algorithm. Each algorithm has specific key
material requirements, as stated in the PKCS#11 spec‐
ification. If -k is not specified, encrypt prompts
for key material using getpassphrase(3C). The size of
the key file determines the key length, and
passphrases set from the terminal are always used to
generate 128 bit long keys for ciphers with a vari‐
able key length.
For information on generating a key file, see the
genkey subcommand in pktool(1). Alternatively, dd(8)
can be used to read data from the random(4D) device
to generate a key file.
-K key_label Specify the label of a symmetric token key in a
PKCS#11 token.
-l Display the list of algorithms available on the sys‐
tem. This list can change depending on the configura‐
tion of the cryptographic framework. The list is also
likely to be different for the encrypt and decrypt
commands, as some algorithms such as arcfour and des
can no longer be used for encryption, but only for
decryption. The keysizes are displayed in bits.
-o output_file Specify output file. The default is standard output
if -o is not specified. If standard output is used
without redirecting to a file, the terminal window
can appear to hang because the raw encrypted or
decrypted data has disrupted the terminal emulation,
much like viewing a binary file can do at times.
-T token_spec Specify a PKCS#11 token other than the default soft
token object store when the -K is specified.
token_spec has the format of:
token_name [:manuf_id [:serial_no]]
When a token label contains trailing spaces, this
option does not require them to be typed as a conve‐
nience to the user.
Colon separated token identification string. If any
of the parts have a literal colon (:) character, it
must be escaped by a backslash (\). If a colon (:) is
not found, the entire string (up to 32 characters) is
taken as the token label. If only one colon (:) is
found, the string is the token label and the manufac‐
turer.
-v Display verbose information. See Verbose section.
USAGE
Algorithms
The supported algorithms are displayed with their minimum and maximum
key sizes by the -l option. These algorithms are provided by the cryp‐
tographic framework. Each supported algorithm is an alias of the PKCS
#11 mechanism that is the most commonly used and least restricted ver‐
sion of a particular algorithm type. For example, aes is an alias to
CKM_AES_CBC_PAD and 3des is an alias to CKM_DES3_CBC_PAD. Algorithm
variants with no padding or ECB are not supported.
These aliases are used with the -a option and are case-sensitive.
Passphrase
When the -k option is not used during encryption and decryption tasks,
the user is prompted for a passphrase. The passphrase is manipulated
into a more secure key using the PBKDF2 algorithm specified in PKCS #5.
When a passphrase is used with encrypt and decrypt, the user entered
passphrase is turned into an encryption key using the PBKDF2 algorithm
as defined in PKCS #5 v2.0.
Verbose
If an input file is provided to the command, a progress bar spans the
screen. The progress bar denotes every 25% completed with a pipe sign
(|). If the input is from standard input, a period (.) is displayed
each time 40KB is read. Upon completion of both input methods, Done is
printed.
EXAMPLES
Example 1 Listing Algorithms Available For Use With encrypt
The following example lists available algorithms:
example$ encrypt -l
Algorithm Keysize: Min Max (bits)
-----------------------------------
aes 128 256
3des 128 192
camellia 128 256
Example 2 Encrypting Using AES
The following example encrypts using AES and prompts for a passphrase:
example$ encrypt -a aes -i myfile.txt -o secretstuff
Example 3 Encrypting Using AES with a Key File
The following example encrypts using AES after the key file has been
created:
example$ pktool genkey keystore=file keytype=aes keylen=128 \
outkey=key
example$ encrypt -a aes -k key -i myfile.txt -o secretstuff
Example 4 Using Pipes to Provide Encrypted Tape Backup
The following example uses pipes to provide encrypted tape backup:
example$ tar xcf - mydata | encrypt -a aes \
-k ./backup.key | dd of=/dev/rmt/0
Example 5 Using Pipes to Restore Tape Backup
The following example uses pipes to restore a tape backup:
example$ decrypt -a aes -k ./backup.key \
-i /dev/rmt/0 | tar zxvf -
Example 6 Encrypting an Input File Using the 3DES Algorithm
The following example encrypts the inputfile file with the 192-bit key
stored in the des3key file:
example$ encrypt -a 3des -k des3key -i inputfile -o outputfile
Example 7 Encrypting an Input File with an AES token key
The following example encrypts the input file with an AES token key in
the soft token keystore. The AES token key can be generated with
pktool(1):
example$ encrypt -a aes -K myaeskey \
-T "Sun Software PKCS#11 softtoken" -i inputfile \
-o outputfile
Example 8 Listing Algorithms Available For Use With decrypt
The following example lists algorithms available for use with decrypt
command:
$ decrypt -l
Algorithm Keysize: Min Max (bits)
------------------------------------------
aes 128 256
arcfour 8 2048
des 64 64
3des 128 192
camellia 128 256
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilityCommit‐
ted
SEE ALSO
digest(1), mac(1), pktool(1), getpassphrase(3C), libpkcs11(3LIB),
attributes(7), pkcs11_softtoken(7), dd(8)
Kaliski, B., RFC 2898, PKCS #5: Password-Based Cryptography Specifica‐
tion, Version 2.0, September 2000. https://tools.ietf.org/html/rfc2898
https://www.oasis-open.org/committees/pkcs11/
HISTORY
The -K and -T options were added in Oracle Solaris 11.0.
The encrypt and decrypt commands, and all other options, were added in
Solaris 10 3/05.
Oracle Solaris 11.4 21 Jun 2021 encrypt(1)