encrypt(1) 맨 페이지 - 윈디하나의 솔라나라


맨 페이지 이름


encrypt(1)                       User Commands                      encrypt(1)

       encrypt, decrypt - encrypt or decrypt files

       /usr/bin/encrypt -l

       /usr/bin/encrypt -a algorithm [-v]
            [-k key_file | -K key_label [-T token_spec]]
            [-i input_file] [-o output_file]

       /usr/bin/decrypt -l

       /usr/bin/decrypt -a algorithm [-v]
            [-k key_file | -K key_label [-T token_spec]]
            [-i input_file] [-o output_file]

       These utilities encrypt or decrypt the given input file using the algo‐
       rithm specified. If no input file is  specified,  input  is  read  from
       standard  input.  If  no output file is specified, output is printed to
       standard output.

       If the -i and -o options specify the same file, the output  is  written
       to  a  temporary  work file in the same file system and then renamed to
       replace the original input file.

       The output file of encrypt and the input file for decrypt contains  the
       following information:

           o      Output format version number, 4 bytes in network byte order.
                  The current version is 1.

           o      Iterations used in key generation function, 4 bytes in  net‐
                  work byte order.

           o      IV  (ivlen  bytes)[1].  IV data is generated by random bytes
                  equal to one block size.

           o      Salt data used in key generation (16 bytes).

           o      Cipher text data.

       The following options are supported:

       -a algorithm      Specify the name of the algorithm to use  during  the
                         encryption or decryption process. Note that some weak
                         algorithms may be available for use with the  decrypt
                         command only and not for encryption. See USAGE, Algo‐
                         rithms for details.

       -i input_file     Specify the input file. The default is standard input
                         if -i is not specified.

       -k key_file       Specify  the  file  containing  the key value for the
                         encryption algorithm. Each algorithm has specific key
                         material requirements, as stated in the PKCS#11 spec‐
                         ification. If -k is not  specified,  encrypt  prompts
                         for key material using getpassphrase(3C). The size of
                         the  key  file  determines  the   key   length,   and
                         passphrases  set from the terminal are always used to
                         generate 128 bit long keys for ciphers with  a  vari‐
                         able key length.

                         For  information  on  generating  a key file, see the
                         genkey subcommand in pktool(1). Alternatively,  dd(8)
                         can  be  used to read data from the random(4D) device
                         to generate a key file.

       -K key_label      Specify the label of  a  symmetric  token  key  in  a
                         PKCS#11 token.

       -l                Display  the list of algorithms available on the sys‐
                         tem. This list can change depending on the configura‐
                         tion of the cryptographic framework. The list is also
                         likely to be different for the  encrypt  and  decrypt
                         commands,  as some algorithms such as arcfour and des
                         can no longer be used for encryption,  but  only  for
                         decryption. The keysizes are displayed in bits.

       -o output_file    Specify  output  file. The default is standard output
                         if -o is not specified. If standard  output  is  used
                         without  redirecting  to  a file, the terminal window
                         can appear to  hang  because  the  raw  encrypted  or
                         decrypted  data has disrupted the terminal emulation,
                         much like viewing a binary file can do at times.

       -T token_spec     Specify a PKCS#11 token other than the  default  soft
                         token object store when the -K is specified.

                         token_spec has the format of:

                           token_name [:manuf_id [:serial_no]]

                         When  a  token  label  contains trailing spaces, this
                         option does not require them to be typed as a  conve‐
                         nience to the user.

                         Colon  separated  token identification string. If any
                         of the parts have a literal colon (:)  character,  it
                         must be escaped by a backslash (\). If a colon (:) is
                         not found, the entire string (up to 32 characters) is
                         taken  as  the  token label. If only one colon (:) is
                         found, the string is the token label and the manufac‐

       -v                Display verbose information. See Verbose section.

       The  supported  algorithms are displayed with their minimum and maximum
       key sizes by the -l option. These algorithms are provided by the  cryp‐
       tographic  framework.  Each supported algorithm is an alias of the PKCS
       #11 mechanism that is the most commonly used and least restricted  ver‐
       sion  of  a  particular algorithm type. For example, aes is an alias to
       CKM_AES_CBC_PAD and 3des is an  alias  to  CKM_DES3_CBC_PAD.  Algorithm
       variants with no padding or ECB are not supported.

       These aliases are used with the -a option and are case-sensitive.

       When  the -k option is not used during encryption and decryption tasks,
       the user is prompted for a passphrase. The  passphrase  is  manipulated
       into a more secure key using the PBKDF2 algorithm specified in PKCS #5.

       When  a  passphrase  is used with encrypt and decrypt, the user entered
       passphrase is turned into an encryption key using the PBKDF2  algorithm
       as defined in PKCS #5 v2.0.

       If  an  input file is provided to the command, a progress bar spans the
       screen. The progress bar denotes every 25% completed with a  pipe  sign
       (|).  If  the  input  is from standard input, a period (.) is displayed
       each time 40KB is read. Upon completion of both input methods, Done  is

       Example 1 Listing Algorithms Available For Use With encrypt

       The following example lists available algorithms:

         example$ encrypt -l
              Algorithm       Keysize:  Min   Max (bits)
              aes                       128   256
              3des                      128   192
              camellia                  128   256

       Example 2 Encrypting Using AES

       The following example encrypts using AES and prompts for a passphrase:

         example$ encrypt -a aes -i myfile.txt -o secretstuff

       Example 3 Encrypting Using AES with a Key File

       The  following  example  encrypts using AES after the key file has been

         example$ pktool genkey keystore=file keytype=aes keylen=128 \
         example$ encrypt -a aes -k key -i myfile.txt -o secretstuff

       Example 4 Using Pipes to Provide Encrypted Tape Backup

       The following example uses pipes to provide encrypted tape backup:

         example$ tar xcf - mydata | encrypt -a aes \
              -k ./backup.key | dd of=/dev/rmt/0

       Example 5 Using Pipes to Restore Tape Backup

       The following example uses pipes to restore a tape backup:

         example$ decrypt -a aes -k ./backup.key \
              -i /dev/rmt/0 | tar zxvf -

       Example 6 Encrypting an Input File Using the 3DES Algorithm

       The following example encrypts the inputfile file with the 192-bit  key
       stored in the des3key file:

         example$ encrypt -a 3des -k des3key -i inputfile -o outputfile

       Example 7 Encrypting an Input File with an AES token key

       The  following example encrypts the input file with an AES token key in
       the soft token keystore. The  AES  token  key  can  be  generated  with

         example$ encrypt -a aes -K myaeskey \
              -T "Sun Software PKCS#11 softtoken" -i inputfile \
              -o outputfile

       Example 8 Listing Algorithms Available For Use With decrypt

       The  following  example lists algorithms available for use with decrypt

         $ decrypt -l
         Algorithm       Keysize:         Min   Max (bits)
         aes                       128   256
         arcfour                     8  2048
         des                        64    64
         3des                      128   192
         camellia                  128   256

       The following exit values are returned:

       0     Successful completion.

       >0    An error occurred.

       See attributes(7) for descriptions of the following attributes:

       tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE  TYPEAT‐
       TRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilityCommit‐

       digest(1),  mac(1),  pktool(1),   getpassphrase(3C),   libpkcs11(3LIB),
       attributes(7), pkcs11_softtoken(7), dd(8)

       Kaliski,  B., RFC 2898, PKCS #5: Password-Based Cryptography Specifica‐
       tion, Version 2.0, September 2000. https://tools.ietf.org/html/rfc2898


       The -K and -T options were added in Oracle Solaris 11.0.

       The encrypt and decrypt commands, and all other options, were added  in
       Solaris 10 3/05.

Oracle Solaris 11.4               21 Jun 2021                       encrypt(1)
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.