|
NAMEmcrypt, mdecrypt - encrypt or decrypt filesSYNOPSISmcrypt [ -dLFubhvrzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ]mdecrypt [ -LFusbhvzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ] DESCRIPTIONMcrypt is a simple crypting program, a replacement for the old unix crypt(1). When encrypting or decrypting a file, a new file is created with the extension .nc and mode 0600. The new file keeps the modification date of the original. The original file may be deleted by specifying the -u parameter. If no files are specified, the standard input is encrypted to the standard output.Mcrypt uses all the symmetric algorithms included in libmcrypt. HINTSBy default, mcrypt , when one of these algorithms is specified, prompts something like: Enter passphrase: ... You should then enter a passphrase long enough (512 characters is the maximum length). Now in order to encrypt the file, The passphrase is transformed using the specified (or the default) key generation algorithm, and a random salt. The produced value is then used as the key, which is fed to the algorithm.Algorithm Vulnerability: Most algorithms today are designed to resist in specific attacks. None of them is proved not to be vulnerable to some kind of attack not as yet known. Compression: By compressing your data before encryption you gain both in efficiency (faster encryption) and safety of your data (language redundancy is removed). A drawback is that most compression programs will add specific headers in the compressed file, thus making known plaintext attacks easier. Compression after encryption is useless and may result to compressed files with longer size than the original. Error Recovery: There is some error recovery in mcrypt. If bytes are removed or lost from the file or stream in ECB, CBC and OFB modes, are impossible to recover, although CFB mode will recover. If some bytes are altered then a full block of plaintext is affected in ECB mode, two blocks in CBC and CFB modes, but only the corresponding byte in OFB mode. Mcrypt uses a 32 bit CRC to check for errors in the encrypted files. Extra security: For the very paranoid, if mcrypt is executed with superuser priviledges it ensures that no important data (keys etc.) are written to disk, as swap etc. Keep in mind that mcrypt was not designed to be a setuid program, so you shouldn't make it one. Do not rely on the fact that an algorithm has a large key size, try to use long passphrases and try to make them unpredictable. All the block algorithms above support these modes of encryption: ECB: The Electronic CodeBook mode. It is the simplest mode to use with a block cipher. Encrypts each block independently. CBC: The Cipher Block Chaining mode. It is better than ECB since the plaintext is XOR'ed with the previous ciphertext. A random block is placed as the first block so the same block or messages always encrypt to something different. (This is the default mode) CFB: The Cipher-Feedback Mode (in 8bit). This is a self-synchronizing stream cipher implemented from a block cipher. OFB: The Output-Feedback Mode (in 8bit). This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Insecure when used to encrypt large amounts of data, so I recommend against using it. nOFB: The Output-Feedback Mode (in nbit). n Is the size of the block of the algorithm. This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Encrypted files can be restored to their original form using mcrypt -d or mdecrypt mdecrypt takes a list of files on its command line and creates a new file for each file whose name ends with .nc by removing the ".nc" or by adding ".dc" to the end of the file name if .nc is not in the encrypted file's name. OPTIONS
EXAMPLESFor mcrypt to be compatible with the solaris des(1), the following parameters are needed: "mcrypt -a des --keymode pkdes --bare --noiv filename".For mcrypt to be compatible with the unix crypt(1), the following parameters are needed: "mcrypt -a enigma --keymode scrypt --bare filename". To encrypt a file using a stream algorithm (eg. Arcfour), the following parameters are needed: "mcrypt -a arcfour --mode stream filename". ENVIRONMENTMcrypt uses the following environment variables:MCRYPT_KEY: to specify the key MCRYPT_ALGO: to specify the algorithm MCRYPT_MODE: to specify the algorithm's mode MCRYPT_KEY_MODE: to specify the key mode You can use these instead of using the command line (which is insecure), but note that only one key should be used in MCRYPT_KEY. SEE ALSOcrypt(1), des(1) mcrypt(3)DIAGNOSTICSExit status is normally 0; if an error occurs, exit status is something other than 0.Usage: mcrypt [-dLFubhvrzp] [-f keyfile] [-k key1 key2 ...] [-m
mode] [-o keymode] [-a algorithm] [-c config_file] [filename ...]
AUTHORSVersion 2.6.0 Copyright (C) 1998,1999,2000,2001,2002 Nikos Mavroyanopoulos (nmav@gnutls.org).Thanks to all the people who reported problems and suggested various improvements for mcrypt; who are too numerous to cite here.
Visit the GSP FreeBSD Man Page Interface. |