Man Linux: Main Page and Category List

NAME

       ccrypt - encrypt and decrypt files and streams

SYNOPSIS

       ccrypt [mode] [options] [file...]
       ccencrypt [options] [file...]
       ccdecrypt [options] [file...]
       ccat [options] file...

DESCRIPTION

       ccrypt is a utility for encrypting and decrypting files and streams. It
       was designed to replace the  standard  unix  crypt  utility,  which  is
       notorious  for using a very weak encryption algorithm.  ccrypt is based
       on the Rijndael block  cipher,  which  was  also  chosen  by  the  U.S.
       government    as   the   Advanced   Encryption   Standard   (AES,   see
       http://www.nist.gov/aes/). This cipher  is  believed  to  provide  very
       strong cryptographic security.

       Unlike  unix  crypt, the algorithm provided by ccrypt is not symmetric,
       i.e., one must specify whether to encrypt or decrypt. The  most  common
       way to invoke ccrypt is via the commands ccencrypt and ccdecrypt.

       Encryption and decryption depends on a keyword (or key phrase) supplied
       by the user. By default, the user is prompted to enter a  keyword  from
       the terminal. Keywords can consist of any number of characters, and all
       characters are significant (although ccrypt internally hashes  the  key
       to  256 bits). Longer keywords provide better security than short ones,
       since they are less likely to be discovered by exhaustive search.

MODES

       ccrypt can operate in five different modes.  If more than one  mode  is
       specified,  the  last  one  specified  takes  precedence.  The  aliases
       ccencrypt, ccdecrypt, and ccat are provided as a convenience; they  are
       equivalent to ccrypt -e, ccrypt -d, and ccrypt -c, respectively.

       -e, --encrypt  Encrypt. This is the default mode. If filename arguments
                      are given, encrypt the files and append the suffix  .cpt
                      to their names. Otherwise, run as a filter.

       -d, --decrypt  Decrypt.  If  filename  arguments are given, decrypt the
                      files and strip the suffix .cpt from the  filenames,  if
                      present. Otherwise, run as a filter.

       -c, --cat      Decrypt  one  or  more  files  to standard output. If no
                      filename arguments  are  given,  decrypt  as  a  filter.
                      Implies -l.

       -x, --keychange
                      Change  the  key of encrypted data. In this mode, ccrypt
                      prompts for two passwords: the old one and the new  one.
                      If  filename  arguments  are  given,  modify  the files.
                      Otherwise, run as a filter.

       -u, --unixcrypt
                      Simulate the old unix crypt command.  Note:  the  cipher
                      used  by  unix  crypt has been broken and is not secure.
                      Please use this option only to decrypt  existing  files.
                      If  filename  arguments  are given, decrypt the files to
                      stdout. Otherwise, run as a filter. Note  that  for  the
                      unix  crypt  format,  there  is  no  easy  way to detect
                      whether a given key matches or not;  thus,  for  safety,
                      this mode does not overwrite files.

OPTIONS

       The  following options are supported in addition to the modes described
       above:

       -b, --brave    When reading an encryption key from  the  terminal,  ask
                      the  user only once for the key. By default, ccrypt will
                      ask the user to enter such keys twice,  as  a  safeguard
                      against  accidentally  destroying data due to a mistyped
                      key. Using  the  --brave  option  disables  this  safety
                      check. Never use it, unless you know what you are doing.
                      See also --timid.

       -E var, --envvar var
                      Read the keyword  from  the  environment  variable  var.
                      Note  that  this  might  be  unsafe  on certain systems,
                      namely where users can use the ps  command  to  see  the
                      environment  of a process owner by another user. On most
                      modern systems, however, such behavior of ps is disabled
                      and  the  -E  option  should be safe there.  Also, as an
                      added security measure, ccrypt erases the  keyword  from
                      its environment immediately after reading it.

       -f, --force    Overwrite  existing  files or operate on write-protected
                      files  without  asking  any  questions.  Also,  override
                      ccrypt’s  reluctance  to write or read encrypted data to
                      or from a terminal.

       -F var, --envvar2 var
                      Same as -E, except  for  second  keyword  (in  keychange
                      mode).

       -h, --help     Help. Print usage information and exit.

       -H key, --key2 key
                      Same  as  -K,  except  for  second keyword (in keychange
                      mode).

       -k file, --keyfile file
                      Read the keyword as the first line from the named  file.
                      In  keychange  mode,  two keywords are read as the first
                      two lines of the file. The filename "-" may be given for
                      reading  keywords  from  standard input.  Using the -k -
                      option and sending the keyword on stdin is probably  the
                      safest  way  to  pass  a  keyword to ccrypt from another
                      program or script.

       -K key, --key key
                      Specify the keyword on the command line. This is unsafe,
                      because  any  other  user  can  see  the command line by
                      running the  ps  command.   Only  use  this  option  for
                      testing purposes, and never with a real keyword.

       -l, --symlinks Force   encryption/decryption   of  symbolic  links.  By
                      default, symbolic links are ignored  except  in  cat  or
                      unixcrypt   mode.   Note   that   with  the  -l  option,
                      encryption/decryption of  a  symbolic  link  causes  the
                      suffix  .cpt  to  be  added/removed from the name of the
                      link, not the name of the file pointed to.

       -L, --license  Print license info and exit.

       -m, --mismatch Normally, ccrypt refuses to decrypt data with a key that
                      does  not  seem  to  match. The -m option overrides this
                      restriction. This can sometimes be useful in  recovering
                      data  from  a  corrupted  file (see RECOVERING DATA FROM
                      CORRUPTED FILES). To avoid irretrievable  loss  of  data
                      when  decrypting with a wrong key, this option cannot be
                      used with modes that overwrite the input file.

       -P prompt, --prompt prompt
                      Use  prompt  instead  of  the  default   prompt   "Enter
                      encryption/decryption  key:  ".   This  may be useful in
                      some shell scripts.

       -q, --quiet    Suppress most warnings.

       -Q prompt, --prompt2 prompt
                      Same as -P, except  for  second  keyword  (in  keychange
                      mode).

       -r, --recursive
                      Traverse subdirectories recursively.

       -R, --rec-symlinks
                      Traverse  subdirectories  recursively,  and  also follow
                      symbolic links to subdirectories.

       -s, --strictsuffix
                      Refuse to encrypt files  which  already  have  the  .cpt
                      suffix  (or  that  selected with -S). This can be useful
                      when  adding  some  files  to  a  directory  of  already
                      encrypted files. This option has no effect in decryption
                      or keychange mode.

       -S .suf, --suffix .suf
                      Use the suffix .suf instead of the default suffix  .cpt.

       -t, --timid    When  reading  an  encryption key from the terminal, ask
                      the user to enter the key twice. If the two entered keys
                      are  not  identical, abort.  This is a safeguard against
                      accidentally destroying data by  encrypting  it  with  a
                      mistyped  key.  Note:  this behavior is now the default,
                      and can be overridden with the --brave option.

       -T, --tmpfiles This option causes ccrypt to use temporary files  during
                      encryption/decryption,  rather than overwriting the file
                      contents destructively. This method leaves the  original
                      file contents lying around in unused sectors of the file
                      system,  and  thus  is  less  secure  than  the  default
                      behavior.  However,  in  situations  where  this loss of
                      security is not important,  the  --tmpfiles  option  can
                      provide  a  measure  of  protection  against  data being
                      corrupted due  to  a  system  crash  in  the  middle  of
                      overwriting a file.

       -v, --verbose  Print progress information to stderr.

       -V, --version  Print version info and exit.

       --             End  of options. Any remaining arguments are interpreted
                      as filenames.  This also turns off filter mode, even  if
                      zero  filenames  follow.  This  might  be  useful in the
                      context of shell pattern expansion;  ccrypt  --  *  will
                      behave correctly even if no files match the pattern *.

NOTES ON USAGE

       The  user interface of ccrypt intentionally resembles that of GNU gzip,
       although it is not identical. When  invoked  with  filename  arguments,
       ccrypt  normally  modifies  the  files  in place, overwriting their old
       content. Unlike gzip, the output is not first written  to  a  temporary
       file;  instead, the data is literally overwritten. For encryption, this
       is usually the desired behavior, since one does not want copies of  the
       unencrypted  data  to  remain  in hidden places in the file system. The
       disadvantage is that if ccrypt is interrupted in the middle of  writing
       to  a  file,  the  file will end up in a corrupted, partially encrypted
       state.  However, in such cases it is possible to recover  most  of  the
       data;  see  RECOVERING  DATA FROM CORRUPTED FILES below. If you want to
       force ccrypt to use temporary files, use the --tmpfiles option.

       When ccrypt receives an interrupt signal (Ctrl-C) while updating a file
       in  place,  it  does  not  exit immediately, but rather delays the exit
       until after it finishes writing to the current file. This is to prevent
       files  from being partially overwritten and thus corrupted. If you want
       to force ccrypt to exit immediately, just press Ctrl-C twice quickly.

       The encryption algorithm used by ccrypt uses a  random  seed  which  is
       different  each  time. As a result, encrypting the same file twice will
       never yield the same result. The  advantage  of  this  method  is  that
       similarities  in  plaintext  do not lead to similarities in ciphertext;
       there is no way of telling whether the content of two  encrypted  files
       is similar or not.

       Because  of  the  use  of a random seed, decrypting and re-encrypting a
       file with the same key will not  lead  to  an  identical  file.  It  is
       primarily  for  this reason that ccrypt refuses to decrypt files with a
       non-matching  key;  if  this  were  allowed,  there  would  be  no  way
       afterwards  to  restore  the  original  file,  and  the  data  would be
       irretrievably lost.

       When overwriting files, special care  is  taken  with  hard  links  and
       symbolic  links.  Each physical file (i.e., each inode) is processed at
       most once, no matter how many  paths  to  it  are  encountered  on  the
       command  line or in subdirectories traversed recursively. For each file
       which has multiple hard links, a warning is printed, to alert the  user
       that  not  all  paths  to  the  file  might have been properly renamed.
       Symbolic links are ignored except in cat mode, or unless the -l  or  -R
       option is given.

       Unlike  gzip,  ccrypt  does not complain about files that have improper
       suffixes. It is legal to doubly encrypt a file. It  is  also  legal  to
       decrypt  a  file which does not have the .cpt suffix, provided the file
       contains  valid  data  for  the   given   decryption   key.   Use   the
       --strictsuffix  option  if  you  want to prevent ccrypt from encrypting
       files which already have a .cpt suffix.

       Regarding encryption and compression: encrypted data  is  statistically
       indistinguishable  from  random data, and thus it cannot be compressed.
       But of course it is possible to compress the data first,  then  encrypt
       it. Suggested file suffixes are .gz.cpt or .gzc.

RECOVERING DATA FROM CORRUPTED FILES

       Encrypted  data  might  be  corrupted  for  a  number  of  reasons. For
       instance, a file might have been partially encrypted  or  decrypted  if
       ccrypt  was  interrupted  while  processing  the file. Or data might be
       corrupted by a software or hardware error, or during transmission  over
       a network. The encryption algorithm used by ccrypt is designed to allow
       recovery from errors. In general, only a few bytes of data will be lost
       near where the error occurred.

       Data  encrypted  by  ccrypt  can be thought of as a sequence of 32-byte
       blocks. To decrypt a particular block, ccrypt only needs  to  know  the
       decryption key, the data of the block itself, and the data of the block
       immediately preceding  it.  ccrypt  cannot  tell  whether  a  block  is
       corrupted  or not, except the very first block, which is special. Thus,
       if the encrypted data has been altered in the middle or near the end of
       a  file, ccrypt can be run to decrypt it as usual, and most of the data
       will be decrypted correctly, except near where the corruption occurred.

       The  very first block of encrypted data is special, because it does not
       actually correspond to any plaintext data; this block holds the  random
       seed  generated  at  encryption  time.  ccrypt also uses the very first
       block to decide whether the given keyword matches the data or  not.  If
       the  first block has been corrupted, ccrypt will likely decide that the
       keyword does not match; in such cases, the -m option  can  be  used  to
       force ccrypt to decrypt the data anyway.

       If  a  file  contains some encrypted and some unencrypted data, or data
       encrypted with two different keys, one should decrypt the  entire  file
       with  each applicable key, and then piece together the meaningful parts
       manually.

       Finally, decryption will only produce meaningful results if the data is
       aligned  correctly  along  block  boundaries.  If  the  block  boundary
       information has been lost, one has to try all 32 possibilities.

DESCRIPTION OF THE CIPHER

       Block ciphers  operate  on  data  segments  of  a  fixed  length.   For
       instance,  the  Rijndael block cipher used in ccrypt has a block length
       of 32 bytes or 256 bits. Thus, this cipher encrypts 32 bytes at a time.

       Stream ciphers operate on data streams of any length. There are several
       standard modes for operating a block cipher as  a  stream  cipher.  One
       such  standard  is  Cipher  Feedback (CFB), defined in FIPS 81 and ANSI
       X3.106-1983.  ccrypt  implements  a  stream  cipher  by  operating  the
       Rijndael block cipher in CFB mode.

       Let  P[i]  and  C[i]  be the ith block of the plaintext and ciphertext,
       respectively. CFB mode specifies that

              C[i] = P[i] ^ E(k,C[i-1])

       Here ^ denotes the bitwise exclusive or function,  and  E(k,x)  denotes
       the  encryption  of the block x under the key k using the block cipher.
       Thus, each block of the ciphertext is calculated from the corresponding
       block  of  plaintext and the previous block of ciphertext. Note that in
       fact, each byte of P[i] can be calculated from the  corresponding  byte
       of  C[i],  so  that  the  stream cipher can be applied to one byte at a
       time. In particular, the stream length need not be a  multiple  of  the
       block size.

       Assuming  that blocks are numbered starting from 0, a special "initial"
       ciphertext block C[-1] is needed to provide the base case for the above
       formula.  This value C[-1] is called the initialization vector or seed.
       The seed is chosen at encryption time and written as the first block of
       the  encrypted  stream. It is important never to use the same seed more
       than once; otherwise, the two resulting ciphertext blocks C[0] could be
       related  by  a simple xor to obtain information about the corresponding
       plaintext blocks P[0].  If the  same  seed  is  never  reused,  CFB  is
       provably as secure as the underlying block cipher.

       In  ccrypt, the seed is constructed as follows: first, a combination of
       the host name, current time, process id, and an  internal  counter  are
       hashed  into  a  28-byte  value, using a cryptographic hash function. A
       fixed four-byte "magic number" is combined with  this  value,  and  the
       resulting 32-byte value is encrypted by one round of the Rijndael block
       cipher with the given key. The result is used as the seed and  appended
       to  the beginning of the ciphertext. The use of the magic number allows
       ccrypt to detect non-matching keys before decryption.

SECURITY

       ccrypt is believed  to  provide  very  strong  cryptographic  security,
       equivalent  to  that of the Rijndael cipher with 256-bit block size and
       256-bit key size. Another  version  of  the  Rijndael  cipher  (with  a
       smaller   block  size)  is  used  in  the  U.S.  government’s  Advanced
       Encryption Standard  (AES,  see  http://www.nist.gov/aes/).  Therefore,
       this  cipher  is  very  well  studied  and  subject to intensive public
       scrutiny.   This  scrutiny  has  a  positive  effect  on  the  cipher’s
       security. In particular, if an exploitable weakness in this cipher were
       ever discovered, this would become widely publicized.

       In  practical  terms,  the  security  of  ccrypt  means  that,  without
       knowledge of the encryption key, it is effectively impossible to obtain
       any information about the plaintext from a given  ciphertext.  This  is
       true  even  if a large number of plaintext-ciphertext pairs are already
       known for the same key. Moreover, because ccrypt uses a key size of 256
       bits,  an  exhaustive search of the key space is not feasible, at least
       as long as sufficiently long keys are actually  used  in  practice.  No
       cipher is secure if users choose insecure keywords.

       On  the  other hand, ccrypt does not attempt to provide data integrity,
       i.e., it will not attempt to detect whether the ciphertext was modified
       after  encryption.  In  particular,  encrypted  data  can be truncated,
       leaving the corresponding decrypted data also truncated, but  otherwise
       consistent.  If  one needs to ensure data integrity as well as secrecy,
       this can be achieved by other methods. The  recommended  method  is  to
       prepend  a  cryptographic  hash (for instance, an MD5 or SHA-1 hash) to
       the data before encryption.

       ccrypt does not claim to  provide  any  particular  safeguards  against
       information  leaking  via  the local operating system. While reasonable
       precautions  are  taken,  there  is  no  guarantee  that  keywords  and
       plaintexts  have  been physically erased after encryption in completed;
       parts of such data might still exist in memory or on disk. ccrypt  does
       not currently use priviledged memory pages.

       When  encrypting  files,  ccrypt by default accesses them in read-write
       mode.  This  normally  causes  the  original  file  to  be   physically
       overwritten, but on some file systems, this might not be the case.

       Note  that  the  use  of  the  -K  option  is  unsafe  in  a  multiuser
       environment, because the command line of a process is visible to  other
       users  running  the ps command. The use of the -E option is potentially
       unsafe for the same reason, although recent versions of ps  don’t  tend
       to  display  environment information to other users.  The use of the -T
       option is unsafe for encryption because  the  original  plaintext  will
       remain in unused sectors of the file system.

EMACS PACKAGE

       There  is  an  emacs  package  for reading and writing encrypted files.
       (Note that this package currently  only  works  with  emacs,  not  with
       xemacs.)   This  package hooks into the low-level file I/O functions of
       emacs, prompting the user for  a  password  where  appropriate.  It  is
       implemented  in  much  the same way as support for compressed files; in
       fact, the package, whose name is jka-compr-ccrypt, is based directly on
       the  jka-compr  package  which  is  part  of GNU Emacs. It handles both
       encrypted  and  compressed  files  (although  currently  not  encrypted
       compressed files).

       To  use  the package, simply load jka-compr-ccrypt, then edit as usual.
       When you open a file with the ".cpt" extension, emacs will  prompt  you
       for  a  password  for  the  file. It will remember the password for the
       buffer, and when you save the file  later,  it  will  be  automatically
       encrypted  again (provided you save it with a ".cpt" extension). Except
       for the password  prompt,  the  operation  of  the  package  should  be
       transparent  to  the  user.  The package also handles compressed ".gz",
       ".bz2", and ".Z" files, and it  should  be  used  instead  of,  not  in
       addition  to, jka-compr. The command M-x ccrypt-set-buffer-password can
       be used to change the current password of a buffer.

       The simplest way to use this package is to include the lines

              (setq load-path (cons "path" load-path))
              (require ’jka-compr-ccrypt "jka-compr-ccrypt.el")

       in your .emacs file, where path is the directory which holds  the  file
       jka-compr-ccrypt.el.  You  may  also need to disable loading of the old
       jka-compr package, since the two packages are not compatible with  each
       other (and in any case, jka-compr-ccrypt contains all the functionality
       of jka-compr).

       Limitations  of  the  emacs  package:  there  is  no   guarantee   that
       unencrypted  information  cannot  leak to the file system; in fact, the
       package sometimes writes unencrypted data to temporary files.  However,
       auto-saved files are normally treated correctly (i.e., encrypted).  For
       details, see the comments in the file jka-compr-ccrypt.el.

EXIT STATUS

       The exit status is 0 on successful completion, and non-zero  otherwise.
       An  exit  status of 1 means illegal command line, 2 is out of memory, 3
       is a fatal i/o error, 4 is a non-matching key or wrong file  format,  6
       is  interrupt,  7 is mistyped key in --timid mode, and 8 is a non-fatal
       i/o error.

       Fatal i/o errors are those which occur while processing a file which is
       already   open.  Such  errors  cause  ccrypt  to  abort  its  operation
       immediately with an exit status of 3. Non-fatal i/o  errors  are  those
       which occur while handling files which are not already open; typically,
       such errors are caused by files that  are  missing,  not  readable,  or
       can’t  be  created.   When  encountering  a non-fatal i/o error, ccrypt
       simply continues to process the next available  input  file.  The  exit
       status of 8 is delayed until after all the files have been processed.

       Non-matching  keys and wrong file formats are also considered non-fatal
       errors, and cause ccrypt to continue with processing the next available
       input  file.  In  this case, an exit status of 4 is given after all the
       files have been processed. If there is a conflict between exit status 4
       and 8, then 8 is returned.

       The former exit status 5 ("wrong file format") has been eliminated, and
       is now covered under exit status 4 ("non-matching  key  or  wrong  file
       format").  Note that ccrypt does not really have a "file format" in the
       proper sense of the word; any file of  length  at  least  32  bytes  is
       potentially a valid encrypted file.

BUGS

       While  ccrypt  can  handle keywords of arbitrary length, some operating
       systems limit the length of an input line to 1024 characters.

       The renaming of files (adding or removing the .cpt suffix) can go wrong
       if  a filename is repeated on the command line.  In this case, the file
       is only encrypted/decrypted once,  but  the  suffix  may  be  added  or
       removed  several  times.  This  is because ccrypt thinks it encountered
       different hardlinks for the same file.

       The --strictsuffix option can behave in unexpected ways if one file has
       several hardlinks of which some have the suffix and some don’t. In this
       case, the inode will be encrypted/decrypted, but  the  suffix  will  be
       changed  only  for  those filenames that allow it. Similarly, if a file
       cannot be renamed because a file of the given name already exists,  the
       file may still be encrypted/decrypted if it has another hardlink.

VERSION

       1.7

AUTHOR

       Peter Selinger <selinger at users.sourceforge.net>

COPYRIGHT

       Copyright (C) 2000-2004 Peter Selinger

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published  by  the
       Free  Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it  will  be  useful,  but
       WITHOUT   ANY   WARRANTY;   without   even   the  implied  warranty  of
       MERCHANTABILITY or FITNESS FOR  A  PARTICULAR  PURPOSE.   See  the  GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59  Temple  Place,  Suite  330,  Boston,  MA  02111-1307, USA. See also
       http://www.gnu.org/.