System Administration Guide: Security Services

Procedure: How to Encrypt and Decrypt a File

When you encrypt a file, the original file is not removed or changed. The output file is encrypted.

For solutions to common errors from the encrypt command, see the section that follows the examples.

  1. Create a symmetric key of the appropriate length.

    You have two options: you can provide a passphrase from which a key is generated, or you can provide a key directly.

  2. Encrypt a file.

    Provide a key and use a symmetric key algorithm with the encrypt command.


    % encrypt -a algorithm [-v] \
    [-k keyfile | -K key-label [-T token]] [-i input-file] [-o output-file]
    -a algorithm

    Is the algorithm to use to encrypt the file. Type the algorithm name exactly as it appears in the output of the encrypt -l command.

    -k keyfile

    Is the file that contains a key of algorithm-specified length. The key length for each algorithm is listed, in bits, in the output of the encrypt -l command.

    -K key-label

    Is the label of a key in the PKCS #11 keystore.

    -T token

    Is the token name. By default, the token is Sun Software PKCS#11 softtoken. This option is used only when the -K key-label option is used.

    -i input-file

    Is the input file that you want to encrypt. This file is left unchanged by the command.

    -o output-file

    Is the output file that is the encrypted form of the input file.


Example 14–14 Creating an AES Key for Encrypting Your Files

In the following example, a user creates and stores an AES key in an existing PKCS #11 keystore for use in encryption and decryption. The user can verify that the key exists and can use the key, but cannot view the key itself.


% pktool genkey label=MyAESkeynumber1 keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken  :<Type password>

% pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken  :<Type password>
Found 1 key
Key #1 - Sun Software PKCS#11 softtoken: MyAESkeynumber1 (256)

To use the key to encrypt a file, the user retrieves the key by its label.


% encrypt -a aes -K MyAESkeynumber1 -i encryptthisfile -o encryptedthisfile

To decrypt the encryptedthisfile file, the user retrieves the key by its label.


% decrypt -a aes -K MyAESkeynumber1 -i encryptedthisfile -o sameasencryptthisfile


Example 14–15 Encrypting and Decrypting With AES and a Passphrase

In the following example, a file is encrypted with the AES algorithm. The key is generated from the passphrase. If the passphrase is stored in a file, the file should not be readable by anyone but the user.


% encrypt -a aes -i ticket.to.ride -o ~/enc/e.ticket.to.ride
Enter passphrase: <Type passphrase>
Re-enter passphrase: <Type passphrase again>

The input file, ticket.to.ride, still exists in its original form.

To decrypt the output file, the user uses the same passphrase and encryption mechanism that encrypted the file.


% decrypt -a aes -i ~/enc/e.ticket.to.ride -o ~/d.ticket.to.ride
Enter passphrase: <Type passphrase>


Example 14–16 Encrypting and Decrypting With AES and a Key File

In the following example, a file is encrypted with the AES algorithm. AES mechanisms use a key of 128 bits, or 16 bytes.


% encrypt -a aes -k ~/keyf/05.07.aes16 \
-i ticket.to.ride -o ~/enc/e.ticket.to.ride

The input file, ticket.to.ride, still exists in its original form.

To decrypt the output file, the user uses the same key and encryption mechanism that encrypted the file.


% decrypt -a aes -k ~/keyf/05.07.aes16 \
-i ~/enc/e.ticket.to.ride -o ~/d.ticket.to.ride


Example 14–17 Encrypting and Decrypting With ARCFOUR and a Key File

In the following example, a file is encrypted with the ARCFOUR algorithm. The ARCFOUR algorithm accepts a key of 8 bits (1 byte), 64 bits (8 bytes), or 128 bits (16 bytes).


% encrypt -a arcfour -i personal.txt \
-k ~/keyf/05.07.rc4.8 -o ~/enc/e.personal.txt

To decrypt the output file, the user uses the same key and encryption mechanism that encrypted the file.


% decrypt -a arcfour -i ~/enc/e.personal.txt \
-k ~/keyf/05.07.rc4.8 -o ~/personal.txt


Example 14–18 Encrypting and Decrypting With 3DES and a Key File

In the following example, a file is encrypted with the 3DES algorithm. The 3DES algorithm requires a key of 192 bits, or 24 bytes.


% encrypt -a 3des -k ~/keyf/05.07.des24 \
-i ~/personal2.txt -o ~/enc/e.personal2.txt

To decrypt the output file, the user uses the same key and encryption mechanism that encrypted the file.


% decrypt -a 3des -k ~/keyf/05.07.des24 \
-i ~/enc/e.personal2.txt -o ~/personal2.txt
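The key-file examples above (14-16 through 14-18) assume a key file of exactly the length the algorithm expects, and the troubleshooting section below describes what happens when it is not. The following POSIX sh helpers are an added example, not part of this guide or of Solaris: they create a raw key file of a valid length with owner-only permissions, and check a key file's length before it is handed to encrypt. The byte lengths are the ones this page states (AES 16; ARCFOUR 1, 8 or 16; 3DES 24); drawing key material from /dev/urandom with dd is this example's choice, and the function names are hypothetical.

```sh
# Added example (not from the Solaris guide). Key lengths in bytes follow
# this page: AES 16, ARCFOUR 1/8/16, 3DES 24. Key material: /dev/urandom.

# Print the key lengths (bytes) accepted for an algorithm, largest first,
# so the first value is the default; fail for an unknown algorithm.
key_lengths_for() {
    case "$1" in
        aes)     echo "16" ;;
        arcfour) echo "16 8 1" ;;
        3des)    echo "24" ;;
        *)       return 1 ;;
    esac
}

# Succeed only if the key file's size is one of the algorithm's key lengths.
# A wrong size is what the "key is not permitted" messages report.
check_keyfile() {
    alg=$1; keyfile=$2
    lengths=$(key_lengths_for "$alg") || return 1
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    for n in $lengths; do
        [ "$size" -eq "$n" ] && return 0
    done
    return 1
}

# Create a random key file (the default length unless one is given),
# readable only by its owner (umask 077), then validate it.
make_keyfile() {
    alg=$1; keyfile=$2
    want=${3:-$(key_lengths_for "$alg" | cut -d' ' -f1)}
    [ -n "$want" ] || return 1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=1 count="$want" 2>/dev/null ) || return 1
    check_keyfile "$alg" "$keyfile"
}

# Validate the key file before calling encrypt(1), as in Example 14-16;
# the input file is left unchanged by encrypt.
encrypt_with_keyfile() {
    alg=$1; keyfile=$2; in=$3; out=$4
    check_keyfile "$alg" "$keyfile" || { echo "key length not valid for $alg" >&2; return 1; }
    encrypt -a "$alg" -k "$keyfile" -i "$in" -o "$out"
}

# Usage: make_keyfile aes ~/keyf/05.07.aes16 && \
#   encrypt_with_keyfile aes ~/keyf/05.07.aes16 ticket.to.ride ~/enc/e.ticket.to.ride
```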

Troubleshooting

The following messages indicate that the key that you provided to the encrypt command is not permitted by the algorithm that you are using.

If you pass a key that does not meet the requirements of the algorithm, you must supply a key that does.