Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2021
 
 

How to Encrypt and Decrypt a File

When you encrypt a file, the original file is not removed or changed. The output file is encrypted.

For solutions to common errors related to the encrypt command, see the section that follows the examples.


Note - When encrypting and decrypting files, try to use FIPS 140-2 approved algorithms with approved key lengths whenever possible. See FIPS 140-2 Algorithms in the Cryptographic Framework in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4. Run the encrypt -l command to view available algorithms and their key lengths.
  1. Create a symmetric key of the appropriate length.

      You can provide either a passphrase from which a key will be generated or you can provide a key.

    • If you provide a passphrase, you must store or remember the passphrase. If you store the passphrase online, the passphrase file should be readable only by you.

    • If you provide a key, it must be the correct size for the mechanism. You can use the pktool command. For the procedure and some examples, see How to Generate a Symmetric Key by Using the pktool Command.

  2. (Optional) List the encryption algorithms.
    $ encrypt -l
    Algorithm       Keysize:  Min   Max (bits)
    ------------------------------------------
    aes                       128   256
    arcfour                     8  2048
    des                        64    64
    3des                      128   192
    camellia                  128   256
  3. Encrypt a file.

    Provide a key and use a symmetric key algorithm with the encrypt command.

    $ encrypt -a algorithm [-v] \
    [-k keyfile | -K key-label [-T token]] [-i input-file] [-o output-file]
    –a algorithm

    The algorithm to use to encrypt the file. Type the algorithm as the algorithm appears in the output of the encrypt -l command. Whenever possible, select a FIPS 140-2 approved algorithm. See FIPS 140-2 Algorithms in the Cryptographic Framework in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.

    –k keyfile

    The file that contains a key of algorithm-specified length. The key length for each algorithm is listed, in bits, in the output of the encrypt -l command.

    –K key-label

    The label of a key in the PKCS #11 keystore.

    –T token

    The token name. By default, it is Sun Software PKCS#11 softtoken. It is used only when the –K key-label option is used.

    –i input-file

    The input file that you want to encrypt. This file is left unchanged by the command.

    –o output-file

    The output file that is the encrypted form of the input file.

Example 10  Creating an AES Key for Encrypting Your Files

In the following example, a user creates and stores an AES key in an existing PKCS #11 keystore for use in encryption and decryption. The user can verify that the key exists and can use the key, but cannot view the key itself.

$ pktool genkey label=MyAESkeynumber1 keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken  :xxxxxxxx

$ pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken  :xxxxxxxx
No.      Key Type      Key Len.      Key Label
----------------------------------------------------
Symmetric keys:
1        AES           256           MyAESkeynumber1

To use the key to encrypt a file, the user retrieves the key by its label.

$ encrypt -a aes -K MyAESkeynumber1 -i encryptthisfile -o encryptedthisfile

To decrypt the encryptedthisfile file, the user retrieves the key by its label.

$ decrypt -a aes -K MyAESkeynumber1 -i encryptedthisfile -o sameasencryptthisfile
Example 11  Encrypting and Decrypting With AES and a Passphrase

In this example, a file is encrypted with the AES algorithm. The key is generated from the passphrase. If the passphrase is stored in a file, the file should not be readable by anyone but the user.

$ encrypt -a aes -i ticket.to.ride -o ~/enc/e.ticket.to.ride
Enter passphrase:    xxxxxxxx
Re-enter passphrase: xxxxxxxx

The input file, ticket.to.ride, still exists in its original form.

To decrypt the output file, the user uses the same passphrase and encryption mechanism that encrypted the file.

$ decrypt -a aes -i ~/enc/e.ticket.to.ride -o ~/d.ticket.to.ride
Enter passphrase: xxxxxxxx
Example 12  Encrypting and Decrypting With AES and a Key File

In this example, a file is encrypted with the AES algorithm. AES mechanisms use a key of 128 bits, or 16 bytes.

$ encrypt -a aes -k ~/keyf/05.07.aes128 \
-i ticket.to.ride -o ~/enc/e.ticket.to.ride 

The input file, ticket.to.ride, still exists in its original form.

To decrypt the output file, the user uses the same key and encryption mechanism that encrypted the file.

$ decrypt -a aes -k ~/keyf/05.07.aes128  \
-i ~/enc/e.ticket.to.ride -o ~/d.ticket.to.ride

Troubleshooting

    The following messages indicate that the key that you provided to the encrypt command is not permitted by the algorithm that you are using.

  • encrypt: unable to create key for crypto operation: CKR_ATTRIBUTE_VALUE_INVALID

  • encrypt: failed to initialize crypto operation: CKR_KEY_SIZE_RANGE

    If you pass a key that does not meet the requirements of the algorithm, you must supply a better key by using one of the following methods:

  • Use a passphrase. The framework then provides a key that meets the requirements.

  • Pass a key size that the algorithm accepts. For example, the DES algorithm requires a key of 64 bits. The 3DES algorithm requires a key of 192 bits.