Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Wednesday, July 27, 2022



encrypt, decrypt - encrypt or decrypt files


/usr/bin/encrypt -l
/usr/bin/encrypt -a algorithm [-v]
     [-k key_file | -K key_label [-T token_spec]]
     [-i input_file] [-o output_file]
/usr/bin/decrypt -l
/usr/bin/decrypt -a algorithm [-v]
     [-k key_file | -K key_label [-T token_spec]]
     [-i input_file] [-o output_file]


These utilities encrypt or decrypt the given input file using the algorithm specified. If no input file is specified, input is read from standard input. If no output file is specified, output is printed to standard output.

If the –i and –o options specify the same file, the output is written to a temporary work file in the same file system and then renamed to replace the original input file.

The output file of encrypt and the input file for decrypt contains the following information:

  • Output format version number, 4 bytes in network byte order. The current version is 1.

  • Iterations used in key generation function, 4 bytes in network byte order.

  • IV (ivlen bytes)[1]. IV data is generated by random bytes equal to one block size.

  • Salt data used in key generation (16 bytes).

  • Cipher text data.


The following options are supported:

–a algorithm

Specify the name of the algorithm to use during the encryption or decryption process. Note that some weak algorithms may be available for use with the decrypt command only and not for encryption. See USAGE, Algorithms for details.

–i input_file

Specify the input file. The default is standard input if –i is not specified.

–k key_file

Specify the file containing the key value for the encryption algorithm. Each algorithm has specific key material requirements, as stated in the PKCS#11 specification. If –k is not specified, encrypt prompts for key material using getpassphrase(3C). The size of the key file determines the key length, and passphrases set from the terminal are always used to generate 128 bit long keys for ciphers with a variable key length.

For information on generating a key file, see the genkey subcommand in pktool(1). Alternatively, dd(8) can be used to read data from the random(4D) device to generate a key file.

–K key_label

Specify the label of a symmetric token key in a PKCS#11 token.


Display the list of algorithms available on the system. This list can change depending on the configuration of the cryptographic framework. The list is also likely to be different for the encrypt and decrypt commands, as some algorithms such as arcfour and des can no longer be used for encryption, but only for decryption. The keysizes are displayed in bits.

–o output_file

Specify output file. The default is standard output if –o is not specified. If standard output is used without redirecting to a file, the terminal window can appear to hang because the raw encrypted or decrypted data has disrupted the terminal emulation, much like viewing a binary file can do at times.

–T token_spec

Specify a PKCS#11 token other than the default soft token object store when the –K is specified.

token_spec has the format of:

token_name [:manuf_id [:serial_no]]

When a token label contains trailing spaces, this option does not require them to be typed as a convenience to the user.

Colon separated token identification string. If any of the parts have a literal colon (:) character, it must be escaped by a backslash (\). If a colon (:) is not found, the entire string (up to 32 characters) is taken as the token label. If only one colon (:) is found, the string is the token label and the manufacturer.


Display verbose information. See Verbose section.



The supported algorithms are displayed with their minimum and maximum key sizes by the –l option. These algorithms are provided by the cryptographic framework. Each supported algorithm is an alias of the PKCS #11 mechanism that is the most commonly used and least restricted version of a particular algorithm type. For example, aes is an alias to CKM_AES_CBC_PAD and 3des is an alias to CKM_DES3_CBC_PAD. Algorithm variants with no padding or ECB are not supported.

These aliases are used with the –a option and are case-sensitive.


When the –k option is not used during encryption and decryption tasks, the user is prompted for a passphrase. The passphrase is manipulated into a more secure key using the PBKDF2 algorithm specified in PKCS #5.

When a passphrase is used with encrypt and decrypt, the user entered passphrase is turned into an encryption key using the PBKDF2 algorithm as defined in PKCS #5 v2.0.


If an input file is provided to the command, a progress bar spans the screen. The progress bar denotes every 25% completed with a pipe sign (|). If the input is from standard input, a period (.) is displayed each time 40KB is read. Upon completion of both input methods, Done is printed.


Example 1 Listing Algorithms Available For Use With encrypt

The following example lists available algorithms:

example$ encrypt -l
     Algorithm       Keysize:  Min   Max (bits)
     aes                       128   256
     3des                      128   192
     camellia                  128   256
Example 2 Encrypting Using AES

The following example encrypts using AES and prompts for a passphrase:

example$ encrypt -a aes -i myfile.txt -o secretstuff
Example 3 Encrypting Using AES with a Key File

The following example encrypts using AES after the key file has been created:

example$ pktool genkey keystore=file keytype=aes keylen=128 \
example$ encrypt -a aes -k key -i myfile.txt -o secretstuff
Example 4 Using Pipes to Provide Encrypted Tape Backup

The following example uses pipes to provide encrypted tape backup:

example$ tar xcf - mydata | encrypt -a aes \
     -k ./backup.key | dd of=/dev/rmt/0
Example 5 Using Pipes to Restore Tape Backup

The following example uses pipes to restore a tape backup:

example$ decrypt -a aes -k ./backup.key \
     -i /dev/rmt/0 | tar zxvf -
Example 6 Encrypting an Input File Using the 3DES Algorithm

The following example encrypts the inputfile file with the 192-bit key stored in the des3key file:

example$ encrypt -a 3des -k des3key -i inputfile -o outputfile
Example 7 Encrypting an Input File with an AES token key

The following example encrypts the input file with an AES token key in the soft token keystore. The AES token key can be generated with pktool(1):

example$ encrypt -a aes -K myaeskey \
     -T "Sun Software PKCS#11 softtoken" -i inputfile \
     -o outputfile
Example 8 Listing Algorithms Available For Use With decrypt

The following example lists algorithms available for use with decrypt command:

$ decrypt -l
Algorithm       Keysize:         Min   Max (bits)
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192
camellia                  128   256

Exit Status

The following exit values are returned:


Successful completion.


An error occurred.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

digest(1), mac(1), pktool(1), getpassphrase(3C), libpkcs11(3LIB), attributes(7), pkcs11_softtoken(7), dd(8)

Kaliski, B., RFC 2898, PKCS #5: Password-Based Cryptography Specification, Version 2.0, September 2000. https://tools.ietf.org/html/rfc2898



The –K and –T options were added in Oracle Solaris 11.0.

The encrypt and decrypt commands, and all other options, were added in Solaris 10 3/05.