diff --git a/include/pcp/crypto.h b/include/pcp/crypto.h index 50afe5b..a369be5 100644 --- a/include/pcp/crypto.h +++ b/include/pcp/crypto.h @@ -53,10 +53,12 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub, unsigned char *cipher, size_t ciphersize, size_t *dsize); -size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self); +size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p); -size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s); +size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey); +size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead); +size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey); #endif // _HAVE_PCP_CRYPTO_H diff --git a/include/pcp/defines.h b/include/pcp/defines.h index 24856c9..741fe83 100644 --- a/include/pcp/defines.h +++ b/include/pcp/defines.h @@ -67,12 +67,16 @@ typedef unsigned int qbyte; // Quad byte = 32 bits // crypto file format stuff #define PCP_ASYM_CIPHER 5 -#define PCP_BLOCK_CIPHER 23 +#define PCP_SYM_CIPHER 23 #define PCP_BLOCK_SIZE 32 * 1024 #define PCP_BLOCK_SIZE_IN (PCP_BLOCK_SIZE) + 16 + crypto_secretbox_NONCEBYTES -#define PCP_ASYM_RECIPIENT_SIZE ((crypto_secretbox_KEYBYTES + crypto_box_ZEROBYTES) - crypto_box_BOXZEROBYTES) + crypto_secretbox_NONCEBYTES +#define PCP_CRYPTO_ADD (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES) +#define PCP_ASYM_RECIPIENT_SIZE crypto_secretbox_KEYBYTES + PCP_CRYPTO_ADD + crypto_secretbox_NONCEBYTES //#define PCP_ASYM_ADD_SENDER_PUB +// used for self encryption only +#define PBP_COMPAT_SALT "qa~t](84z<1t<1oz:ik.@IRNyhG=8q(on9}4#!/_h#a7wqK{Nt$T?W>,mt8NqYq&6U,rSYI2GRDd:Bcm" + // error handling extern char *PCP_ERR; extern byte PCP_ERRSET; diff --git a/libpcp/crypto.c b/libpcp/crypto.c index 8f32acf..05063c9 100644 --- a/libpcp/crypto.c +++ b/libpcp/crypto.c @@ -149,7 +149,7 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub, // resulting size: // ciphersize - crypto_secretbox_ZEROBYTES - *dsize = ciphersize - crypto_secretbox_NONCEBYTES - 16; + *dsize = ciphersize - crypto_secretbox_NONCEBYTES - PCP_CRYPTO_ADD; return message; errbed: @@ -162,31 +162,47 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub, } -size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) { - unsigned char *symkey = NULL; +size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey) { pcp_pubkey_t *cur, *sender; - size_t es; int nrec, recmatch; uint32_t lenrec; uint8_t head; - size_t cur_bufsize, rec_size, out_size; - size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES; - unsigned char in_buf[PCP_BLOCK_SIZE_IN]; + size_t cur_bufsize, rec_size; + unsigned char rec_buf[PCP_ASYM_RECIPIENT_SIZE]; - unsigned char *buf_nonce; - unsigned char *buf_cipher; - unsigned char *buf_clear; + #ifdef PCP_ASYM_ADD_SENDER_PUB unsigned char *senderpub; #endif + int self = 0; - // step 1, check header - cur_bufsize = fread(&head, 1, 1, in); - if(cur_bufsize != 1 && !feof(in) && !ferror(in)) - if(head != PCP_ASYM_CIPHER) { - fatal("Error: input file is not asymetrically encrypted\n"); // FIXME: check for sym - goto errdef1; + if(ftell(in) == 1) { + // header has already been determined outside the lib + if(symkey != NULL) + self = 1; + } + else { + // step 1, check header + cur_bufsize = fread(&head, 1, 1, in); + if(cur_bufsize != 1 && !feof(in) && !ferror(in)) { + if(head == PCP_SYM_CIPHER) { + if(symkey != NULL) + self = 1; + else { + fatal("Input is symetrically encrypted but no key have been specified (lib usage failure)\n"); + goto errdef1; + } + } + else if(head == PCP_ASYM_CIPHER) { + self = 0; + } } + } + + if(self) { + // just decrypt symetrically and go outa here + return pcp_decrypt_file_sym(in, out, symkey); + } #ifdef PCP_ASYM_ADD_SENDER_PUB // step 2, sender's pubkey @@ -233,47 +249,14 @@ size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) { } // step 5, actually decrypt the file, finally - buf_nonce = ucmalloc(crypto_secretbox_NONCEBYTES); - buf_cipher = ucmalloc(ciphersize); - out_size = 0; - while(!feof(in)) { - cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in); - if(cur_bufsize <= 16) - break; // no valid cipher block - ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES; - memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES); - memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize); + return pcp_decrypt_file_sym(in, out, symkey); - es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey); - if(es == 0) { - fwrite(buf_clear, ciphersize - 16, 1, out); - if(ferror(out) != 0) { - fatal("Failed to write decrypted output!\n"); - goto errdef2; - } - } - else { - fatal("Failed to decrypt file content!\n"); - goto errdef2; - } - out_size += ciphersize - 16; - } - - fclose(in); - fclose(out); // FIXME: check for stdin/stdout - - return out_size; - - errdef2: - free(buf_nonce); - free(buf_cipher); - free(symkey); errdef1: return 0; } -size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self) { +size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p) { unsigned char *symkey; int recipient_count; unsigned char *recipients_cipher; @@ -281,10 +264,9 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int size_t es; int nrec; uint32_t lenrec; - size_t cur_bufsize, rec_size, out_size; - unsigned char in_buf[PCP_BLOCK_SIZE]; - unsigned char *buf_nonce; - unsigned char *buf_cipher; + size_t rec_size, out_size; + + /* Correct format should be: @@ -350,7 +332,51 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int out_size = 5 + (rec_size * recipient_count) + crypto_box_PUBLICKEYBYTES; // step 5, actual encrypted data - cur_bufsize = 0; + size_t sym_size = pcp_encrypt_file_sym(in, out, symkey, 1); + if(sym_size == 0) + goto errec1; + + + return out_size + sym_size; + + + + errec1: + memset(symkey, 0, crypto_secretbox_KEYBYTES); + free(symkey); + free(recipients_cipher); + + if(fileno(in) != 0) + fclose(in); + if(fileno(out) != 1) + fclose(out); + + return 0; +} + +size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead) { + /* + havehead = 0: write the whole thing from here + havehead = 1: no header, being called from asym... + */ + + unsigned char *buf_nonce; + unsigned char *buf_cipher; + unsigned char in_buf[PCP_BLOCK_SIZE]; + size_t cur_bufsize = 0; + size_t out_size = 0; + size_t es; + + if(havehead == 0) { + uint8_t head = PCP_SYM_CIPHER; + fwrite(&head, 1, 1, out); + if(ferror(out) != 0) { + fatal("Failed to write encrypted output!\n"); + return 0; + } + } + + while(!feof(in)) { cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE, in); @@ -369,25 +395,67 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int if(ferror(out) != 0) { fatal("Failed to write encrypted output!\n"); - goto errec2; + return 0; } - fclose(in); - fclose(out); // FIXME: check for stdin/stdout + if(fileno(in) != 0) + fclose(in); + if(fileno(out) != 1) + fclose(out); + + return out_size; +} + +size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey) { + unsigned char *buf_nonce; + unsigned char *buf_cipher; + unsigned char *buf_clear; + size_t out_size, cur_bufsize, es; + size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES; + unsigned char in_buf[PCP_BLOCK_SIZE_IN]; + + buf_nonce = ucmalloc(crypto_secretbox_NONCEBYTES); + buf_cipher = ucmalloc(ciphersize); + out_size = 0; + + while(!feof(in)) { + cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in); + if(cur_bufsize <= PCP_CRYPTO_ADD) + break; // no valid cipher block + + ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES; + memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES); + memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize); + + es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey); + out_size += ciphersize - PCP_CRYPTO_ADD; + + if(es == 0) { + fwrite(buf_clear, ciphersize - PCP_CRYPTO_ADD, 1, out); + free(buf_clear); + if(ferror(out) != 0) { + fatal("Failed to write decrypted output!\n"); + out_size = 0; + break; + } + } + else { + fatal("Failed to decrypt file content!\n"); + free(buf_clear); + out_size = 0; + break; + } + } + + free(buf_nonce); + free(buf_cipher); + + if(fileno(in) != 0) + fclose(in); + if(fileno(out) != 1) + fclose(out); return out_size; - errec2: - - errec1: - memset(symkey, 0, crypto_secretbox_KEYBYTES); - free(symkey); - free(recipients_cipher); - - - fclose(in); - fclose(out); - return 0; } - diff --git a/src/encryption.c b/src/encryption.c index 3a3a852..b25b766 100644 --- a/src/encryption.c +++ b/src/encryption.c @@ -26,22 +26,11 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) { FILE *in = NULL; FILE *out = NULL; pcp_key_t *secret = NULL; + unsigned char *symkey = NULL; + size_t dlen; + uint8_t head; + - if(useid) { - HASH_FIND_STR(pcpkey_hash, id, secret); - if(secret == NULL) { - fatal("Could not find a secret key with id 0x%s in vault %s!\n", - id, vault->filename); - goto errde3; - } - } - else { - secret = pcp_find_primary_secret(); - if(secret == NULL) { - fatal("Could not find a secret key in vault %s!\n", id, vault->filename); - goto errde3; - } - } if(infile == NULL) in = stdin; @@ -61,24 +50,72 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) { } } - if(secret->secret[0] == 0) { - // encrypted, decrypt it - char *passphrase; - if(passwd == NULL) { - pcp_readpass(&passphrase, - "Enter passphrase to decrypt your secret key", NULL, 1); + // determine crypt mode + fread(&head, 1, 1, in); + if(!feof(in) && !ferror(in)) { + if(head == PCP_SYM_CIPHER) { + // symetric mode + unsigned char *salt = ucmalloc(90); + char stsalt[] = PBP_COMPAT_SALT; + memcpy(salt, stsalt, 90); + + char *passphrase; + if(passwd == NULL) { + pcp_readpass(&passphrase, + "Enter passphrase for symetric decryption", NULL, 1); + } + else { + passphrase = ucmalloc(strlen(passwd)+1); + strncpy(passphrase, passwd, strlen(passwd)+1); + } + + symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt); + free(salt); } else { - passphrase = ucmalloc(strlen(passwd)+1); - strncpy(passphrase, passwd, strlen(passwd)+1); - } + // asymetric mode + if(useid) { + HASH_FIND_STR(pcpkey_hash, id, secret); + if(secret == NULL) { + fatal("Could not find a secret key with id 0x%s in vault %s!\n", + id, vault->filename); + goto errde3; + } + } + else { + secret = pcp_find_primary_secret(); + if(secret == NULL) { + fatal("Could not find a secret key in vault %s!\n", id, vault->filename); + goto errde3; + } + } + if(secret->secret[0] == 0) { + // encrypted, decrypt it + char *passphrase; + if(passwd == NULL) { + pcp_readpass(&passphrase, + "Enter passphrase to decrypt your secret key", NULL, 1); + } + else { + passphrase = ucmalloc(strlen(passwd)+1); + strncpy(passphrase, passwd, strlen(passwd)+1); + } - secret = pcpkey_decrypt(secret, passphrase); - if(secret == NULL) - goto errde3; + secret = pcpkey_decrypt(secret, passphrase); + if(secret == NULL) + goto errde3; + } + } + } + else { + fatal("Could not determine input file type\n"); + goto errde3; } - size_t dlen = pcp_decrypt_file(in, out, secret); + if(symkey == NULL) + dlen = pcp_decrypt_file(in, out, secret, NULL); + else + dlen = pcp_decrypt_file(in, out, NULL, symkey); if(dlen > 0) { fprintf(stderr, "Decrypted %d bytes successfully\n", @@ -100,14 +137,32 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec pcp_pubkey_t *tmp = NULL; pcp_pubkey_t *pub = NULL; pcp_key_t *secret = NULL; + unsigned char *symkey; int self = 0; + if(id == NULL && recipient == NULL) { + // self mode + self = 1; + char *passphrase; + if(passwd == NULL) { + pcp_readpass(&passphrase, + "Enter passphrase for symetric encryption", "Repeat passphrase", 1); + } + else { + passphrase = ucmalloc(strlen(passwd)+1); + strncpy(passphrase, passwd, strlen(passwd)+1); + } + unsigned char *salt = ucmalloc(90); + char stsalt[] = PBP_COMPAT_SALT; + memcpy(salt, stsalt, 90); + symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt); + free(salt); + } + else if(id != NULL) { // FIXME: mk id a plist_t with loop as well - if(id != NULL) { // lookup by id HASH_FIND_STR(pcppubkey_hash, id, tmp); if(tmp == NULL) { - // FIXME: use recipient to lookup by name or email // self-encryption: look if its a secret one pcp_key_t *s = NULL; HASH_FIND_STR(pcpkey_hash, id, s); @@ -152,38 +207,36 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec goto erren3; } } - else { - fatal("id or recipient list required!\n"); - goto erren3; - } + if(self != 1) { // we're using a random secret keypair on our side #ifdef PCP_ASYM_ADD_SENDER_PUB - secret = pcpkey_new(); + secret = pcpkey_new(); #else - secret = pcp_find_primary_secret(); - if(secret == NULL) { - fatal("Could not find a secret key in vault %s!\n", id, vault->filename); - goto erren2; - } - - if(secret->secret[0] == 0) { - // encrypted, decrypt it - char *passphrase; - if(passwd == NULL) { - pcp_readpass(&passphrase, - "Enter passphrase to decrypt your secret key", NULL, 1); - } - else { - passphrase = ucmalloc(strlen(passwd)+1); - strncpy(passphrase, passwd, strlen(passwd)+1); - } - secret = pcpkey_decrypt(secret, passphrase); - if(secret == NULL) + secret = pcp_find_primary_secret(); + if(secret == NULL) { + fatal("Could not find a secret key in vault %s!\n", id, vault->filename); goto erren2; - } + } + + if(secret->secret[0] == 0) { + // encrypted, decrypt it + char *passphrase; + if(passwd == NULL) { + pcp_readpass(&passphrase, + "Enter passphrase to decrypt your secret key", NULL, 1); + } + else { + passphrase = ucmalloc(strlen(passwd)+1); + strncpy(passphrase, passwd, strlen(passwd)+1); + } + secret = pcpkey_decrypt(secret, passphrase); + if(secret == NULL) + goto erren2; + } #endif + } if(infile == NULL) in = stdin; @@ -203,13 +256,20 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec } } - size_t clen = pcp_encrypt_file(in, out, secret, pubhash, self); + size_t clen; + + if(self == 1) + pcp_encrypt_file_sym(in, out, symkey, 0); + else + clen = pcp_encrypt_file(in, out, secret, pubhash); if(clen > 0) { - if(id != NULL) - fprintf(stderr, "Encrypted %d bytes for 0x%s successfully\n", (int)clen, id); + if(id == NULL && recipient == NULL) + fprintf(stderr, "Encrypted %ld bytes symetrically\n", clen); + else if(id != NULL) + fprintf(stderr, "Encrypted %ld bytes for 0x%s successfully\n", clen, id); else { - fprintf(stderr, "Encrypted %d bytes for:\n", (int)clen); + fprintf(stderr, "Encrypted %ld bytes for:\n", clen); pcp_pubkey_t *cur, *t; HASH_ITER(hh, pubhash, cur, t) { fprintf(stderr, "%s <%s>\n", cur->owner, cur->mail); diff --git a/src/pcp.c b/src/pcp.c index ba54854..660830a 100644 --- a/src/pcp.c +++ b/src/pcp.c @@ -63,6 +63,7 @@ int main (int argc, char **argv) { useid = 0; userec = 0; lo = 0; + static struct option longopts[] = { // generics { "vault", required_argument, NULL, 'V' }, @@ -86,6 +87,7 @@ int main (int argc, char **argv) { // crypto { "encrypt", no_argument, NULL, 'e' }, + { "encrypt-me", no_argument, NULL, 'm' }, { "decrypt", no_argument, NULL, 'd' }, // encoding @@ -103,7 +105,7 @@ int main (int argc, char **argv) { { NULL, 0, NULL, 0 } }; - while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:y", + while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:ym", longopts, NULL)) != -1) { switch (opt) { @@ -156,6 +158,9 @@ int main (int argc, char **argv) { mode += PCP_MODE_ENCRYPT; usevault = 1; break; + case 'm': + mode += PCP_MODE_ENCRYPT_ME; + break; case 'd': mode += PCP_MODE_DECRYPT; usevault = 1; @@ -336,11 +341,8 @@ int main (int argc, char **argv) { pcpencrypt(NULL, infile, outfile, xpass, recipient); } else if(useid == 0 && userec == 0) { - // self mode - pcp_key_t *k = pcp_find_primary_secret(); - id = ucmalloc(17); - memcpy(id, k->id, 17); - pcpencrypt(id, infile, outfile, xpass, NULL); + // self mode, same as -m + pcpencrypt(NULL, infile, outfile, xpass, NULL); } else { // -i and -r specified @@ -403,28 +405,32 @@ int main (int argc, char **argv) { pcpz85_decode(infile, outfile); break; - case PCP_MODE_TEXT: - if(infile != NULL) { - pcptext_infile(infile); + case PCP_MODE_ENCRYPT_ME: + pcpencrypt(NULL, infile, outfile, xpass, NULL); + break; + + case PCP_MODE_TEXT: + if(infile != NULL) { + pcptext_infile(infile); + } + else { + pcphash_init(); + vault = pcpvault_init(vaultfile); + if(! useid && infile == NULL) { + pcptext_vault(vault); } else { - pcphash_init(); - vault = pcpvault_init(vaultfile); - if(! useid && infile == NULL) { - pcptext_vault(vault); + id = pcp_normalize_id(keyid); + if(id != NULL) { + pcptext_key(id); + free(id); } - else { - id = pcp_normalize_id(keyid); - if(id != NULL) { - pcptext_key(id); - free(id); - } - } - pcpvault_close(vault); - pcphash_clean(); - ucfree(vaultfile); } - break; + pcpvault_close(vault); + pcphash_clean(); + ucfree(vaultfile); + } + break; default: // mode params mixed diff --git a/src/pcp.h b/src/pcp.h index 87249d8..c4ef384 100644 --- a/src/pcp.h +++ b/src/pcp.h @@ -65,7 +65,8 @@ #define PCP_MODE_ZDECODE 0x00000962 #define PCP_MODE_SIGN 0x00000FF6 #define PCP_MODE_VERIFY 0x00001B25 -#define PCP_MODE_YAML 0x00002E25 +#define PCP_MODE_YAML 0x00002E27 +#define PCP_MODE_ENCRYPT_ME 0x00004E77 /* 0x00001B25 diff --git a/src/usage.h b/src/usage.h index a00a506..41e1f76 100644 --- a/src/usage.h +++ b/src/usage.h @@ -60,14 +60,22 @@ " as YAML formatted text. Use -O to put\n" \ " the export into a file.\n" \ "Encryption Options:\n" \ -"-e --encrypt Encrypt a message. Read from stdin or\n" \ -" specified via -I. If a keyid (-i) has been\n" \ +"-e --encrypt Asym-Encrypt a message. Read from stdin or\n" \ +" specified via -I. Output will be written\n" \ +" to stdout or the file given with -O.\n" \ +" If a keyid (-i) has been\n" \ " given, use that public key for encryption.\n" \ -" If a recipient (-r) has been given, use\n" \ -" a derived public key. If none of -i or\n" \ -" -r has been given, use the primary\n" \ -" secret key and the public part of it\n" \ -" for encrytion (self-encryption mode).\n" \ +" If one or more recipient (-r) has been given,\n" \ +" encrypt the message for all recipients\n" \ +" asymetrically, given there are matching\n" \ +" public keys installed in the vault for them.\n" \ +" If none of -i or -r has been given, encrypt\n" \ +" the message symetrically. This is the same\n" \ +" as -m (self-encryption mode).\n" \ +"-m --encrypt-me Sym-Encrypt a message. Specify -I and/or\n" \ +" -O for input/output file. You will be asked\n" \ +" for a passphrase. No key material will\n" \ +" be used. Same as -e without -r and -i.\n" \ "-d --decrypt Decrypt a message. Read from stdin or\n" \ " specified via -I. Output to stdout or\n" \ " written to the file specified via -O.\n" \ @@ -76,6 +84,10 @@ " just one secret key in the vault, this\n" \ " one will be used. Otherwise you'll have\n" \ " to specify the keyid (-i) of the key.\n" \ +" You need to have the public key of the\n" \ +" sender installed in your vault.\n" \ +" If the input is self-encrypted (symetrically)\n" \ +" a passphrase will be requested.\n" \ "\n" \ "Signature Options:\n" \ "-g --sign Create a signature of file specified with\n" \ diff --git a/src/usage.txt b/src/usage.txt index cf9fa34..5321b0c 100644 --- a/src/usage.txt +++ b/src/usage.txt @@ -58,14 +58,22 @@ Keymanagement Options: as YAML formatted text. Use -O to put the export into a file. Encryption Options: --e --encrypt Encrypt a message. Read from stdin or - specified via -I. If a keyid (-i) has been +-e --encrypt Asym-Encrypt a message. Read from stdin or + specified via -I. Output will be written + to stdout or the file given with -O. + If a keyid (-i) has been given, use that public key for encryption. - If a recipient (-r) has been given, use - a derived public key. If none of -i or - -r has been given, use the primary - secret key and the public part of it - for encrytion (self-encryption mode). + If one or more recipient (-r) has been given, + encrypt the message for all recipients + asymetrically, given there are matching + public keys installed in the vault for them. + If none of -i or -r has been given, encrypt + the message symetrically. This is the same + as -m (self-encryption mode). +-m --encrypt-me Sym-Encrypt a message. Specify -I and/or + -O for input/output file. You will be asked + for a passphrase. No key material will + be used. Same as -e without -r and -i. -d --decrypt Decrypt a message. Read from stdin or specified via -I. Output to stdout or written to the file specified via -O. @@ -74,6 +82,10 @@ Encryption Options: just one secret key in the vault, this one will be used. Otherwise you'll have to specify the keyid (-i) of the key. + You need to have the public key of the + sender installed in your vault. + If the input is self-encrypted (symetrically) + a passphrase will be requested. Signature Options: -g --sign Create a signature of file specified with