implemented pbp-compatible self encryption mode (symetrical encryption using scrypt(passphrase, static nonce), no pk)

include/pcp/crypto.h

@@ -53,10 +53,12 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
                                unsigned char *cipher, size_t ciphersize,
 			       size_t *dsize);
 
-size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self);
+size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p);
 
-size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s);
+size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey);
 
+size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead);
 
+size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey);
 
 #endif // _HAVE_PCP_CRYPTO_H

include/pcp/defines.h

@@ -67,12 +67,16 @@ typedef unsigned int    qbyte;          //  Quad byte = 32 bits
 
 // crypto file format stuff
 #define PCP_ASYM_CIPHER         5
-#define PCP_BLOCK_CIPHER        23
+#define PCP_SYM_CIPHER          23
 #define PCP_BLOCK_SIZE          32 * 1024
 #define PCP_BLOCK_SIZE_IN       (PCP_BLOCK_SIZE) + 16 + crypto_secretbox_NONCEBYTES
-#define PCP_ASYM_RECIPIENT_SIZE ((crypto_secretbox_KEYBYTES + crypto_box_ZEROBYTES) - crypto_box_BOXZEROBYTES) +  crypto_secretbox_NONCEBYTES
+#define PCP_CRYPTO_ADD          (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
+#define PCP_ASYM_RECIPIENT_SIZE crypto_secretbox_KEYBYTES + PCP_CRYPTO_ADD +  crypto_secretbox_NONCEBYTES
 //#define PCP_ASYM_ADD_SENDER_PUB
 
+// used for self encryption only
+#define PBP_COMPAT_SALT "qa~t](84z<1t<1oz:ik.@IRNyhG=8q(on9}4#!/_h#a7wqK{Nt$T?W>,mt8NqYq&6U<GB1$,<$j>,rSYI2GRDd:Bcm"
+
 // error handling
 extern char *PCP_ERR;
 extern byte PCP_ERRSET;

libpcp/crypto.c

@@ -149,7 +149,7 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
 
   // resulting size:
   // ciphersize - crypto_secretbox_ZEROBYTES
-  *dsize = ciphersize - crypto_secretbox_NONCEBYTES - 16;
+  *dsize = ciphersize - crypto_secretbox_NONCEBYTES - PCP_CRYPTO_ADD;
   return message;
 
  errbed:
@@ -162,31 +162,47 @@ unsigned char *pcp_box_decrypt(pcp_key_t *secret, pcp_pubkey_t *pub,
 }
 
 
-size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) {
+size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s, unsigned char *symkey) {
-  unsigned char *symkey = NULL;
   pcp_pubkey_t *cur, *sender;
-  size_t es;
   int nrec, recmatch;
   uint32_t lenrec;
   uint8_t head;
-  size_t cur_bufsize, rec_size, out_size;
+  size_t cur_bufsize, rec_size;
-  size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES;
+  
-  unsigned char in_buf[PCP_BLOCK_SIZE_IN];
   unsigned char rec_buf[PCP_ASYM_RECIPIENT_SIZE];
-  unsigned char *buf_nonce;
+
-  unsigned char *buf_cipher;
-  unsigned char *buf_clear;
 #ifdef PCP_ASYM_ADD_SENDER_PUB
   unsigned char *senderpub;
 #endif
+  int self = 0;
 
-  // step 1, check header
+  if(ftell(in) == 1) {
-  cur_bufsize = fread(&head, 1, 1, in);
+    // header has already been determined outside the lib
-  if(cur_bufsize != 1 && !feof(in) && !ferror(in))
+    if(symkey != NULL)
-    if(head !=  PCP_ASYM_CIPHER) {
+      self = 1;
-      fatal("Error: input file is not asymetrically encrypted\n"); // FIXME: check for sym
+  }
-      goto errdef1;
+  else {
+    // step 1, check header
+    cur_bufsize = fread(&head, 1, 1, in);
+    if(cur_bufsize != 1 && !feof(in) && !ferror(in)) {
+      if(head == PCP_SYM_CIPHER) {
+	if(symkey != NULL)
+	  self = 1;
+	else {
+	  fatal("Input is symetrically encrypted but no key have been specified (lib usage failure)\n");
+	  goto errdef1;
+	}
+      }
+      else if(head == PCP_ASYM_CIPHER) {
+	self = 0;
+      }
     }
+  }
+
+  if(self) {
+    // just decrypt symetrically and go outa here
+    return pcp_decrypt_file_sym(in, out, symkey);
+  }
 
 #ifdef PCP_ASYM_ADD_SENDER_PUB
   // step 2, sender's pubkey
@@ -233,47 +249,14 @@ size_t pcp_decrypt_file(FILE *in, FILE* out, pcp_key_t *s) {
   }
   
   // step 5, actually decrypt the file, finally
-  buf_nonce  = ucmalloc(crypto_secretbox_NONCEBYTES);
+  return pcp_decrypt_file_sym(in, out, symkey);
-  buf_cipher = ucmalloc(ciphersize);
-  out_size = 0;
-  while(!feof(in)) {
-    cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in);
-    if(cur_bufsize <= 16)
-      break; // no valid cipher block
-    ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES;
-    memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES);
-    memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize);
 
-    es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey);
-    if(es == 0) {
-      fwrite(buf_clear, ciphersize - 16, 1, out);
-      if(ferror(out) != 0) {
-	fatal("Failed to write decrypted output!\n");
-	goto errdef2;
-      }
-    }
-    else {
-      fatal("Failed to decrypt file content!\n");
-      goto errdef2;
-    }
-    out_size += ciphersize - 16;
-  }
-
-  fclose(in);
-  fclose(out); // FIXME: check for stdin/stdout
-
-  return out_size;
-
- errdef2:
-  free(buf_nonce);
-  free(buf_cipher);
-  free(symkey);
 
  errdef1:
   return 0;
 }
 
-size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int self) {
+size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p) {
   unsigned char *symkey;
   int recipient_count;
   unsigned char *recipients_cipher;
@@ -281,10 +264,9 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
   size_t es;
   int nrec;
   uint32_t lenrec;
-  size_t cur_bufsize, rec_size, out_size;
+  size_t rec_size, out_size;
-  unsigned char in_buf[PCP_BLOCK_SIZE];
+ 
-  unsigned char *buf_nonce;
+ 
-  unsigned char *buf_cipher;
 
   /*
     Correct format should be:
@@ -350,7 +332,51 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
   out_size = 5 + (rec_size * recipient_count) + crypto_box_PUBLICKEYBYTES;
 
   // step 5, actual encrypted data
-  cur_bufsize = 0;
+  size_t sym_size = pcp_encrypt_file_sym(in, out, symkey, 1);
+  if(sym_size == 0)
+    goto errec1;
+
+
+  return out_size + sym_size;
+
+  
+
+ errec1:
+  memset(symkey, 0, crypto_secretbox_KEYBYTES);
+  free(symkey);
+  free(recipients_cipher);
+
+  if(fileno(in) != 0)
+    fclose(in);
+  if(fileno(out) != 1)
+    fclose(out);
+
+  return 0;
+}
+
+size_t pcp_encrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey, int havehead) {
+  /*
+    havehead = 0: write the whole thing from here
+    havehead = 1: no header, being called from asym...
+  */
+
+  unsigned char *buf_nonce;
+  unsigned char *buf_cipher;
+  unsigned char in_buf[PCP_BLOCK_SIZE];
+  size_t cur_bufsize = 0;
+  size_t out_size = 0;
+  size_t es;
+
+  if(havehead == 0) {
+    uint8_t head = PCP_SYM_CIPHER;
+    fwrite(&head, 1, 1, out);
+    if(ferror(out) != 0) {
+      fatal("Failed to write encrypted output!\n");
+      return 0;
+    }
+  }
+
+
 
   while(!feof(in)) {
     cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE, in);
@@ -369,25 +395,67 @@ size_t pcp_encrypt_file(FILE *in, FILE* out, pcp_key_t *s, pcp_pubkey_t *p, int
 
   if(ferror(out) != 0) {
     fatal("Failed to write encrypted output!\n");
-    goto errec2;
+    return 0;
   }
 
-  fclose(in);
+  if(fileno(in) != 0)
-  fclose(out); // FIXME: check for stdin/stdout
+    fclose(in);
+  if(fileno(out) != 1)
+    fclose(out);
+
+  return out_size;
+}
+
+size_t pcp_decrypt_file_sym(FILE *in, FILE* out, unsigned char *symkey) {
+  unsigned char *buf_nonce;
+  unsigned char *buf_cipher;
+  unsigned char *buf_clear;
+  size_t out_size, cur_bufsize, es;
+  size_t ciphersize = (PCP_BLOCK_SIZE_IN) - crypto_secretbox_NONCEBYTES;
+  unsigned char in_buf[PCP_BLOCK_SIZE_IN];
+
+  buf_nonce  = ucmalloc(crypto_secretbox_NONCEBYTES);
+  buf_cipher = ucmalloc(ciphersize);
+  out_size = 0;
+
+  while(!feof(in)) {
+    cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE_IN, in);
+    if(cur_bufsize <= PCP_CRYPTO_ADD)
+      break; // no valid cipher block
+
+    ciphersize = cur_bufsize - crypto_secretbox_NONCEBYTES;
+    memcpy(buf_nonce, in_buf, crypto_secretbox_NONCEBYTES);
+    memcpy(buf_cipher, &in_buf[crypto_secretbox_NONCEBYTES], ciphersize);
+
+    es = pcp_sodium_verify_mac(&buf_clear, buf_cipher, ciphersize, buf_nonce, symkey);
+    out_size += ciphersize - PCP_CRYPTO_ADD;
+
+    if(es == 0) {
+      fwrite(buf_clear, ciphersize - PCP_CRYPTO_ADD, 1, out);
+      free(buf_clear);
+      if(ferror(out) != 0) {
+	fatal("Failed to write decrypted output!\n");
+	out_size = 0;
+	break;
+      }
+    }
+    else {
+      fatal("Failed to decrypt file content!\n");
+      free(buf_clear);
+      out_size = 0;
+      break;
+    }
+  }
+
+  free(buf_nonce);
+  free(buf_cipher);
+
+  if(fileno(in) != 0)
+    fclose(in);
+  if(fileno(out) != 1)
+    fclose(out);
 
   return out_size;
 
- errec2:
   
-
- errec1:
-  memset(symkey, 0, crypto_secretbox_KEYBYTES);
-  free(symkey);
-  free(recipients_cipher);
-
-
-  fclose(in);
-  fclose(out);
-  return 0;
 }
-

src/encryption.c

@@ -26,22 +26,11 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
   FILE *in = NULL;
   FILE *out = NULL;
   pcp_key_t *secret = NULL;
+  unsigned char *symkey = NULL;
+  size_t dlen;
+  uint8_t head;
+
 
-  if(useid) {
-    HASH_FIND_STR(pcpkey_hash, id, secret);
-    if(secret == NULL) {
-      fatal("Could not find a secret key with id 0x%s in vault %s!\n",
-	    id, vault->filename);
-      goto errde3;
-    }
-  }
-  else {
-    secret = pcp_find_primary_secret();
-    if(secret == NULL) {
-      fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
-      goto errde3;
-    }
-  }
 
   if(infile == NULL)
     in = stdin;
@@ -61,24 +50,72 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd) {
     }
   }
 
-  if(secret->secret[0] == 0) {
+  // determine crypt mode
-    // encrypted, decrypt it
+  fread(&head, 1, 1, in);
-    char *passphrase;
+  if(!feof(in) && !ferror(in)) {
-    if(passwd == NULL) {
+    if(head == PCP_SYM_CIPHER) {
-      pcp_readpass(&passphrase,
+      // symetric mode
-		   "Enter passphrase to decrypt your secret key", NULL, 1);
+      unsigned char *salt = ucmalloc(90);
+      char stsalt[] = PBP_COMPAT_SALT;
+      memcpy(salt, stsalt, 90);
+
+      char *passphrase;
+      if(passwd == NULL) {
+	pcp_readpass(&passphrase,
+		     "Enter passphrase for symetric decryption", NULL, 1);
+      }
+      else {
+	passphrase = ucmalloc(strlen(passwd)+1);
+	strncpy(passphrase, passwd, strlen(passwd)+1);
+      }
+
+      symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
+      free(salt);
     }
     else {
-      passphrase = ucmalloc(strlen(passwd)+1);
+      // asymetric mode
-      strncpy(passphrase, passwd, strlen(passwd)+1);
+      if(useid) {
-    }
+	HASH_FIND_STR(pcpkey_hash, id, secret);
+	if(secret == NULL) {
+	  fatal("Could not find a secret key with id 0x%s in vault %s!\n",
+		id, vault->filename);
+	  goto errde3;
+	}
+      }
+      else {
+	secret = pcp_find_primary_secret();
+	if(secret == NULL) {
+	  fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
+	  goto errde3;
+	}
+      }
+      if(secret->secret[0] == 0) {
+	// encrypted, decrypt it
+	char *passphrase;
+	if(passwd == NULL) {
+	  pcp_readpass(&passphrase,
+		       "Enter passphrase to decrypt your secret key", NULL, 1);
+	}
+	else {
+	  passphrase = ucmalloc(strlen(passwd)+1);
+	  strncpy(passphrase, passwd, strlen(passwd)+1);
+	}
 
-    secret = pcpkey_decrypt(secret, passphrase);
+	secret = pcpkey_decrypt(secret, passphrase);
-    if(secret == NULL)
+	if(secret == NULL)
-      goto errde3;
+	  goto errde3;
+      }
+    }
+  }
+  else {
+    fatal("Could not determine input file type\n");
+    goto errde3;
   }
 
-  size_t dlen = pcp_decrypt_file(in, out, secret);
+  if(symkey == NULL)
+    dlen = pcp_decrypt_file(in, out, secret, NULL);
+  else
+    dlen = pcp_decrypt_file(in, out, NULL, symkey);
 
   if(dlen > 0) {
     fprintf(stderr, "Decrypted %d bytes successfully\n",
@@ -100,14 +137,32 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
   pcp_pubkey_t *tmp = NULL;
   pcp_pubkey_t *pub = NULL;
   pcp_key_t *secret = NULL;
+  unsigned char *symkey;
   int self = 0;
 
+  if(id == NULL && recipient == NULL) {
+    // self mode
+    self = 1;
+    char *passphrase;
+    if(passwd == NULL) {
+      pcp_readpass(&passphrase,
+                   "Enter passphrase for symetric encryption", "Repeat passphrase", 1);
+    }
+    else {
+      passphrase = ucmalloc(strlen(passwd)+1);
+      strncpy(passphrase, passwd, strlen(passwd)+1);
+    }
+    unsigned char *salt = ucmalloc(90);
+    char stsalt[] = PBP_COMPAT_SALT;
+    memcpy(salt, stsalt, 90);
+    symkey = pcp_scrypt(passphrase, crypto_secretbox_KEYBYTES, salt);
+    free(salt);
+  }
+  else if(id != NULL) {
   // FIXME: mk id a plist_t with loop as well
-  if(id != NULL) {
     // lookup by id
     HASH_FIND_STR(pcppubkey_hash, id, tmp);
     if(tmp == NULL) {
-      // FIXME: use recipient to lookup by name or email
       // self-encryption: look if its a secret one
       pcp_key_t *s = NULL;
       HASH_FIND_STR(pcpkey_hash, id, s);
@@ -152,38 +207,36 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
       goto erren3;
     }
   }
-  else {
-    fatal("id or recipient list required!\n");
-    goto erren3;
-  }
 
 
+  if(self != 1) {
   // we're using a random secret keypair on our side
 #ifdef PCP_ASYM_ADD_SENDER_PUB
-  secret = pcpkey_new();
+    secret = pcpkey_new();
 #else
-  secret = pcp_find_primary_secret();
+    secret = pcp_find_primary_secret();
-  if(secret == NULL) {
+    if(secret == NULL) {
-    fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
+      fatal("Could not find a secret key in vault %s!\n", id, vault->filename);
-    goto erren2;
-  }
-
-  if(secret->secret[0] == 0) {
-    // encrypted, decrypt it
-    char *passphrase;
-    if(passwd == NULL) {
-      pcp_readpass(&passphrase,
-                   "Enter passphrase to decrypt your secret key", NULL, 1);
-    }
-    else {
-      passphrase = ucmalloc(strlen(passwd)+1);
-      strncpy(passphrase, passwd, strlen(passwd)+1);
-    }
-    secret = pcpkey_decrypt(secret, passphrase);
-    if(secret == NULL)
       goto erren2;
-  }
+    }
+
+    if(secret->secret[0] == 0) {
+      // encrypted, decrypt it
+      char *passphrase;
+      if(passwd == NULL) {
+	pcp_readpass(&passphrase,
+		     "Enter passphrase to decrypt your secret key", NULL, 1);
+      }
+      else {
+	passphrase = ucmalloc(strlen(passwd)+1);
+	strncpy(passphrase, passwd, strlen(passwd)+1);
+      }
+      secret = pcpkey_decrypt(secret, passphrase);
+      if(secret == NULL)
+	goto erren2;
+    }
 #endif
+  }
 
   if(infile == NULL)
     in = stdin;
@@ -203,13 +256,20 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
     }
   }
 
-  size_t clen = pcp_encrypt_file(in, out, secret, pubhash, self);
+  size_t clen;
+
+  if(self == 1)
+    pcp_encrypt_file_sym(in, out, symkey, 0);
+  else
+    clen = pcp_encrypt_file(in, out, secret, pubhash);
 
   if(clen > 0) {
-    if(id != NULL)
+    if(id == NULL && recipient == NULL)
-      fprintf(stderr, "Encrypted %d bytes for 0x%s successfully\n", (int)clen, id);
+      fprintf(stderr, "Encrypted %ld bytes symetrically\n", clen);
+    else if(id != NULL)
+      fprintf(stderr, "Encrypted %ld bytes for 0x%s successfully\n", clen, id);
     else {
-      fprintf(stderr, "Encrypted %d bytes for:\n", (int)clen);
+      fprintf(stderr, "Encrypted %ld bytes for:\n", clen);
       pcp_pubkey_t *cur, *t;
       HASH_ITER(hh, pubhash, cur, t) {
 	fprintf(stderr, "%s <%s>\n", cur->owner, cur->mail);

src/pcp.c

@@ -63,6 +63,7 @@ int main (int argc, char **argv)  {
   useid = 0;
   userec = 0;
   lo = 0;
+
   static struct option longopts[] = {
     // generics
     { "vault",           required_argument, NULL,           'V' },
@@ -86,6 +87,7 @@ int main (int argc, char **argv)  {
 
     // crypto
     {  "encrypt",        no_argument,       NULL,           'e' },
+    {  "encrypt-me",     no_argument,       NULL,           'm' },
     {  "decrypt",        no_argument,       NULL,           'd' },
 
     // encoding
@@ -103,7 +105,7 @@ int main (int argc, char **argv)  {
     { NULL,              0,                 NULL,            0 }
   };
 
-  while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:y",
+  while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:ym",
 			    longopts, NULL)) != -1) {
   
     switch (opt)  {
@@ -156,6 +158,9 @@ int main (int argc, char **argv)  {
 	mode += PCP_MODE_ENCRYPT;
 	usevault = 1;
 	break;
+      case 'm':
+	mode += PCP_MODE_ENCRYPT_ME;
+	break;
       case 'd':
 	mode += PCP_MODE_DECRYPT;
 	usevault = 1;
@@ -336,11 +341,8 @@ int main (int argc, char **argv)  {
 	  pcpencrypt(NULL, infile, outfile, xpass, recipient);
 	}
         else if(useid == 0 && userec == 0) {
-	  // self mode
+	  // self mode, same as -m
-          pcp_key_t *k = pcp_find_primary_secret();
+	  pcpencrypt(NULL, infile, outfile, xpass, NULL);
-	  id = ucmalloc(17);
-          memcpy(id, k->id, 17);
-	  pcpencrypt(id, infile, outfile, xpass, NULL);
         }
 	else {
 	  // -i and -r specified
@@ -403,28 +405,32 @@ int main (int argc, char **argv)  {
       pcpz85_decode(infile, outfile);
       break;
 
-      case PCP_MODE_TEXT:
+    case PCP_MODE_ENCRYPT_ME:
-	if(infile != NULL) {
+      pcpencrypt(NULL, infile, outfile, xpass, NULL);
-	  pcptext_infile(infile);
+      break;
+
+    case PCP_MODE_TEXT:
+      if(infile != NULL) {
+	pcptext_infile(infile);
+      }
+      else {
+	pcphash_init();
+	vault = pcpvault_init(vaultfile);
+	if(! useid && infile == NULL) {
+	  pcptext_vault(vault);
 	}
 	else {
-	  pcphash_init();
+	  id = pcp_normalize_id(keyid);
-	  vault = pcpvault_init(vaultfile);
+	  if(id != NULL) {
-	  if(! useid && infile == NULL) {
+	    pcptext_key(id);
-	    pcptext_vault(vault);
+	    free(id);
 	  }
-	  else {
-	    id = pcp_normalize_id(keyid);
-	    if(id != NULL) {
-	      pcptext_key(id);
-	      free(id);
-	    }
-	  }
-	  pcpvault_close(vault);
-	  pcphash_clean();
-	  ucfree(vaultfile);
 	}
-	break;
+	pcpvault_close(vault);
+	pcphash_clean();
+	ucfree(vaultfile);
+      }
+      break;
 
     default:
       // mode params mixed

src/pcp.h

@@ -65,7 +65,8 @@
 #define PCP_MODE_ZDECODE       0x00000962
 #define PCP_MODE_SIGN          0x00000FF6
 #define PCP_MODE_VERIFY        0x00001B25
-#define PCP_MODE_YAML          0x00002E25
+#define PCP_MODE_YAML          0x00002E27
+#define PCP_MODE_ENCRYPT_ME    0x00004E77
 
 /*
 0x00001B25

src/usage.h

@@ -60,14 +60,22 @@
 "                          as YAML formatted text. Use -O to put\n" \
 "                          the export into a file.\n" \
 "Encryption Options:\n" \
-"-e --encrypt              Encrypt a message. Read from stdin or\n" \
+"-e --encrypt              Asym-Encrypt a message. Read from stdin or\n" \
-"                          specified via -I. If a keyid (-i) has been\n" \
+"                          specified via -I. Output will be written\n" \
+"                          to stdout or the file given with -O.\n" \
+"                          If a keyid (-i) has been\n" \
 "                          given, use that public key for encryption.\n" \
-"                          If a recipient (-r) has been given, use\n" \
+"                          If one or more recipient (-r) has been given,\n" \
-"                          a derived public key. If none of -i or\n" \
+"                          encrypt the message for all recipients\n" \
-"                          -r has been given, use the primary\n" \
+"                          asymetrically, given there are matching\n" \
-"                          secret key and the public part of it\n" \
+"                          public keys installed in the vault for them.\n" \
-"                          for encrytion (self-encryption mode).\n" \
+"                          If none of -i or -r has been given, encrypt\n" \
+"                          the message symetrically. This is the same\n" \
+"                          as -m (self-encryption mode).\n" \
+"-m --encrypt-me           Sym-Encrypt a message. Specify -I and/or\n" \
+"                          -O for input/output file. You will be asked\n" \
+"                          for a passphrase. No key material will\n" \
+"                          be used. Same as -e without -r and -i.\n" \
 "-d --decrypt              Decrypt a message. Read from stdin or\n" \
 "                          specified via -I. Output to stdout or\n" \
 "                          written to the file specified via -O.\n" \
@@ -76,6 +84,10 @@
 "                          just one secret key in the vault, this\n" \
 "                          one will be used. Otherwise you'll have\n" \
 "                          to specify the keyid (-i) of the key.\n" \
+"                          You need to have the public key of the\n" \
+"                          sender installed in your vault.\n" \
+"                          If the input is self-encrypted (symetrically)\n" \
+"                          a passphrase will be requested.\n" \
 "\n" \
 "Signature Options:\n" \
 "-g --sign                 Create a signature of file specified with\n" \

src/usage.txt

@@ -58,14 +58,22 @@ Keymanagement Options:
                           as YAML formatted text. Use -O to put
                           the export into a file.
 Encryption Options:
--e --encrypt              Encrypt a message. Read from stdin or
+-e --encrypt              Asym-Encrypt a message. Read from stdin or
-                          specified via -I. If a keyid (-i) has been
+                          specified via -I. Output will be written
+                          to stdout or the file given with -O.
+                          If a keyid (-i) has been
                           given, use that public key for encryption.
-                          If a recipient (-r) has been given, use
+                          If one or more recipient (-r) has been given,
-                          a derived public key. If none of -i or
+                          encrypt the message for all recipients
-                          -r has been given, use the primary
+                          asymetrically, given there are matching
-                          secret key and the public part of it
+                          public keys installed in the vault for them.
-                          for encrytion (self-encryption mode).
+                          If none of -i or -r has been given, encrypt
+                          the message symetrically. This is the same
+                          as -m (self-encryption mode).
+-m --encrypt-me           Sym-Encrypt a message. Specify -I and/or
+                          -O for input/output file. You will be asked
+                          for a passphrase. No key material will
+                          be used. Same as -e without -r and -i.
 -d --decrypt              Decrypt a message. Read from stdin or
                           specified via -I. Output to stdout or
                           written to the file specified via -O.
@@ -74,6 +82,10 @@ Encryption Options:
                           just one secret key in the vault, this
                           one will be used. Otherwise you'll have
                           to specify the keyid (-i) of the key.
+                          You need to have the public key of the
+                          sender installed in your vault.
+                          If the input is self-encrypted (symetrically)
+                          a passphrase will be requested.
 
 Signature Options:
 -g --sign                 Create a signature of file specified with