Scroll to navigation

SECRECY(1) User's Manual SECRECY(1)

NAME

secrecy - libsecrecy encryption and key management tool

SYNOPSIS

secrecy createKey cipher gpgid keyname

secrecy encrypt [keyhash|keyname]

secrecy decrypt

secrecy exportKey [keyhash|keyname] gpgid

secrecy importKey gpgid

secrecy listKeys

secrecy setDefaultKey keyname

DESCRIPTION

The libsecrecy distribution comes with a command line tool called secrecy. This tool currently has seven subcommands: createKey, encrypt, decrypt, exportKey, importKey, listKeys and setDefaultKey.

The program secrecy accepts several subcommands. It is to be noted that, currently, secrecy has no arguments for reading and writing any file. One has to rely on the shell capabilities to read and write plain files, encrypted files, and key exports, using pipes and redirection operators. Subcommands are the following:

create keys for the libsecrecy, where cipher can currently take the values AES128, AES192 or AES256, gpgid needs to be a valid id (normally an email address) present as a secret key in gpg(1)'s keyring, which can be used for securely storing the AES key for use by libsecrecy, and keyname can be chosen as a human readable name for the key created, for instance "mykey". The program outputs a key hash in the form of a hexadecimal encoded string. Either this key hash or the key name given can to be provided to the encrypt command of secrecy for encrypting files using the newly created key.
This subcommand allows one to encrypt files. keyhash/keyname is either the hexadecimal string which was printed by createKey when creating the key, or the name given to createKey when creating the key. If the string provided is empty, then the default key name is used if any has been set; see setDefaultKey. Note that this command needs to decrypt the key from it's gpg(1) encoded form, so you will need to provide the respective passphrase in some form.
This subcommand allows one to decrypt files. It needs to decrypt the key from it's gpg(1) encoded form, so you will need to provide the respective passphrase in some form. Note that you do not need to provide the keyhash for decryption as this information is provided inside the encrypted file.
Export to an encrypted transfer format, for passing data on to third parties, via the exportKey command of secrecy. keyname or keyhash are valid key name or hash respectively, and gpgid is a string identifying the recipient of the key. The public key of gpgid needs to be available in gpg's key database.
Import a key from the format produced by the exportKey command using the importKey command, where gpgid designates the gpg key which will be used to locally encrypt the key for storing it in libsecrecy's database.
List installed keys. It prints a tabulation separated table such that the first column contains the key names and the second the respective key hash values.
Change the default key. The default key is used when an empty keyname is used for running any command accepting a key name, with the obvious exceptions of createKey and setDefaultKey.

FILES

AES keys are stored encrypted using gpg(1) via gpgme. Each key is assigned a hash H value at creation time. H is computed as the SHA256 checksum of a randomly generated sequence. Keys are stored and searched for in the directory set in the environment variable LIBSECRECY_KEYDIR. If this variable is not set, then the subdirectory .libsecrecy inside the current users home directory, designated by the environment variable HOME, is used. Inside this directory the key for hash H is stored in the file hash/H, otherwise said: hash/3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E, where the respective files are encrypted using gpgme. The secret key used for this encryption can be set at key creation time.

EXAMPLES

Create an AES256 key using your GPG ID, for instance foo@example.org, and call it mykey:



        $ secrecy createKey AES256 foo@example.org mykey


        3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E

List available keys:



        $ secrecy listKeys


        mykey	3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E

Set mykey as default key:



        $ secrecy setDefaultKey mykey

Encrypt file into file.encrypted, using the default key:



        $ secrecy encrypt < file > file.encrypted

Decrypt file.encrypted into file.decrypted, using the default key:



        $ secrecy decrypt < file.encrypted > file.decrypted

Prepare an export of mykey for use by the person behind GPG ID bar@example.org, whose public key should be accessible in the user's gpg(1) keyring. The key will be exported into the file export.key:



        $ secrecy exportKey mykey bar@example.org > export.key

AUTHORS

secrecy is a program part of the libsecrecy, written by German Tischler-Höhle <germant@miltenyibiotec.de>.

The present manual page is written by Étienne Mollier <emollier@debian.org> for the Debian project.

SEE ALSO

See the GnuPG documentation relative to key management for creating and handling gpg(1) keys.

2020-11-13 GNU