.TH "gdcmanon" 1 "Tue Feb 5 2013" "Version 2.2.0" "GDCM" \" -*- nroff -*-
.ad l
.nh
.SH NAME
gdcmanon \- Tool to anonymize a DICOM file\&. 
.SH "SYNOPSIS"
.PP
.PP
.nf
gdcmanon [options] file-in file-out
gdcmanon [options] dir-in  dir-out
.fi
.PP
.SH "DESCRIPTION"
.PP
The \fBgdcmanon\fP tool is an implementation of PS 3\&.15 / E\&.1 / Basic Application Level Confidentiality Profile (Implementation of E\&.1\&.1 De-identify & E\&.1\&.2 Re-identify)
.PP
This tool is split into two very different operating mode: 
.PD 0

.IP "\(bu" 2
An implementation of PS 3\&.15, see -e and -d flags 
.IP "\(bu" 2
A dumb mode, see --dumb
.PP
Dumb mode and PS 3\&.15 do not work well together, you should really only use one type of anonymization\&. In case of doubt, avoid using --dumb\&.
.PP
In order to use the PS 3\&.15 implementation (-d & -e flag), you'll need a certificate to do de-identification operations, and the associated private key to do the re-identification operation\&. If you are only doing a one-shot anonymization and do not need to properly re-identify the DICOM file, you can safely discard the private key and only keep the certificate\&. See OpenSSL section below for an example on how to generate the private key/certificate pair\&.
.PP
gdcmanon will exit early if OpenSSL was not configured/build properly into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake)\&.
.SH "PARAMETERS"
.PP
.PP
.nf
file-in   DICOM input filename

file-out  DICOM output filename
.fi
.PP
.PP
or
.PP
.PP
.nf
file-in   DICOM input directory

file-out  DICOM output directory
.fi
.PP
.SH "options"
.PP
You need to specify at least one operating mode, from the following list (and only one):
.SS "Required parameters"
.PP
.nf
  -e --de-identify            De-identify DICOM (default)
  -d --re-identify            Re-identify DICOM
     --dumb                   Dumb mode anonymizer
.fi
.PP
.PP
Warning when operating in dumb mode, you need to also specify an operation to do, such as 'remove' or 'empty' a tag, see below the dumb mode options\&.
.SS "options"
.PP
.nf
  -i --input                  DICOM filename / directory
  -o --output                 DICOM filename / directory
  -r --recursive              recursively process (sub-)directories.
     --continue               Do not stop when file found is not DICOM.
     --root-uid               Root UID.
     --resources-path         Resources path.
  -k --key                    Path to RSA Private Key.
  -c --certificate            Path to Certificate.
.fi
.PP
.SS "encryption options"
.PP
.nf
     --des            DES.
     --des3           Triple DES.
     --aes128         AES 128.
     --aes192         AES 192.
     --aes256         AES 256.
.fi
.PP
.SS "dumb mode options"
.PP
.nf
     --empty   %d,%d           DICOM tag(s) to empty
     --remove  %d,%d           DICOM tag(s) to remove
     --replace %d,%d,%s        DICOM tag(s) to replace
.fi
.PP
.SS "general options"
.PP
.nf
  -h   --help
         print this help text and exit

  -v   --version
         print version information and exit

  -V   --verbose
         verbose mode (warning+error).

  -W   --warning
         warning mode, print warning information

  -E   --error
         error mode, print error information

  -D   --debug
         debug mode, print debug information
.fi
.PP
.SS "environment variable"
.PP
.nf
  GDCM_ROOT_UID Root UID
  GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)
.fi
.PP
.SH "Typical usage"
.PP
.SS "De-identification (anonymization, encrypt)"
The only thing required for this operation is a certificate file (in PEM format)\&.
.PP
.PP
.nf
$ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm
.fi
.PP
.SS "Re-identification (de-anonymization,decrypt)"
The only thing required for this operation is a private key (in PEM format)\&. It is required that the private key used for the re-identification process, was the actual private key used to generate the certificate file (certificate\&.pem) used during the de-identification step\&.
.PP
.PP
.nf
$ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm
.fi
.PP
.PP
You can then check that original\&.dcm and original_copy\&.dcm are identical\&.
.SS "Multiple files caveat"
It is very important to understand the following section, when anonymizing more than one single file\&. When anonymizing multiple DICOM files, you are required to use the directory input\&. You cannot call multiple time the gdcmanon command line tool\&. Indeed the tool stores in memory during the process only a hash table of conversion so that each time a particular value is found it get always replaced by the same de-identified value (think: consistent Series Instance UID)\&.
.SS "Dumb mode"
This functionality is not described in the DICOM standard\&. Users are advised that improper use of that mode is not recommended, meaning that important tag can be empty/remove/replace resulting in illegal/invalid DICOM file\&. Only use when you know what you are doing\&. If you delete a Type 1 attribute, chance is that your DICOM file will be not accepted in most DICOM third party viewer\&. Unfortunately this is often this mode that is implemented in popular DICOM Viewer, always prefer what the DICOM standard describes, and avoid the dumb mode\&.
.PP
The following example shows how to use dumb mode and achieve 5 operations at the same time: 
.PD 0

.IP "\(bu" 2
Empty the tag (0010,0010) Patient's Name, 
.IP "\(bu" 2
Empty the tag (0010,0020) Patient ID, 
.IP "\(bu" 2
Remove the tag (0010,0040) Patient's Sex 
.IP "\(bu" 2
Remove the tag (0010,1010) Patient's Age 
.IP "\(bu" 2
Replace the tag (0010,1030) Patient's Weight with the value '10'
.PP
You are required to check which DICOM attribute is Type 1 and Type 1C, before trying to \fB'Empty'\fP or \fB'Remove'\fP a particular DICOM attribute\&. For the same reason, you are required to check what are valid value in a replace operation\&.
.PP
.PP
.nf
$ gdcmanon --dumb --empty 10,10 --empty 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm
.fi
.PP
.PP
Multiple operation of --dumb mode can take place, just reuse the output of the previous operation\&. Always use gdcmdump on the input and output file to check what was actually achieved\&. You can use a diff program to check only what changed (see \fBdiff\fP(1) for example)\&.
.SS "Irreversible Anonymization"
In some very case, one would want to anonymize using the PS 3\&.15 mode so as to take benefit of the automatic conversion of all content that could contain Patient related information\&.
.PP
In the end all Patient related information has been removed and has been secretely stored in the 0400,0500 DICOM attribute\&. However to make sure that no-one ever try to break that security using brute-force algorithm, one want want to remove completely this DICOM attribute\&. This will make the DICOM:
.PP
.PD 0
.IP "\(bu" 2
Completely free of any Patient related information (as per PS 3\&.15 specification) 
.IP "\(bu" 2
Remove any mean of people to brute force attack the file to find out the identity of the Patient
.PP
In this case one could simply do, as a first step execute the reversible anonymizer:
.PP
.PP
.nf
$ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm
.fi
.PP
.PP
and now completely remove the DICOM attribute containing the secretly encrypted Patient related information:
.PP
.PP
.nf
$ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm
.fi
.PP
.SH "OpenSSL"
.PP
On most system you can have access to OpenSSL to generate the Private Key/Certificate pair\&.
.SS "Generating a Private Key"
Command line to generate a rsa key (512bit)
.PP
.PP
.nf
$ openssl genrsa -out CA_key.pem
.fi
.PP
.PP
Command line to generate a rsa key (2048bit)
.PP
.PP
.nf
$ openssl genrsa -out CA_key.pem 2048
.fi
.PP
.PP
Command line to generate a rsa key (2048bit) + passphrase
.PP
.PP
.nf
$ openssl genrsa -des3 -out CA_key.pem 2048
.fi
.PP
.SS "Generating a Certificate"
From your previously generated Private Key, you can now generate a certificate in PEM (DER format is currently not supported)\&.
.PP
.PP
.nf
$ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer
.fi
.PP
.SH "DICOM Standard:"
.PP
Page to the DICOM Standard:
.PP
http://dicom.nema.org/
.PP
The DICOM Standard at the time of releasing gdcmanon is:
.PP
ftp://medical.nema.org/medical/dicom/2008/
.PP
Direct link to PS 3\&.15-2008:
.PP
ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf
.SH "Warnings"
.PP
Certains attributes may still contains Protected Health Information (PHI) after an anonymization step\&. This is typically the case for Patient's Address (0010,1040)\&. The reason is that this particular attribute is not supposed to be in the composite IODs in the first place\&. DICOM Supp 142 includes it (however gdcmanon does not implement it)\&.
.SH "SEE ALSO"
.PP
\fBgdcmconv\fP(1), \fBgdcmdump\fP(1), \fBgdcminfo\fP(1), \fBopenssl\fP(1)
.SH "COPYRIGHT"
.PP
Copyright (c) 2006-2011 Mathieu Malaterre