Ubuntu Manpage: secrecy - libsecrecy encryption and key management tool

NAME

       secrecy - libsecrecy encryption and key management tool

SYNOPSIS

       secrecy createKey cipher gpgid keyname

       secrecy encrypt [keyhash|keyname]

       secrecy decrypt

       secrecy exportKey [keyhash|keyname] gpgid

       secrecy importKey gpgid

       secrecy listKeys

       secrecy setDefaultKey keyname

DESCRIPTION

The libsecrecy distribution comes with a command line tool called secrecy. This tool
currently has seven subcommands: createKey, encrypt, decrypt, exportKey, importKey,
listKeys and setDefaultKey.

The program secrecy accepts several subcommands. It is to be noted that, currently,
secrecy has no arguments for reading and writing any file. One has to rely on the shell
capabilities to read and write plain files, encrypted files, and key exports, using pipes
and redirection operators. Subcommands are the following:

secrecy createKey cipher gpgid keyname
create keys for the libsecrecy, where cipher can currently take the values AES128,
AES192 or AES256, gpgid needs to be a valid id (normally an email address) present
as a secret key in gpg(1)'s keyring, which can be used for securely storing the AES
key for use by libsecrecy, and keyname can be chosen as a human readable name for
the key created, for instance "mykey". The program outputs a key hash in the form
of a hexadecimal encoded string. Either this key hash or the key name given can to
be provided to the encrypt command of secrecy for encrypting files using the newly
created key.

secrecy encrypt [keyhash|keyname]
This subcommand allows one to encrypt files. keyhash/keyname is either the
hexadecimal string which was printed by createKey when creating the key, or the
name given to createKey when creating the key. If the string provided is empty,
then the default key name is used if any has been set; see setDefaultKey. Note
that this command needs to decrypt the key from it's gpg(1) encoded form, so you
will need to provide the respective passphrase in some form.

secrecy decrypt
This subcommand allows one to decrypt files. It needs to decrypt the key from it's
gpg(1) encoded form, so you will need to provide the respective passphrase in some
form. Note that you do not need to provide the keyhash for decryption as this
information is provided inside the encrypted file.

secrecy exportKey [keyname|keyhash] gpgid
Export to an encrypted transfer format, for passing data on to third parties, via
the exportKey command of secrecy. keyname or keyhash are valid key name or hash
respectively, and gpgid is a string identifying the recipient of the key. The
public key of gpgid needs to be available in gpg's key database.

secrecry importKey gpgid
Import a key from the format produced by the exportKey command using the importKey
command, where gpgid designates the gpg key which will be used to locally encrypt
the key for storing it in libsecrecy's database.

secrecy listKeys
List installed keys. It prints a tabulation separated table such that the first
column contains the key names and the second the respective key hash values.

secrecy setDefaultKey keyname
Change the default key. The default key is used when an empty keyname is used for
running any command accepting a key name, with the obvious exceptions of createKey
and setDefaultKey.

FILES

       AES keys are stored encrypted using gpg(1) via gpgme.  Each key is assigned a hash H value
       at creation time.  H is computed as the SHA256 checksum of a randomly generated  sequence.
       Keys  are  stored  and  searched  for  in  the  directory  set in the environment variable
       LIBSECRECY_KEYDIR.  If this variable is not set, then the subdirectory .libsecrecy  inside
       the  current  users  home directory, designated by the environment variable HOME, is used.
       Inside this directory the key for hash H is stored in the  file  hash/H,  otherwise  said:
       hash/3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E,      where      the
       respective files are encrypted using gpgme.  The secret key used for this  encryption  can
       be set at key creation time.

EXAMPLES

       Create an AES256 key using your GPG ID, for instance foo@example.org, and call it mykey:

               $ secrecy createKey AES256 foo@example.org mykey
               3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E

       List available keys:

               $ secrecy listKeys
               mykey  3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E

       Set mykey as default key:

               $ secrecy setDefaultKey mykey

       Encrypt file into file.encrypted, using the default key:

               $ secrecy encrypt < file > file.encrypted

       Decrypt file.encrypted into file.decrypted, using the default key:

               $ secrecy decrypt < file.encrypted > file.decrypted

       Prepare  an  export  of  mykey  for use by the person behind GPG ID bar@example.org, whose
       public key should be accessible in the user's gpg(1) keyring.  The key  will  be  exported
       into the file export.key:

               $ secrecy exportKey mykey bar@example.org > export.key

AUTHORS