Provided by: secrecy_0.0.5+ds-3_amd64
NAME
secrecy - libsecrecy encryption and key management tool
SYNOPSIS
secrecy createKey cipher gpgid keyname secrecy encrypt [keyhash|keyname] secrecy decrypt secrecy exportKey [keyhash|keyname] gpgid secrecy importKey gpgid secrecy listKeys secrecy setDefaultKey keyname
DESCRIPTION
The libsecrecy distribution comes with a command line tool called secrecy. This tool currently has seven subcommands: createKey, encrypt, decrypt, exportKey, importKey, listKeys and setDefaultKey. The program secrecy accepts several subcommands. It is to be noted that, currently, secrecy has no arguments for reading and writing any file. One has to rely on the shell capabilities to read and write plain files, encrypted files, and key exports, using pipes and redirection operators. Subcommands are the following: secrecy createKey cipher gpgid keyname create keys for the libsecrecy, where cipher can currently take the values AES128, AES192 or AES256, gpgid needs to be a valid id (normally an email address) present as a secret key in gpg(1)'s keyring, which can be used for securely storing the AES key for use by libsecrecy, and keyname can be chosen as a human readable name for the key created, for instance "mykey". The program outputs a key hash in the form of a hexadecimal encoded string. Either this key hash or the key name given can to be provided to the encrypt command of secrecy for encrypting files using the newly created key. secrecy encrypt [keyhash|keyname] This subcommand allows one to encrypt files. keyhash/keyname is either the hexadecimal string which was printed by createKey when creating the key, or the name given to createKey when creating the key. If the string provided is empty, then the default key name is used if any has been set; see setDefaultKey. Note that this command needs to decrypt the key from it's gpg(1) encoded form, so you will need to provide the respective passphrase in some form. secrecy decrypt This subcommand allows one to decrypt files. It needs to decrypt the key from it's gpg(1) encoded form, so you will need to provide the respective passphrase in some form. Note that you do not need to provide the keyhash for decryption as this information is provided inside the encrypted file. secrecy exportKey [keyname|keyhash] gpgid Export to an encrypted transfer format, for passing data on to third parties, via the exportKey command of secrecy. keyname or keyhash are valid key name or hash respectively, and gpgid is a string identifying the recipient of the key. The public key of gpgid needs to be available in gpg's key database. secrecry importKey gpgid Import a key from the format produced by the exportKey command using the importKey command, where gpgid designates the gpg key which will be used to locally encrypt the key for storing it in libsecrecy's database. secrecy listKeys List installed keys. It prints a tabulation separated table such that the first column contains the key names and the second the respective key hash values. secrecy setDefaultKey keyname Change the default key. The default key is used when an empty keyname is used for running any command accepting a key name, with the obvious exceptions of createKey and setDefaultKey.
FILES
AES keys are stored encrypted using gpg(1) via gpgme. Each key is assigned a hash H value at creation time. H is computed as the SHA256 checksum of a randomly generated sequence. Keys are stored and searched for in the directory set in the environment variable LIBSECRECY_KEYDIR. If this variable is not set, then the subdirectory .libsecrecy inside the current users home directory, designated by the environment variable HOME, is used. Inside this directory the key for hash H is stored in the file hash/H, otherwise said: hash/3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E, where the respective files are encrypted using gpgme. The secret key used for this encryption can be set at key creation time.
EXAMPLES
Create an AES256 key using your GPG ID, for instance foo@example.org, and call it mykey: $ secrecy createKey AES256 foo@example.org mykey 3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E List available keys: $ secrecy listKeys mykey 3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E Set mykey as default key: $ secrecy setDefaultKey mykey Encrypt file into file.encrypted, using the default key: $ secrecy encrypt < file > file.encrypted Decrypt file.encrypted into file.decrypted, using the default key: $ secrecy decrypt < file.encrypted > file.decrypted Prepare an export of mykey for use by the person behind GPG ID bar@example.org, whose public key should be accessible in the user's gpg(1) keyring. The key will be exported into the file export.key: $ secrecy exportKey mykey bar@example.org > export.key
AUTHORS
secrecy is a program part of the libsecrecy, written by German Tischler-Höhle <germant@miltenyibiotec.de>. The present manual page is written by Étienne Mollier <emollier@debian.org> for the Debian project.
SEE ALSO
See the GnuPG documentation relative to key management ⟨https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key- Management⟩ for creating and handling gpg(1) keys.