
DKG-ENCRYPT(1) User Commands DKG-ENCRYPT(1)

NAME

dkg-encrypt -- message encryption with AES-256 algorithm according to OpenPGP

SYNOPSIS

dkg-encrypt [options] [KEYSPEC]

DESCRIPTION

This program encrypts a (text) message read from STDIN or from a file specified by its path (if option "-i" is used) according to the OpenPGP standard (RFC 4880). KEYSPEC is a list of fingerprints for keys from a keyring (if options "-r" and "-k" are given) or a single argument representing a path to a file that contains an ASCII-armored public key block with any encryption-capable subkey (recommended) or an encryption-capable primary key (used as a last resort). If more than one valid admissible encryption subkey is found in a key block specified in this way, then the generated session key is encrypted for each of these subkeys. This behaviour can be tweaked by the option "-s", which limits the selected subkey based on its key ID or fingerprint. If KEYSPEC is empty then only a Symmetric-Key Encrypted Session Key (SKESK) packet is built.

Note that RSA, ElGamal, and ECDH are the currently supported public-key encryption algorithms, and that AES-256 is fixed as the symmetric cipher. With the option "-a" the use of a specified AEAD algorithm can be enforced. This choice of the user overrides the stated OpenPGP feature set of the public key.

First, the symmetric cipher with a randomly chosen 256-bit session key is applied to the (text) message. An integrity protection packet (MDC) is always appended if no AEAD algorithm is used. Next, the session key is transformed by PKCS#1 v1.5 block encoding and encrypted with the corresponding public-key algorithm for each selected public key. For ECDH, the encoding scheme and encryption rules from RFC 6637 are employed. However, if KEYSPEC is empty, then a Key-Encryption-Key (KEK) is derived from a passphrase by an S2K mechanism (iterated and salted SHA512). This KEK is used to symmetrically encrypt the session key.
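
The passphrase branch above uses the iterated and salted S2K of RFC 4880 (section 3.7.1.3). The following Python is an added example, not code from DKGPG: it parses an S2K specifier and derives a 256-bit KEK from it. The function names are hypothetical, and the salt, coded count and passphrase are constructed sample values, since this page does not state which parameters dkg-encrypt chooses.

```python
import hashlib

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to hashlib names.
HASH_IDS = {2: "sha1", 8: "sha256", 10: "sha512"}

def s2k_count(coded: int) -> int:
    """Decode the one-octet coded count of RFC 4880, section 3.7.1.3."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must be a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def parse_s2k_specifier(spec: bytes):
    """Parse an iterated and salted S2K specifier: type 3, hash ID, salt, count."""
    if len(spec) != 11 or spec[0] != 3:
        raise ValueError("not an iterated and salted S2K specifier")
    if spec[1] not in HASH_IDS:
        raise ValueError("unsupported hash algorithm ID %d" % spec[1])
    return HASH_IDS[spec[1]], spec[2:10], spec[10]

def derive_kek(passphrase: bytes, spec: bytes, key_len: int = 32) -> bytes:
    """Derive a key of key_len octets (32 for AES-256) from a passphrase."""
    hash_name, salt, coded = parse_s2k_specifier(spec)
    block = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(s2k_count(coded), len(block))
    full, rest = divmod(count, len(block))
    key, preload = b"", 0
    while len(key) < key_len:
        # Extra contexts are preloaded with zero octets when one digest is too short.
        h = hashlib.new(hash_name, b"\x00" * preload)
        for _ in range(full):
            h.update(block)
        h.update(block[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

if __name__ == "__main__":
    # Constructed sample: S2K type 3, SHA512 (ID 10), made-up salt, coded count 0x60.
    SPEC = bytes([3, 10]) + bytes.fromhex("0011223344556677") + bytes([0x60])
    kek = derive_kek(b"example passphrase", SPEC)
    print("octets hashed:", s2k_count(SPEC[10]), "KEK:", kek.hex())
```

The coded count sets how many octets are hashed, from 1024 (coded 0) up to 65011712 (coded 255), and that is the only work factor standing between an offline guesser and the passphrase.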

With the option "-t" the included key ID of each public key is thrown away, i.e., instead a so-called "wild card" or speculative key ID is used. This format helps to reduce traffic analysis of messages.

The encrypted message is written in ASCII-armor to STDOUT or to an output file and can later be processed e.g. with dkg-decrypt(1). There is also an option to write out the encrypted message in binary OpenPGP format. However, in that case for obvious reasons an output file must be specified with option "-o".

OPTIONS

Arguments mandatory for long options are also mandatory for short options.

enforce use of AEAD algorithm INTEGER (cf. RFC 4880bis)
write encrypted message in binary format (only if option -i given)
print this list of options
read message rather from FILENAME than STDIN
use keyring FILENAME containing the required keys
write encrypted message rather to FILENAME than STDOUT
select key(s) from given keyring by KEYSPEC
select only encryption-capable subkeys with fingerprint equals STRING
throw included key IDs for somewhat improved privacy
print the version number of the program
turn on verbose output
allow weak public keys

SECURITY

The current implementation is in experimental state and should NOT be used in production environments.

REPORTING BUGS

Security vulnerabilities or cryptographic flaws should be reported by email directly to <HeikoStamer@gmx.net>. Problems reported in that way will be published after they have been fixed.

Please report all other bugs via the public bug tracker <https://savannah.nongnu.org/bugs/?func=additem&group=dkgpg>.

Home page of Distributed Privacy Guard (DKGPG): <https://savannah.nongnu.org/projects/dkgpg/>

COPYRIGHT

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the sources of this package and can additionally be obtained from the Internet <https://www.gnu.org/licenses>.

SEE ALSO

dkg-generate(1), dkg-decrypt(1)

June 2019 Distributed Privacy Guard 1.1.3