Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
AESPIPE(1)			   COMMANDS			    AESPIPE(1)

NAME
       aespipe - AES encrypting	or decrypting pipe

SYNOPSIS
       aespipe [options] <inputfile >outputfile

DESCRIPTION
       aespipe reads from standard input and writes to standard	output.	It can
       be used to create and restore encrypted tar or cpio archives. It	can be
       used to encrypt and decrypt loop-AES compatible encrypted disk images.

       The AES cipher is used in CBC (cipher block chaining) mode. Data	is en-
       crypted and decrypted in	512 byte chains.  aespipe supports  three  key
       setup  modes;  single-key, multi-key-v2 and multi-key-v3	modes. Single-
       key mode	uses simple sector IV and one AES key to encrypt  and  decrypt
       all  data sectors. Multi-key-v2 mode uses cryptographically more	secure
       MD5 IV and 64 different AES keys	to encrypt and decrypt	data  sectors.
       In  multi-key  mode  first key is used for first	sector,	second key for
       second sector, and so on. Multi-key-v3 is same as  multi-key-v2	except
       is  uses	 one extra 65th	key as additional input	to MD5 IV computation.
       See -K option for more information about	 how  to  enable  multi-key-v3
       mode.

       Recommended  key	 setup mode is multi-key-v3, which is based on gpg en-
       crypted key files. In this mode,	the passphrase	is  protected  against
       optimized  dictionary  attacks  via  salting  and key iteration of gpg.
       Passphrase length should	be 20 characters or more.

       Single-key mode preserves input size at 16 byte granularity.  Multi-key
       mode preserves input size at 512	byte granularity. If input size	is not
       multiple	of 16 or 512 bytes, input data is padded with  null  bytes  so
       that both input and output sizes	are multiples of 16 or 512 bytes.

OPTIONS
       -C itercountk
	      Runs hashed passphrase through itercountk	thousand iterations of
	      AES-256 before using it for data encryption. This	consumes  lots
	      of  CPU cycles at	program	start time but not thereafter. In com-
	      bination with passphrase seed this  slows	 down  dictionary  at-
	      tacks. Iteration is not done in multi-key	mode.

       -d     Decrypt data. If this option is not specified, default operation
	      is to encrypt data.

       -e encryption
	      Following	encryption types  are  recognized:  AES128  (default),
	      AES192  and  AES256. Encryption type names are case insensitive.
	      AES128 defaults to using SHA-256	passphrase  hash,  AES192  de-
	      faults  to using SHA-384 passphrase hash,	and AES256 defaults to
	      using SHA-512 passphrase hash.

       -G gpghome
	      Set gpg home directory to	gpghome, so that gpg uses  public/pri-
	      vate  keys  on  gpghome directory. This is only used when	gpgkey
	      file needs to be decrypted using public/private keys. If	gpgkey
	      file  is	encrypted  with	 symmetric cipher only,	public/private
	      keys are not required and	this option has	no effect.

       -H phash
	      Uses phash function to hash passphrase. Available	hash functions
	      are  sha256,  sha384, sha512 and rmd160. unhashed1 and unhashed2
	      functions	also exist for compatibility with some obsolete	imple-
	      mentations. Hash type names are case insensitive.

       -K gpgkey
	      Passphrase  is  piped to gpg so that gpg can decrypt file	gpgkey
	      which contains the real keys that	are used to encrypt  data.  If
	      decryption requires public/private keys and gpghome is not spec-
	      ified, all users use their own gpg public/private	 keys  to  de-
	      crypt  gpgkey.  Decrypted	 gpgkey	 should	 contain 1 or 64 or 65
	      keys, each key at	least 20 characters and	separated by  newline.
	      If  decrypted gpgkey contains 64 or 65 keys, then	aespipe	is put
	      to multi-key mode. 65th key, if present, is used	as  additional
	      input to MD5 IV computation.

       -O sectornumber
	      Set  IV  offset  in 512 byte units. Default is zero. Data	is en-
	      crypted in 512 byte CBC chains and each 512  byte	 chain	starts
	      with  IV	whose  computation  depends on offset within the data.
	      This option can be used to start	encryption  or	decryption  in
	      middle of	some existing encrypted	disk image.

       -p fdnumber
	      Read the passphrase from file descriptor fdnumber	instead	of the
	      terminal.	If -K option is	not being used (no gpg key file), then
	      aespipe  attempts	 to  read  65  keys from passwdfd, each	key at
	      least 20 characters and separated	by newline.  If	 aespipe  suc-
	      cessfully	 reads 64 or 65	keys, then aespipe is put to multi-key
	      mode. If aespipe encounters end-of-file before 64	keys are read,
	      then only	first key is used in single-key	mode.

       -P cleartextkey
	      Read the passphrase from file cleartextkey instead of the	termi-
	      nal. If -K option	is not being used (no gpg key file), then  ae-
	      spipe  attempts  to  read	65 keys	from cleartextkey, each	key at
	      least 20 characters and separated	by newline.  If	 aespipe  suc-
	      cessfully	 reads 64 or 65	keys, then aespipe is put to multi-key
	      mode. If aespipe encounters end-of-file before 64	keys are read,
	      then  only  first	key is used in single-key mode.	If both	-p and
	      -P options are used, then	-p option takes	precedence. These  are
	      equivalent:

	      aespipe -p3 -K foo.gpg -e	AES128 ...   3<someFileName

	      aespipe -P someFileName -K foo.gpg -e AES128 ...

	      In  first	line of	above example, in addition to normal open file
	      descriptors (0==stdin 1==stdout 2==stderr), shell	opens the file
	      and  passes  open	file descriptor	to started aespipe program. In
	      second line of above example, aespipe opens the file itself.

       -q     Be quiet and don't complain about	write errors.

       -S pseed
	      Sets encryption passphrase seed pseed which is appended to  user
	      supplied	passphrase before hashing. Using different seeds makes
	      dictionary attacks slower	but does not prevent them if user sup-
	      plied  passphrase	 is  guessable.	 Seed is not used in multi-key
	      mode.

       -T     Asks passphrase twice instead of just once.

       -w number
	      Wait number seconds before asking	passphrase.

RETURN VALUE
       aespipe returns 0 on success, nonzero on	failure.

AVAILABILITY
       Source is available from	http://loop-aes.sourceforge.net/

AUTHORS
       Jari Ruusu

LINUX			       February	18 2007			    AESPIPE(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | RETURN VALUE | AVAILABILITY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=aespipe&manpath=FreeBSD+8.0-RELEASE+and+Ports>

home | help