mcryptで検索するとphpからphp-mcryptを使ってファイルの暗号化、復号化の情報が多いのですが、mcryptコマンドで単純にファイルの暗号化、復号化は使われていないのでしょうかね。
MCrypt
http://mcrypt.sourceforge.net/
環境
・CentOS Linux release 7.3.1611 (Core)
・Kernel 3.10.0-514.26.2.el7.x86_64
CentOS 7ではepelにmcryptがありますのでyumで簡単にインストールできます。
- Install
- 暗号化
- 暗号化して元ファイルを削除
- 復号化
- 復号化して元ファイルを削除
- 複数ファイルを圧縮してから暗号化、元ファイルを削除
- 複数ファイルを復号化
- decompress
- フォルダを暗号化
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# yum info mcrypt Available Packages Name : mcrypt Arch : x86_64 Version : 2.6.8 Release : 11.el7 Size : 85 k Repo : epel/x86_64 Summary : Replacement for crypt() URL : http://mcrypt.sourceforge.net/ License : GPLv3+ Description : MCrypt is a replacement for the old crypt() package and crypt(1) command, : with extensions. It allows developers to use a wide range of encryption : functions, without making drastic changes to their code. It allows users : to encrypt files or data streams without having to be cryptographers. # yum -y install mcrypt |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ ls -l -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt logo1.png Enter the passphrase (maximum of 512 characters) Please use a combination of upper and lower case letters and numbers. Enter passphrase: Enter passphrase: File logo1.png was encrypted. $ ls -l -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.nc -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png |
|
1 2 |
$ file logo1.png.nc logo1.png.nc: mcrypt 2.5 encrypted data, algorithm: rijndael-128, keysize: 32 bytes, mode: cbc, |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ ls -l -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt -u logo1.png Enter the passphrase (maximum of 512 characters) Please use a combination of upper and lower case letters and numbers. Enter passphrase: Enter passphrase: File logo1.png was encrypted. $ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.nc -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
$ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.nc -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt -d logo1.png.nc Enter passphrase: File logo1.png.nc was decrypted. $ ls -l -rw------- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.nc -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png |
|
1 2 3 4 5 6 7 8 9 10 11 |
$ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.nc -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt -du logo1.png.nc Enter passphrase: File logo1.png.nc was decrypted. $ ls -l -rw------- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ ls -l -rw------- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw-rw-r-- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt -zu logo1.png logo2.png mcrypt: logo1.png is not a regular file. Skipping... Enter the passphrase (maximum of 512 characters) Please use a combination of upper and lower case letters and numbers. Enter passphrase: Enter passphrase: File logo2.png was encrypted. $ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.gz.nc -rw------- 1 guest01 guest01 157 9月 9 10:03 logo2.png.gz.nc |
Compressファイルが出力されます。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.gz.nc -rw------- 1 guest01 guest01 157 9月 9 10:03 logo2.png.gz.nc $ mcrypt -d *.nc Enter passphrase: File logo1.png.gz.nc was decrypted. Enter passphrase: File logo2.png.gz.nc was decrypted. $ ls -l -rw------- 1 guest01 guest01 54 9月 9 10:02 logo1.png.gz -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.gz.nc -rw------- 1 guest01 guest01 54 9月 9 10:03 logo2.png.gz -rw------- 1 guest01 guest01 157 9月 9 10:03 logo2.png.gz.nc |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ ls -l -rw------- 1 guest01 guest01 157 9月 9 10:02 logo1.png.gz.nc -rw------- 1 guest01 guest01 157 9月 9 10:03 logo2.png.gz.nc $ mcrypt -dzu *.nc Enter passphrase: Decompressing the output file... File logo1.png.gz.nc was decrypted. Enter passphrase: Decompressing the output file... File logo2.png.gz.nc was decrypted. $ ls -l -rw------- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw------- 1 guest01 guest01 56 9月 9 10:03 logo2.png |
mcryptはフォルダの暗号化には対応していません。
|
1 2 3 4 5 6 |
$ ls -l folder/ -rw------- 1 guest01 guest01 56 9月 9 10:02 logo1.png -rw------- 1 guest01 guest01 56 9月 9 10:03 logo2.png $ mcrypt folder mcrypt: folder is not a regular file. Skipping... |
tarで固めてから暗号化します。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ tar cfzp - folder/ | mcrypt > folder.tar.gz.nc Enter the passphrase (maximum of 512 characters) Please use a combination of upper and lower case letters and numbers. Enter passphrase: Enter passphrase: Stdin was encrypted. $ ls -l drwxrwxr-x 2 guest01 guest01 38 9月 9 10:55 folder -rw-rw-r-- 1 guest01 guest01 301 9月 9 11:21 folder.tar.gz.nc $ file folder.tar.gz.nc folder.tar.gz.nc: mcrypt 2.5 encrypted data, algorithm: rijndael-128, keysize: 32 bytes, mode: cbc, |
permissionが600になるので注意が必要ですね。
man
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 |
MCRYPT(1) General Commands Manual MCRYPT(1) NAME mcrypt, mdecrypt - encrypt or decrypt files SYNOPSIS mcrypt [ -dLFubhvrzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ] mdecrypt [ -LFusbhvzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o key‐ mode] [-k key1 key2 ...] [-f keyfile] [ filename ... ] DESCRIPTION Mcrypt is a simple crypting program, a replacement for the old unix crypt(1). When encrypting or decrypting a file, a new file is created with the extension .nc and mode 0600. The new file keeps the modification date of the original. The original file may be deleted by specifying the -u parameter. If no files are specified, the standard input is encrypted to the standard output. Mcrypt uses all the symmetric algorithms included in libmcrypt. HINTS By default, mcrypt , when one of these algorithms is specified, prompts something like: Enter passphrase: ... You should then enter a passphrase long enough (512 characters is the maximum length). Now in order to encrypt the file, The passphrase is transformed using the specified (or the default) key generation algorithm, and a random salt. The produced value is then used as the key, which is fed to the algorithm. Algorithm Vulnerability: Most algorithms today are designed to resist in specific attacks. None of them is proved not to be vulnerable to some kind of attack not as yet known. Compression: By compressing your data before encryption you gain both in efficiency (faster encryption) and safety of your data (language redundancy is removed). A drawback is that most compression programs will add specific headers in the compressed file, thus making known plaintext attacks easier. Compression after encryption is useless and may result to compressed files with longer size than the original. Error Recovery: There is some error recovery in mcrypt. If bytes are removed or lost from the file or stream in ECB, CBC and OFB modes, are impossible to recover, although CFB mode will recover. If some bytes are altered then a full block of plaintext is affected in ECB mode, two blocks in CBC and CFB modes, but only the corresponding byte in OFB mode. Mcrypt uses a 32 bit CRC to check for errors in the encrypted files. Extra security: For the very paranoid, if mcrypt is executed with superuser privileges it ensures that no important data (keys etc.) are written to disk, as swap etc. Keep in mind that mcrypt was not designed to be a setuid program, so you shouldn't make it one. Do not rely on the fact that an algorithm has a large key size, try to use long passphrases and try to make them unpredictable. All the block algorithms above support these modes of encryption: ECB: The Electronic CodeBook mode. It is the simplest mode to use with a block cipher. Encrypts each block independently. CBC: The Cipher Block Chaining mode. It is better than ECB since the plaintext is XOR'ed with the previous ciphertext. A random block is placed as the first block so the same block or messages always encrypt to something different. (This is the default mode) CFB: The Cipher-Feedback Mode (in 8bit). This is a self-synchronizing stream cipher imple‐ mented from a block cipher. OFB: The Output-Feedback Mode (in 8bit). This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Insecure when used to encrypt large amounts of data, so I recommend against using it. nOFB: The Output-Feedback Mode (in nbit). n Is the size of the block of the algorithm. This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Encrypted files can be restored to their original form using mcrypt -d or mdecrypt mdecrypt takes a list of files on its command line and creates a new file for each file whose name ends with .nc by removing the ".nc" or by adding ".dc" to the end of the file name if .nc is not in the encrypted file's name. OPTIONS -F --force Force output on standard output or input from stdin if that is a terminal. By default mcrypt will not output encrypted data to terminal, nor read encrypted data from it. -z --gzip Use gzip (if it exists in your system) to compress files before encryption. If specified at decryption time it will decompress these files. -p --bzip2 Use bzip2 (if it exists in your system) to compress files before encryption. If specified at decryption time it will decompress these files. --openpgp-z INT This option will enable compression in OpenPGP (RFC2440) encrypted files. -d --decrypt Decrypt. --help Display a help screen and quit. -v --version Version. Display the version number and quit. -L --license Display the mcrypt's license and quit. -o --keymode MODE MODE may be one of the keymodes listed by the --list-keymodes parameter. It actu‐ ally is the conversion to the key before it is fed to the algorithm. It is recom‐ mended to leave it as is, if you do not know what it is. However if you still want to use this option, you might want to use the 'hex' mode which allows you to spec‐ ify the key in hex (and no conversion will be applied). -h --hash HASH_ALGORITHM HASH_ALGORITHM may be one of the algorithms listed by the --list-hash parameter. This is the digest that will be appended to the file to be encrypted, in order to detect file corruption. The default is the CRC32 checksum. -s --keysize SIZE SIZE is the algorithm's key size in bytes (not the size of the passphrase). It defaults to the maximum key supported by the algorithm. The maximum key sizes of the algorithms may be obtained by the --list parameter. It is safe not to touch this. -g --openpgp This option will make mcrypt to use the OpenPGP (RFC2440) file format for encrypted files. This will make files encrypted by mcrypt accessible from any OpenPGP compli‐ ant application. -b --bare No important information like the algorithm, mode, the bit mode and the crc32 of the original file are written in the encrypted file. The security lies on the algorithm not on obscurity so this is NOT the default. This flag must also be spec‐ ified when decrypting a bare encrypted file. When the bare flag is specified decryption and encryption are faster. This may be useful when using mcrypt to encrypt a link or something like that. --flush Flushes the output (ciphertext or plaintext) immediately. Useful if mcrypt is used with pipes. --time Prints some timing information (encryption speed etc.) --nodelete When this option is specified mcrypt does not delete the output file, even if decryption failed. This is useful if you want to decrypt a corrupted file. -q --quiet Suppress some not critical warnings. -u --unlink Unlink (delete) the input file if the whole process of encryption/decryption suc‐ ceeds. This is not the default in order to use an external program to remove sensi‐ tive data. --list Lists all the algorithms current supported. --list-keymodes Lists all the key modes current supported. --list-hash Lists all the hash algorithms current supported. -r --random Use /dev/(s)random instead of /dev/urandom. This may need some key input or mouse move to proceed. If your system does not support /dev/random or /dev/urandom, a random gatherer will be used. -k --key KEY1 KEY2 ... Enter the keyword(s) via the command line. The KEY(s) is/are then used as keyword instead of prompting for them. Keep in mind that someone may see the command you are executing and so your keyword(s). -c --config FILE Use the specified configuration file. The default is .mcryptrc in your home direc‐ tory. The format of the configuration file is the same as the parameters. An exam‐ ple file is: algorithm safer+ mode cbc key a_very_secret_one -f --keyfile FILE Enter the keyword(s) via a file. One keyword is read per line. The first keyword read is used for the first file, the second for the second file etc. If the key‐ words are less than the files then the last keyword is used for the remaining. A limitation is that you cannot use the NULL (\0) and the Newline (\n) character in the key. A solution to this problem is to specify the keyword in hex mode. -m --mode MODE Mode of encryption and decryption. These modes are currently supported: ECB, CFB, OFB, nOFB, CBC and STREAM. CBC is the default. Unless the bare flag is specified there is no need to specify these modes for decryption. For stream algorithms (like WAKE) mode should be STREAM. -a --algorithm ALGORITHM The algorithm used to encrypt and decrypt. Unless the bare flag is specified there is no need to specify these for decryption. The algorithms currently supported are shown with the --list parameter. EXAMPLES For mcrypt to be compatible with the solaris des(1), the following parameters are needed: "mcrypt -a des --keymode pkdes --bare --noiv filename". For mcrypt to be compatible with the unix crypt(1), the following parameters are needed: "mcrypt -a enigma --keymode scrypt --bare filename". To encrypt a file using a stream algorithm (eg. Arcfour), the following parameters are needed: "mcrypt -a arcfour --mode stream filename". ENVIRONMENT Mcrypt uses the following environment variables: MCRYPT_KEY: to specify the key MCRYPT_ALGO: to specify the algorithm MCRYPT_MODE: to specify the algorithm's mode MCRYPT_KEY_MODE: to specify the key mode You can use these instead of using the command line (which is insecure), but note that only one key should be used in MCRYPT_KEY. SEE ALSO crypt(1), des(1) mcrypt(3) DIAGNOSTICS Exit status is normally 0; if an error occurs, exit status is something other than 0. Usage: mcrypt [-dLFubhvrzp] [-f keyfile] [-k key1 key2 ...] [-m mode] [-o keymode] [-a algorithm] [-c config_file] [filename ...] AUTHORS Version 2.6.0 Copyright (C) 1998,1999,2000,2001,2002 Nikos Mavroyanopoulos (nmav@gnutls.org). Thanks to all the people who reported problems and suggested various improvements for mcrypt; who are too numerous to cite here. local 03 May 2003 MCRYPT(1) |