CORE File Encrypt and Decrypt Commands User Interface Guide

File Encrypt and Decrypt Commands

The ucl encrypt and ucl decrypt commands allow a group of users that have access to an RSA key in CORE partition to encrypt and decrypt arbitrary using client machines while the referred RSA key never leaves the CORE system.

This feature utilizes the Hybrid encryption:

The provided material is encrypted on the client's machine using one-time AES key. This key is encrypted by the specified RSA key that is stored in CORE . The encrypted AES key, its encryption metadata, the UID of the RSA key, and the encrypted material are all bundled into one package. See UCL Encrypt Command.

The decryption of the material reverses this sequence: the AES key is decrypted by the RSA key in the CORE using the specified encryption parameters. Then, the decrypted AES key decrypts the material utilizing the client's machine.

This feature might not work if the RSA key is stored on a cloud keystore or HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing that doesn't support the AES key decryption parameters. Test it with your cloud keystore provider or HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing vendor.

UCL Encrypt Command

ucl encrypt

<-u [--uid ] |-n [--name ]> 	// The UID or name of the RSA key 
-i [--input ] input-file     	 // File to be encrypted
-o [--output ] encrypted-file   // The encrypted file, including in-place encryption.
[--hash arg]           	 // RSA-OAEP hash. Default: SHA256
[--mgf arg]           	 	 // RSA-OAEP MGF. Default: SHA256

Notes:
1. To do in-place encryption, set the name of encrypted-file = input-file.
2. Rotation of the RSA key does not affect the decryption because the decryption UID is not affected by the rotation.

UCL Decrypt Command

The ucl decrypt command:

ucl decrypt

-i [--input ] input-file    	 // File to be decrypted, including in-place decryption
-o [--output ] decrypted-file   // The decrypted file

Note
To do in-place decryption, set the name of decrypted-file = input-file.

Encryption Specification

Method - Hybrid encryption using ephemeral AES key (client-side) and RSA key on server-side that never leaves the server.
Encryption - File is encrypted using one-time 256 bit AES key using AES-GSM block mode.
Secret protection - the one-time secret is encrypted using the specified RSA key.
- RSA - 2048 (default), 3072, 4096.
- Padding - OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys..
- OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. Hash and MGFMask Generation Function - A cryptographic primitive similar to a hash function except that it supports output of a variable length. - SHA1, SHA256 (default), SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512
Encrypted file structure - custom.

Examples

Generate an RSA key. By default, it permits decryption.
ucl generate -t rsa -n key1 --user so - w ********
Use the key to encrypt a file by user-a
ucl encrypt -i test.txt -o test-txt -n key1 --user user-a -w User-A1!
> Data encrypted successfully
Use the key to decrypt the file by user-b
ucl decrypt -i test-txt -o test.txt --user user-b -w User-B1!
> Data decrypted successfully