File Encrypt and Decrypt Commands
The ucl encrypt
and ucl decrypt
commands allow a group of users that have access to an RSA key in CORE partition to encrypt and decrypt arbitrary using client machines while the referred RSA key never leaves the CORE system.
This feature utilizes the Hybrid encryption:
The provided material is encrypted on the client's machine using one-time AES key. This key is encrypted by the specified RSA key that is stored in CORE . The encrypted AES key, its encryption metadata, the UID of the RSA key, and the encrypted material are all bundled into one package. See UCL Encrypt Command.
The decryption of the material reverses this sequence: the AES key is decrypted by the RSA key in the CORE using the specified encryption parameters. Then, the decrypted AES key decrypts the material utilizing the client's machine.
This feature might not work if the RSA key is stored on a cloud keystore or HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing that doesn't support the AES key decryption parameters. Test it with your cloud keystore provider or HSM
Hardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing vendor.
UCL Encrypt Command
Notes:
1. To do in-place encryption, set the name of encrypted-file = input-file.
2. Rotation of the RSA key does not affect the decryption because the decryption UID is not affected by the rotation.
UCL Decrypt Command
The ucl decrypt
command:
Note
To do in-place decryption, set the name of decrypted-file = input-file.
Encryption Specification
- Method - Hybrid encryption using ephemeral AES key (client-side) and RSA key on server-side that never leaves the server.
- Encryption - File is encrypted using one-time 256 bit AES key using AES-GSM block mode.
- Secret protection - the one-time secret is encrypted using the specified RSA key.
- RSA - 2048 (default), 3072, 4096.
- Padding - OAEP
Optimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys..
- OAEP
Optimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. Hash and MGF
Mask Generation Function - A cryptographic primitive similar to a hash function except that it supports output of a variable length. - SHA1, SHA256 (default), SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512
- Encrypted file structure - custom.
Examples
- Generate an RSA key. By default, it permits decryption.
ucl generate -t rsa -n key1 --user so - w ********
- Use the key to encrypt a file by user-a
ucl encrypt -i test.txt -o test-txt -n key1 --user user-a -w User-A1!
> Data encrypted successfully - Use the key to decrypt the file by user-b
ucl decrypt -i test-txt -o test.txt --user user-b -w User-B1!
> Data decrypted successfully