File Encrypt and Decrypt Commands

The ucl encrypt and ucl decrypt commands allow a group of users that have access to an RSA key in a CORE partition to encrypt and decrypt arbitrary data on client machines, while the RSA key itself never leaves the CORE system.

This feature uses hybrid encryption:

    The provided material is encrypted on the client's machine using a one-time AES key. This AES key is then encrypted by the specified RSA key that is stored in CORE. The encrypted AES key, its encryption metadata, the UID of the RSA key, and the encrypted material are all bundled into one package. See UCL Encrypt Command.

    Decryption of the material reverses this sequence: the AES key is decrypted by the RSA key in CORE using the specified encryption parameters. Then the decrypted AES key decrypts the material on the client's machine.

This feature might not work if the RSA key is stored on a cloud keystore or HSM (Hardware Security Module, a physical device that safeguards and manages digital keys and performs cryptographic processing) that does not support the AES key decryption parameters. Test it with your cloud keystore provider or HSM vendor.

UCL Encrypt Command

ucl encrypt
    <-u [--uid] | -n [--name]>    // The UID or name of the RSA key
    -i [--input] input-file       // File to be encrypted
    -o [--output] encrypted-file  // The encrypted file (may be the input file for in-place encryption)
    [--hash arg]                  // RSA-OAEP hash. Default: SHA256
    [--mgf arg]                   // RSA-OAEP MGF. Default: SHA256

Notes:
1. To do in-place encryption, set the name of encrypted-file to the same name as input-file.
2. Rotation of the RSA key does not affect decryption, because the UID used for decryption is not changed by the rotation.

UCL Decrypt Command

The ucl decrypt command:

ucl decrypt
    -i [--input] input-file       // File to be decrypted (may be the output file for in-place decryption)
    -o [--output] decrypted-file  // The decrypted file

Note:
To do in-place decryption, set the name of decrypted-file to the same name as input-file.

Encryption Specification

Examples

  1. Generate an RSA key. By default, it permits decryption.

    ucl generate -t rsa -n key1 --user so -w ********

  2. Use the key to encrypt a file as user-a.

    ucl encrypt -i test.txt -o test-txt -n key1 --user user-a -w User-A1!
    > Data encrypted successfully

  3. Use the key to decrypt the file as user-b.

    ucl decrypt -i test-txt -o test.txt --user user-b -w User-B1!
    > Data decrypted successfully