Provided by: secrecy_0.0.5+ds-2_amd64 

NAME
secrecy - libsecrecy encryption and key management tool
SYNOPSIS
secrecy createKey cipher gpgid keyname
secrecy encrypt [keyhash|keyname]
secrecy decrypt
secrecy exportKey [keyhash|keyname] gpgid
secrecy importKey gpgid
secrecy listKeys
secrecy setDefaultKey keyname
DESCRIPTION
The libsecrecy distribution comes with a command line tool called secrecy. This tool currently has seven
subcommands: createKey, encrypt, decrypt, exportKey, importKey, listKeys and setDefaultKey.
Note that secrecy currently has no arguments for reading or writing files. Plain files, encrypted files
and key exports are read and written through the shell, using pipes and redirection operators. The
subcommands are the following:
secrecy createKey cipher gpgid keyname
Create keys for libsecrecy, where cipher can currently take the values AES128, AES192 or
AES256, gpgid needs to be a valid id (normally an email address) present as a secret key in
gpg(1)'s keyring, which can be used for securely storing the AES key for use by libsecrecy, and
keyname can be chosen as a human readable name for the key created, for instance "mykey". The
program outputs a key hash in the form of a hexadecimal encoded string. Either this key hash or
the key name given can be provided to the encrypt command of secrecy for encrypting files using
the newly created key.
secrecy encrypt [keyhash|keyname]
This subcommand allows one to encrypt files. keyhash/keyname is either the hexadecimal string
which was printed by createKey when creating the key, or the name given to createKey when creating
the key. If the string provided is empty, then the default key name is used if any has been set;
see setDefaultKey. Note that this command needs to decrypt the key from its gpg(1) encoded form,
so you will need to provide the respective passphrase in some form.
secrecy decrypt
This subcommand allows one to decrypt files. It needs to decrypt the key from its gpg(1) encoded
form, so you will need to provide the respective passphrase in some form. Note that you do not
need to provide the keyhash for decryption as this information is provided inside the encrypted
file.
secrecy exportKey [keyname|keyhash] gpgid
Export a key to an encrypted transfer format, for passing data on to third parties, via the exportKey
command of secrecy. keyname or keyhash is a valid key name or hash respectively, and gpgid is a
string identifying the recipient of the key. The public key of gpgid needs to be available in
gpg's key database.
secrecy importKey gpgid
Import a key from the format produced by the exportKey command using the importKey command, where
gpgid designates the gpg key which will be used to locally encrypt the key for storing it in
libsecrecy's database.
secrecy listKeys
List installed keys. It prints a tab-separated table such that the first column contains
the key names and the second the respective key hash values.
secrecy setDefaultKey keyname
Change the default key. The default key is used when an empty keyname is used for running any
command accepting a key name, with the obvious exceptions of createKey and setDefaultKey.
FILES
AES keys are stored encrypted using gpg(1) via gpgme. Each key is assigned a hash value H at creation
time. H is computed as the SHA256 checksum of a randomly generated sequence. Keys are stored and
searched for in the directory set in the environment variable LIBSECRECY_KEYDIR. If this variable is not
set, then the subdirectory .libsecrecy inside the current user's home directory, designated by the
environment variable HOME, is used. Inside this directory the key for hash H is stored in the file
hash/H, for example hash/3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E, where the
respective files are encrypted using gpgme. The secret key used for this encryption can be set at key
creation time.
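The storage layout described above can be checked from the shell. The following is an added example, not
part of the original manual page or of libsecrecy: it resolves the key directory as described and reports
directories or key files that group or other users can access, and files in hash/ whose names are not 64
hexadecimal digits. The function names and the treatment of an empty LIBSECRECY_KEYDIR as unset are
assumptions.

```shell
#!/bin/sh
# Added example: audit the key store layout described under FILES.

# Resolve the key directory: LIBSECRECY_KEYDIR if set, else $HOME/.libsecrecy.
# Assumption: an empty LIBSECRECY_KEYDIR is treated like an unset one.
secrecy_keydir() {
    printf '%s\n' "${LIBSECRECY_KEYDIR:-$HOME/.libsecrecy}"
}

# True when group and other have no permission bits on $1.
# Characters 5-10 of the ls mode string are the group and other bits.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one finding per line; return 1 if there is any finding.
audit_keydir() {
    dir=$1
    rc=0
    [ -d "$dir/hash" ] || { echo "MISSING $dir/hash"; return 1; }
    for d in "$dir" "$dir/hash"; do
        is_private "$d" || { echo "PERMS $d"; rc=1; }
    done
    for f in "$dir"/hash/*; do
        [ -e "$f" ] || continue   # empty directory: the glob matched nothing
        name=${f##*/}
        # H is a SHA256 checksum, so a key file name is 64 hex digits.
        if ! printf '%s\n' "$name" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
            echo "NAME $f"; rc=1
        fi
        is_private "$f" || { echo "PERMS $f"; rc=1; }
    done
    return "$rc"
}

# Usage: audit_keydir "$(secrecy_keydir)"
```

A PERMS line means the named path is readable, writable or searchable by someone other than its owner;
the key files are gpg-encrypted, but tightening such paths to mode 700 (directories) or 600 (files) keeps
other local users from copying or replacing them.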
EXAMPLES
Create an AES256 key using your GPG ID, for instance foo@example.org, and call it mykey:
$ secrecy createKey AES256 foo@example.org mykey
3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E
List available keys:
$ secrecy listKeys
mykey 3E35C013C66C66B09E3E0B923451530C62D4346D9F5165906FC94B9B4D35E28E
Set mykey as default key:
$ secrecy setDefaultKey mykey
Encrypt file into file.encrypted, using the default key:
$ secrecy encrypt < file > file.encrypted
Decrypt file.encrypted into file.decrypted, using the default key:
$ secrecy decrypt < file.encrypted > file.decrypted
Prepare an export of mykey for use by the person behind GPG ID bar@example.org, whose public key should
be accessible in the user's gpg(1) keyring. The key will be exported into the file export.key:
$ secrecy exportKey mykey bar@example.org > export.key
AUTHORS
secrecy is a program that is part of libsecrecy, written by German Tischler-Höhle
<germant@miltenyibiotec.de>.
The present manual page is written by Étienne Mollier <emollier@debian.org> for the Debian project.
SEE ALSO
See the GnuPG documentation on key management for creating and handling gpg(1) keys.
GNU 2020-11-13 SECRECY(1)