ccrypt
Encrypt and decrypt files
SYNOPSIS
ccrypt [options] [file...]
ccrypt -e [file...] (encrypts files)
ccrypt -d [file...] (decrypts files)
ccrypt -c (operates on standard input/output)
PARAMETERS
-e, --encrypt
Encrypts the specified files. This is the default action if no other action is given.
-d, --decrypt
Decrypts the specified files. Files must have the .cpt extension or be specified explicitly.
-c, --stream
Encrypts or decrypts standard input to standard output. No files are processed.
-f, --force
Overwrites existing output files without prompting for confirmation.
-m, --mismatch
Allows decryption even if the checksum embedded in the file does not match, which may indicate data corruption or a wrong key.
-o, --output
Specifies the output file name. This option is required when using -c or with a single input file.
-q, --quiet
Suppresses most warnings and interactive prompts, useful for scripting.
-s, --symlinks
Follows symbolic links when processing files. By default, symlinks are ignored.
-u, --unlink
Unlinks (securely deletes) the original file after successful encryption or decryption.
-x, --key
Specifies the encryption/decryption key on the command line. Caution: This method is insecure as the key may be visible in process listings.
-y, --key-from-file
Reads the encryption/decryption key from the specified file.
-h, --help
Displays a brief help message and exits.
-v, --version
Displays version information and exits.
DESCRIPTION
ccrypt is a command-line utility for encrypting and decrypting files and streams. It utilizes the Rijndael block cipher, which is the algorithm behind the Advanced Encryption Standard (AES), employing 256-bit keys and Counter (CTR) mode for robust cryptographic protection. Designed for simplicity and ease of use, it's ideal for quick encryption tasks directly from the command line or within scripts.
By default, ccrypt replaces the original file with its encrypted or decrypted version, automatically appending or removing the .cpt file extension. It also fully supports encryption and decryption from standard input and output, enabling its seamless integration into shell pipelines. Key features include secure key derivation from a passphrase, optional secure zeroing of original file data for enhanced privacy, and integrity checking using a checksum. It serves as a reliable and user-friendly tool for safeguarding sensitive data on local file systems or during data streams.
CAVEATS
Key Security: A weak or easily guessable passphrase undermines the strongest encryption. Always use strong, unique passphrases.
Command-line Key (-x): Using the -x option to provide the key on the command line is highly insecure: the key is visible in system process listings (e.g., via ps) and may be saved in shell history files. Prefer interactive password prompts or key files.
Data Loss: If the encryption key or passphrase is lost, the encrypted data becomes irrecoverable. Always back up your keys/passphrases securely.
Overwrite Behavior: By default, ccrypt replaces the original file. Ensure you have backups or use the -o option if you need to preserve the original file.
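The command-line key caveat above can be checked mechanically. The following shell function is an added example, not part of ccrypt or of the original page: it scans script text for ccrypt commands that pass the key inline and prints them with the key redacted. The flag list (-x and --key as listed in PARAMETERS above, -K as in the upstream ccrypt manual), the name find_cli_keys and the sample script are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint script text for ccrypt commands that carry the key inline.
# Flag spellings are assumptions: -x/--key as listed in PARAMETERS above, -K as
# in the upstream ccrypt manual. Confirm against `ccrypt --help` before use.
KEY_FLAGS='-x --key -K'

# Reads script text on stdin; prints "LINE: command" with the key redacted.
find_cli_keys() {
    awk -v flags="$KEY_FLAGS" '
    # Advance i past a quoted value that spans several whitespace-split fields.
    function eat_value(start,   q) {
        q = substr($i, start, 1)
        if (q != "\"" && q != "\047") return
        if (length($i) > start && substr($i, length($i)) == q) return
        while (i < NF) { i++; if (substr($i, length($i)) == q) return }
    }
    BEGIN { n = split(flags, f, " "); for (k = 1; k <= n; k++) isflag[f[k]] = 1 }
    /^[ \t]*#/ { next }    # comment lines never execute
    {
        hit = 0; in_cmd = 0; out = ""
        for (i = 1; i <= NF; i++) {
            tok = $i; eq = index(tok, "=")
            if (tok == "|" || tok == ";" || tok == "&&" || tok == "||") {
                in_cmd = 0                      # next command starts here
            } else if (tok == "ccrypt" || tok ~ /\/ccrypt$/) {
                in_cmd = 1
            } else if (in_cmd && (tok in isflag) && i < NF) {
                i++; eat_value(1)               # "-x VALUE" form
                tok = tok " <REDACTED>"; hit = 1
            } else if (in_cmd && eq > 1 && (substr(tok, 1, eq - 1) in isflag)) {
                eat_value(eq + 1)               # "--key=VALUE" form
                tok = substr(tok, 1, eq) "<REDACTED>"; hit = 1
            }
            out = out tok " "
        }
        if (hit) { sub(/ $/, "", out); print NR ": " out }
    }'
}

# Constructed sample script, not taken from any real system.
SAMPLE='#!/bin/sh
ccrypt -e -x hunter2 report.txt
tar cf - docs | /usr/bin/ccrypt -e --key="two words" > docs.tar.cpt
ccrypt -d report.txt.cpt
# ccrypt -e -x commented-out
echo done | grep -x done'

printf '%s\n' "$SAMPLE" | find_cli_keys
```

Matching is by whitespace-separated tokens, so treat it as a lint rather than a shell parser: commands split across lines with backslashes are checked one line at a time.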
KEY DERIVATION
ccrypt uses a key derivation function (like PBKDF2) to convert your passphrase into a cryptographic key. This process is intentionally computationally intensive to make brute-force attacks against passphrases significantly harder, even if an attacker obtains the encrypted file.
SECURE DELETION
The -u (--unlink) option provides a basic level of secure deletion. After successful encryption or decryption, ccrypt attempts to overwrite the original file's contents multiple times with random data before unlinking it from the file system. This reduces the chances of recovering the original data through forensic techniques.
FILE EXTENSION
By convention, ccrypt appends the .cpt extension to encrypted files. When decrypting, it expects this extension and removes it automatically upon successful decryption, making it easy to identify encrypted files and revert to original filenames.
HISTORY
ccrypt was developed by Peter Selinger, aiming to provide a modern, simple, and secure file encryption utility as an alternative to older, less secure tools. It leverages the Rijndael algorithm (AES) to offer strong cryptography in a user-friendly command-line interface. Its development focused on ease of integration into shell scripts and everyday usage, providing a straightforward approach to symmetric file encryption.