mcrypt [ -dLFubhvrzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize]
[-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ]
mdecrypt [ -LFusbhvzp ] [-a algorithm] [-c config_file] [-m mode]
[-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename
Mcrypt is a simple encryption program, a replacement for the old Unix
crypt(1). When encrypting or decrypting a file, a new file is created
with the extension .nc and mode 0600. The new file keeps the modification
date of the original. The original file may be deleted by specifying
the -u parameter. If no files are specified, the standard input
is encrypted to the standard output.
Mcrypt uses all the symmetric algorithms included in libmcrypt.
crypt is a small shell wrapper around mcrypt to emulate the old unix
crypt command. For more information run crypt --help.
By default, mcrypt, when one of these algorithms is specified, prompts
Enter passphrase: ...
You should then enter a sufficiently long passphrase (512 characters is the
maximum length). To encrypt the file, the passphrase is
transformed using the specified (or the default) key generation algorithm
and a random salt. The produced value is then used as the key,
which is fed to the algorithm.
Algorithm Vulnerability: Most algorithms today are designed to resist
specific attacks. None of them has been proven invulnerable to
some kind of attack that is not yet known.
Compression: By compressing your data before encryption you gain both
in efficiency (faster encryption) and safety of your data (language
redundancy is removed). A drawback is that most compression programs
will add specific headers in the compressed file, thus making known-
plaintext attacks easier. Compression after encryption is useless and
may result in compressed files that are larger than the original.
Error Recovery: There is some error recovery in mcrypt. If bytes are
removed or lost from the file or stream in ECB, CBC and OFB modes, they are
impossible to recover, although CFB mode will recover. If some bytes
are altered then a full block of plaintext is affected in ECB mode, two
blocks in CBC and CFB modes, but only the corresponding byte in OFB
mode. Mcrypt uses a 32 bit CRC to check for errors in the encrypted
CBC: The Cipher Block Chaining mode. It is better than ECB since the
plaintext is XOR'ed with the previous ciphertext. A random block is
placed as the first block so the same block or messages always encrypt
to something different. (This is the default mode)
CFB: The Cipher-Feedback Mode (in 8bit). This is a self-synchronizing
stream cipher implemented from a block cipher.
OFB: The Output-Feedback Mode (in 8bit). This is a synchronous stream
cipher implemented from a block cipher. It is intended for use in noisy
lines, because corrupted ciphertext blocks do not corrupt the plaintext
blocks that follow. Insecure when used to encrypt large amounts of
data, so I recommend against using it.
nOFB: The Output-Feedback Mode (in nbit). n is the size of the block of
the algorithm. This is a synchronous stream cipher implemented from a
block cipher. It is intended for use in noisy lines, because corrupted
ciphertext blocks do not corrupt the plaintext blocks that follow.
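The error-propagation rules from the Error Recovery paragraph above, checked against the 8-bit CFB and OFB modes as described here. This is an added example, not part of the mcrypt man page or source: the 8-byte Feistel cipher built from SHA-256, the key and the sample ciphertext are constructed stand-ins so that the block runs without libmcrypt.

```python
import hashlib
BS = 8  # block size of the toy cipher below (assumption; not a libmcrypt algorithm)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function from SHA-256: a stand-in for a real block cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def decrypt(mode, key, iv, ct):
    out, reg = bytearray(), iv
    if mode in ("ecb", "cbc"):
        for i in range(0, len(ct), BS):
            blk = dec_block(key, ct[i:i + BS])
            out += _xor(blk, reg) if mode == "cbc" else blk
            reg = ct[i:i + BS]          # previous ciphertext block for CBC
    else:  # 8-bit CFB / OFB: one keystream byte per block-cipher call
        for c in ct:
            k = enc_block(key, reg)[0]
            out.append(c ^ k)
            # CFB feeds ciphertext back into the register, OFB feeds keystream
            reg = reg[1:] + bytes([c if mode == "cfb" else k])
    return bytes(out)

def damaged_bytes(mode, flip_at=10, nblocks=6):
    """Plaintext offsets that change when ciphertext byte flip_at is altered."""
    key, iv = b"constructed key", bytes(BS)
    # Constructed sample: unpadded, any block-aligned string is a valid ciphertext
    ct = hashlib.sha512(b"constructed ciphertext").digest()[:nblocks * BS]
    bad = bytearray(ct)
    bad[flip_at] ^= 0x01
    good_pt, bad_pt = decrypt(mode, key, iv, ct), decrypt(mode, key, iv, bytes(bad))
    return [i for i in range(len(ct)) if good_pt[i] != bad_pt[i]]

if __name__ == "__main__":
    for mode in ("ecb", "cbc", "cfb", "ofb"):
        print(mode, damaged_bytes(mode))
```

For ECB the damage stays inside block 1; for CBC it is block 1 plus the single offset 18 in block 2; for CFB it is offset 10 and at most the next eight bytes; for OFB it is offset 10 alone.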
Encrypted files can be restored to their original form using mcrypt -d
mdecrypt takes a list of files on its command line and creates a new
file for each file whose name ends with .nc by removing the ".nc" or by
adding ".dc" to the end of the file name if .nc is not in the encrypted
Force output on standard output or input from stdin if that is a
terminal. By default mcrypt will not output encrypted data to a
terminal, nor read encrypted data from it.
Use gzip (if it exists in your system) to compress files before
encryption. If specified at decryption time it will decompress
Use bzip2 (if it exists in your system) to compress files before
encryption. If specified at decryption time it will decompress
This option will enable compression in OpenPGP (RFC2440)
this option, you might want to use the 'hex' mode which allows
you to specify the key in hex (and no conversion will be
-h --hash HASH_ALGORITHM
HASH_ALGORITHM may be one of the algorithms listed by the
--list-hash parameter. This is the digest that will be appended
to the file to be encrypted, in order to detect file corruption.
The default is the CRC32 checksum.
-s --keysize SIZE
SIZE is the algorithm's key size in bytes (not the size of the
passphrase). It defaults to the maximum key supported by the
algorithm. The maximum key sizes of the algorithms may be
obtained by the --list parameter. It is safe not to touch this.
This option will make mcrypt use the OpenPGP (RFC2440) file
format for encrypted files. This will make files encrypted by
mcrypt accessible from any OpenPGP compliant application.
No important information, such as the algorithm, the mode, the bit
mode and the crc32 of the original file, is written in the encrypted
file. The security lies in the algorithm, not in obscurity, so
this is NOT the default. This flag must also be specified when
decrypting a bare encrypted file. When the bare flag is specified,
decryption and encryption are faster. This may be useful
when using mcrypt to encrypt a link or something like that.
Flushes the output (ciphertext or plaintext) immediately. Useful
if mcrypt is used with pipes.
--time Prints some timing information (encryption speed etc.)
When this option is specified mcrypt does not delete the output
file, even if decryption failed. This is useful if you want to
decrypt a corrupted file.
Suppress some non-critical warnings.
Unlink (delete) the input file if the whole process of encryption/
decryption succeeds. This is not the default, so that an external
program can be used to remove sensitive data.
Lists all the algorithms currently supported.
then used as keyword instead of prompting for them. Keep in mind
that someone may see the command you are executing and so your
-c --config FILE
Use the specified configuration file. The default is .mcryptrc
in your home directory. The format of the configuration file is
the same as the parameters. An example file is:
-f --keyfile FILE
Enter the keyword(s) via a file. One keyword is read per line.
The first keyword read is used for the first file, the second
for the second file etc. If there are fewer keywords than files,
the last keyword is used for the remaining files. A limitation is
that you cannot use the NULL (\0) and the Newline (\n) character
in the key. A solution to this problem is to specify the keyword
in hex mode.
-m --mode MODE
Mode of encryption and decryption. These modes are currently
supported: ECB, CFB, OFB, nOFB, CBC and STREAM. CBC is the
default. Unless the bare flag is specified there is no need to
specify these modes for decryption. For stream algorithms (like
WAKE) mode should be STREAM.
-a --algorithm ALGORITHM
The algorithm used to encrypt and decrypt. Unless the bare flag
is specified there is no need to specify these for decryption.
The algorithms currently supported are shown with the --list
For mcrypt to be compatible with the Solaris des(1), the following
parameters are needed: "mcrypt -a des --keymode pkdes --bare --noiv
For mcrypt to be compatible with the Unix crypt(1), the following
parameters are needed: "mcrypt -a enigma --keymode scrypt --bare file-
To encrypt a file using a stream algorithm (e.g. Arcfour), the following
parameters are needed: "mcrypt -a arcfour --mode stream filename".
Exit status is normally 0; if an error occurs, exit status is something
other than 0.
Usage: mcrypt [-dLFubhvrzp] [-f keyfile] [-k key1 key2 ...] [-m mode]
[-o keymode] [-a algorithm] [-c config_file] [filename ...]
Version 2.6.0 Copyright (C) 1998,1999,2000,2001,2002 Nikos Mavroy-
Thanks to all the people who reported problems and suggested various
improvements for mcrypt, who are too numerous to cite here.
local 03 May 2003 MCRYPT(1)