Encryption under Solaris

The encrypt(1) utility can be used to encrypt sensitive data held on the storage media of a computer running Solaris; its counterpart decrypt(1) reverses the operation.

encrypt(1) can be used interactively, where it prompts for a passphrase, or in batch mode, where the encryption key is read from a file named with the -k option.

The man page is unclear on how to generate a keyfile. The easiest way of generating one is as follows:

    $ dd if=/dev/urandom of=keyfile bs=n count=1
    $ chmod 400 keyfile

(Where n is the required size in bytes of the keyfile. For the aes algorithm this is 16 bytes = 128 bits. Run encrypt -l to list the algorithms available on your system and the key sizes each accepts before choosing n.)

The keyfile is the only secret: anyone who can read it can decrypt everything encrypted with it, which is why it is created read-only for its owner, and it should be kept somewhere other than the media it protects.

For further information see the encrypt(1) man page.

Since properly encrypted data is indistinguishable from random data, it has no redundancy left for a compressor to remove and so cannot be compressed. If you want to use compression, compress the data before encrypting it. Be aware that the size of a compressed-then-encrypted archive then reveals how compressible its contents were; for an offline backup this is rarely a concern, but it is the length leak exploited by the CRIME and BREACH attacks on TLS.

    $ tar -cf - /export/home/fred | wc -c
     825411072
    $ tar -cf - /export/home/fred | gzip | encrypt -a aes -k keyfile | wc -c
     399452392
    $ tar -cf - /export/home/fred | encrypt -a aes -k keyfile | gzip | wc -c
     825544484

Note how the encrypted-then-compressed data is slightly larger than the original: gzip adds its own headers and block framing to input it cannot shrink, and the ciphertext is itself a little larger than the plaintext (the IV and, with a block cipher, padding).
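The following added example is not from this page or from Solaris. It reproduces the three pipelines above in Python using only the standard library, so it runs on a machine where encrypt(1) is not installed. The keyfile handling mirrors the dd/chmod recipe above (a 16-byte key, created mode 0400). The cipher is a stand-in, a CTR-style stream cipher whose keystream is HMAC-SHA256 over a nonce and counter rather than encrypt(1)'s AES, chosen because its output is random-looking in the same way, which is the only property that matters for the size comparison. The sample data, a repeated log line and random bytes of the same length, is constructed for the example.

```python
"""Why ciphertext does not compress: compress-then-encrypt vs encrypt-then-compress.

Added example, not the page's own code. The cipher is a stand-in for
encrypt(1)'s AES: keystream = HMAC-SHA256(key, nonce || counter), XORed
with the data. The keyfile handling follows the dd/chmod recipe on the page.
"""
import hashlib
import hmac
import os
import tempfile
import zlib

NONCE_LEN = 16


def make_keyfile(path, size=16):
    """Equivalent of `dd if=/dev/urandom of=keyfile bs=16 count=1; chmod 400 keyfile`.

    The file is created with mode 0400 from the start, so there is no window in
    which it is readable by anyone else. 16 bytes = a 128-bit key.
    """
    key = os.urandom(size)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def read_keyfile(path):
    with open(path, "rb") as fh:
        return fh.read()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: each counter value yields 32 keystream bytes."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def _xor(a, b):
    """XOR two equal-length byte strings (done on big integers for speed)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypt(key, plaintext):
    """Fresh random nonce per message; output = nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def pipeline_sizes(key, plaintext):
    """Byte counts for the three pipelines compared on the page."""
    return {
        "plain": len(plaintext),
        "compress_then_encrypt": len(encrypt(key, zlib.compress(plaintext))),
        "encrypt_then_compress": len(zlib.compress(encrypt(key, plaintext))),
    }


def demo():
    """Generate a keyfile, run both pipelines on constructed input, check round trips."""
    tmpdir = tempfile.mkdtemp()
    keyfile = os.path.join(tmpdir, "keyfile")
    make_keyfile(keyfile)
    mode = os.stat(keyfile).st_mode & 0o777
    key = read_keyfile(keyfile)

    # Constructed sample data: a repetitive log excerpt (highly compressible) and
    # random bytes of the same length (incompressible), so the two plaintexts
    # differ only in redundancy, not in size.
    logs = b"Jun 12 10:01:02 host sshd[1234]: Accepted publickey for fred\n" * 10000
    noise = os.urandom(len(logs))
    sizes_logs = pipeline_sizes(key, logs)
    sizes_noise = pipeline_sizes(key, noise)

    # Both orderings must still decrypt back to the original data.
    round_trips = (
        zlib.decompress(decrypt(key, encrypt(key, zlib.compress(logs)))) == logs
        and decrypt(key, zlib.decompress(zlib.compress(encrypt(key, logs)))) == logs
    )

    os.remove(keyfile)  # deleting needs write on the directory, not the file
    os.rmdir(tmpdir)
    return {
        "keyfile_len": len(key),
        "keyfile_mode": mode,
        "round_trips": round_trips,
        "logs": sizes_logs,
        "noise": sizes_noise,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the byte counts: the compressed-then-encrypted log excerpt shrinks to a few kilobytes, while the encrypted-then-compressed copy ends up larger than the original, exactly the pattern in the tar example above. The random input comes out larger than it went in under either ordering. The two inputs also show the length leak from the note above: they are the same size as plaintext, yet their compress-then-encrypt outputs differ by orders of magnitude.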

Although encrypt(1) is provided with Solaris, you may want to look at ccrypt from http://ccrypt.sourceforge.net/ . It provides more functionality than encrypt(1), such as an option to delete files after they have been encrypted.

Whether you use encrypt(1) or ccrypt, you should NOT use crypt(1). It implements a one-rotor machine along the lines of the German Enigma and provides a woefully inadequate level of protection.

As a comment on encryption you might like to look at xkcd (and don't forget to mouse over).


Thanks to Philip Riebold for providing these instructions

Page last modified on 29 may 13 11:38