NAME

step crypto nacl secretbox – encrypt and authenticate small messages using secret-key cryptography

USAGE

step crypto nacl secretbox subcommand [arguments] [global-flags] [subcommand-flags]

DESCRIPTION

The step crypto nacl secretbox command group uses secret-key cryptography to encrypt, decrypt and authenticate messages. The implementation is based on NaCl’s crypto_secretbox function.

NaCl crypto_secretbox is designed to meet the standard notions of privacy and authenticity for a secret-key authenticated-encryption scheme using nonces. For formal definitions see, e.g., Bellare and Namprempre, “Authenticated encryption: relations among notions and analysis of the generic composition paradigm,” Lecture Notes in Computer Science 1976 (2000), 531–545, http://www-cse.ucsd.edu/~mihir/papers/oem.html. Note that the message length is not hidden. Note also that it is the caller’s responsibility to ensure the uniqueness of nonces—for example, by using nonce 1 for the first message, nonce 2 for the second message, etc. Nonces are long enough that randomly generated nonces have negligible risk of collision.

NaCl crypto_secretbox is crypto_secretbox_xsalsa20poly1305, a particular combination of Salsa20 and Poly1305 specified in “Cryptography in NaCl”. This function is conjectured to meet the standard notions of privacy and authenticity.

These commands are interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html
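The construction described above, as an added example that is not part of step or NaCl: a stdlib-only Python reference implementation of crypto_secretbox_xsalsa20poly1305 (HSalsa20 subkey derivation, XSalsa20 keystream, Poly1305 tag over the ciphertext) intended for study rather than production. It assumes the tag || ciphertext box layout used by Go's nacl/secretbox, a 32-byte key and a 24-byte nonce that the caller never reuses, as the text requires.

```python
import secrets

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # Salsa20 constant for 32-byte keys

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32
def _qr(x, a, b, c, d):  # one Salsa20 quarterround, in place on the 16-word state
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)
def _salsa20_rounds(state):  # 20 rounds = 10 x (column round, then row round)
    x = list(state)
    for _ in range(10):
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _qr(x, *q)
    return x
def _words(b):
    return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]
def _state(key, nonce16):  # constants on the diagonal, key at 1..4 and 11..14, nonce/counter at 6..9
    c, k, n = _words(SIGMA), _words(key), _words(nonce16)
    return [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1], n[2], n[3], c[2], k[4], k[5], k[6], k[7], c[3]]
def _hsalsa20(key, nonce16):  # no feed-forward; diagonal + nonce words become the XSalsa20 subkey
    z = _salsa20_rounds(_state(key, nonce16))
    return b"".join(z[i].to_bytes(4, "little") for i in (0, 5, 10, 15, 6, 7, 8, 9))
def _xsalsa20_stream(key, nonce24, length):
    if len(key) != 32 or len(nonce24) != 24:
        raise ValueError("secretbox: key must be 32 bytes and nonce 24 bytes")
    subkey, out, counter = _hsalsa20(key, nonce24[:16]), bytearray(), 0
    while len(out) < length:  # Salsa20 with the last 8 nonce bytes and a 64-bit block counter
        s = _state(subkey, nonce24[16:] + counter.to_bytes(8, "little"))
        z = _salsa20_rounds(s)
        out += b"".join(((z[i] + s[i]) & MASK32).to_bytes(4, "little") for i in range(16))
        counter += 1
    return bytes(out[:length])
def _poly1305(key32, msg):  # one-time authenticator: clamped r, a 0x01 pad byte ends each block
    r = int.from_bytes(key32[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s, p, acc = int.from_bytes(key32[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")
def seal(key, nonce, message):
    # First 32 keystream bytes key Poly1305; box is tag || ciphertext (assumed layout, as in Go's nacl/secretbox)
    stream = _xsalsa20_stream(key, nonce, 32 + len(message))
    ct = bytes(a ^ b for a, b in zip(message, stream[32:]))
    return _poly1305(stream[:32], ct) + ct
def open_box(key, nonce, box):  # verify the tag in constant time before releasing any plaintext
    stream = _xsalsa20_stream(key, nonce, len(box) + 16)
    if len(box) < 16 or not secrets.compare_digest(_poly1305(stream[:32], box[16:]), box[:16]):
        raise ValueError("secretbox: authentication failed")
    return bytes(a ^ b for a, b in zip(box[16:], stream[32:]))
```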

EXAMPLES

Encrypt a message using a 256-bit secret key (a new nacl box private key can be used as the secret):

$ step crypto nacl secretbox seal nonce secretbox.key
Please enter text to seal: ********
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE

$ cat message.txt | step crypto nacl secretbox seal nonce secretbox.key
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE

Decrypt and authenticate the message:

$ echo o2NJTsIJsk0dl4epiBwS1mM4xFED7iE | step crypto nacl secretbox open nonce secretbox.key
message

COMMANDS

open    authenticate and decrypt a box produced by seal
seal    produce an encrypted ciphertext