step crypto nacl secretbox – encrypt and authenticate small messages using secret-key cryptography
```
step crypto nacl secretbox <subcommand> [arguments] [global-flags] [subcommand-flags]
```
The step crypto nacl secretbox command group uses secret-key cryptography to encrypt, decrypt and authenticate messages. The implementation is based on NaCl’s crypto_secretbox function.
NaCl crypto_secretbox is designed to meet the standard notions of privacy and authenticity for a secret-key authenticated-encryption scheme using nonces. For formal definitions see, e.g., Bellare and Namprempre, “Authenticated encryption: relations among notions and analysis of the generic composition paradigm,” Lecture Notes in Computer Science 1976 (2000), 531–545, http://www-cse.ucsd.edu/~mihir/papers/oem.html. Note that the length is not hidden. Note also that it is the caller’s responsibility to ensure the uniqueness of nonces—for example, by using nonce 1 for the first message, nonce 2 for the second message, etc. Nonces are long enough that randomly generated nonces have negligible risk of collision.
NaCl crypto_secretbox is crypto_secretbox_xsalsa20poly1305, a particular combination of Salsa20 and Poly1305 specified in “Cryptography in NaCl”. This function is conjectured to meet the standard notions of privacy and authenticity.
These commands are interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html
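As an added, from-scratch reference implementation of the crypto_secretbox_xsalsa20poly1305 construction described above (illustration only, not the step CLI's own code), the block below derives the XSalsa20 keystream, uses its first 32 bytes as the one-time Poly1305 key, and returns a box laid out as a 16-byte tag followed by the ciphertext; it assumes a 32-byte key and a 24-byte nonce, and the sample key, nonce and messages are constructed.

```python
import hmac, struct  # added reference implementation for illustration, not the step CLI's own code
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 constants for 32-byte keys

def _quarter(s, a, b, c, d):  # Salsa20 quarterround on 32-bit words, in place
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    s[b] ^= rotl((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= rotl((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= rotl((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= rotl((s[d] + s[c]) & 0xFFFFFFFF, 18)

def _rounds(s):  # 20 rounds: 10 double rounds of a column round followed by a row round
    for _ in range(10):
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarter(s, *q)

def _state(key, inp):  # constants at 0,5,10,15; key at 1-4 and 11-14; nonce/counter at 6-9
    k, n = struct.unpack("<8I", key), struct.unpack("<4I", inp)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]

def xsalsa20_stream(key, nonce, length):  # XSalsa20: HSalsa20 subkey, then Salsa20 over the last 8 nonce bytes
    s = _state(key, nonce[:16]); _rounds(s)
    sub, out = struct.pack("<8I", *(s[i] for i in (0, 5, 10, 15, 6, 7, 8, 9))), b""  # HSalsa20 output
    for ctr in range((length + 63) // 64):  # one 64-byte Salsa20 block per little-endian counter value
        s0 = _state(sub, nonce[16:] + struct.pack("<Q", ctr)); s = list(s0); _rounds(s)
        out += struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, s0)))
    return out[:length]

def poly1305(key, msg):  # one-time authenticator keyed with the first 32 bytes of the stream
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp r
    s, p, acc = int.from_bytes(key[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]
        acc = (acc + int.from_bytes(blk, "little") + (1 << (8 * len(blk)))) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def seal(key, nonce, msg):  # box = 16-byte Poly1305 tag || ciphertext; the message length is not hidden
    if len(key) != 32 or len(nonce) != 24:
        raise ValueError("secretbox needs a 32-byte key and a 24-byte nonce")
    stream = xsalsa20_stream(key, nonce, 32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream[32:]))
    return poly1305(stream[:32], ct) + ct

def open_box(key, nonce, box):  # returns None, never a partial plaintext, when the tag does not verify
    stream = xsalsa20_stream(key, nonce, 16 + len(box))
    if not hmac.compare_digest(poly1305(stream[:32], box[16:]), box[:16]):
        return None
    return bytes(a ^ b for a, b in zip(box[16:], stream[32:]))
```

A counter nonce as the text suggests (nonce 1 for the first message, nonce 2 for the second) is simply the counter encoded into 24 bytes, as the test shows with `(1).to_bytes(24, "little")`.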
Encrypt a message using a 256-bit secret key (a newly generated nacl box private key can be used as the secret):
```
$ step crypto nacl secretbox seal nonce secretbox.key
Please enter text to seal: ********
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE
$ cat message.txt | step crypto nacl secretbox seal nonce secretbox.key
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE
```
Decrypt and authenticate the message:
```
$ echo o2NJTsIJsk0dl4epiBwS1mM4xFED7iE | step crypto nacl secretbox open nonce secretbox.key message
```
| Name | Usage |
|------|-------|
| open | authenticate and decrypt a box produced by seal |
| seal | produce an encrypted ciphertext |