Usage & Examples

The usual -h flag shows you the different options that the tool accepts.

$ crypt4gh -h

Utility for the cryptographic GA4GH standard, reading from stdin and outputting to stdout.

    crypt4gh [-hv] [--log <file>] encrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--range <start-end>] [--no_aad]
    crypt4gh [-hv] [--log <file>] decrypt [--sk <path>] [--sender_pk <path>] [--range <start-end>]
    crypt4gh [-hv] [--log <file>] reencrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--trim]
    crypt4gh [-hv] [--log <file>] rearrange [--sk <path>] --range <start-end>

    -h, --help             Prints this help and exit
    -v, --version          Prints the version and exits
    --log <file>           Path to the logger file (in YML format)
    --sk <keyfile>         Curve25519-based Private key
                           When encrypting, if neither the private key nor C4GH_SECRET_KEY are specified, we generate a new key
    --recipient_pk <path>  Recipient's Curve25519-based Public key
    --sender_pk <path>     Peer's Curve25519-based Public key to verify provenance (aka, signature)
    -t, --trim             Keep only header packets that you can decrypt
    -n, --no_aad           Disable AEAD (Authenticated Encryption with Associated Data)
    --range <start-end>    Byte-range either as  <start-end> or just <start> (Start included, End excluded)

    The "rearrange" command only works without AEAD

Environment variables:
    C4GH_LOG         If defined, it will be used as the default logger
    C4GH_SECRET_KEY  If defined, it will be used as the default secret key (ie --sk ${C4GH_SECRET_KEY})


Assume Alice, with public/private key and alice.sec respectively, wants to send a message to Bob, with public/private key and bob.sec respectively.

Alice can encrypt the message M with:

$ crypt4gh encrypt --sk alice.sec --recipient_pk < M > M.c4gh

Bob can decrypt the encrypted message with:

$ crypt4gh decrypt --sk bob.sec < M.c4gh > M

Optionally, Bob can verify that the message indeed comes from Alice. To do so, he needs to fetch Alice’s public key via another trusted channel. He can then decrypt and check the provenance of the file with:

$ crypt4gh decrypt --sk bob.sec --sender_pk < M.c4gh > M
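When the provenance check matters, a partially written or unverified plaintext should never appear at the destination path. The wrapper below is an added example, not part of the crypt4gh project: the function name and argument order are hypothetical, and it assumes crypt4gh exits non-zero when decryption or the --sender_pk check fails.

```bash
#!/usr/bin/env bash
# Added example (not from the crypt4gh project).
# Assumptions: the function name and argument order are hypothetical, and
# crypt4gh is assumed to exit non-zero when decryption or the sender check fails.
#
# Usage: c4gh_decrypt_verified bob.sec <alice_public_key> M.c4gh M

c4gh_decrypt_verified() {
    local sk sender_pk src dst tmp f
    if [ "$#" -ne 4 ]; then
        echo "usage: c4gh_decrypt_verified <sk> <sender_pk> <file.c4gh> <output>" >&2
        return 2
    fi
    sk="$1"; sender_pk="$2"; src="$3"; dst="$4"

    # Refuse to start if any input is unreadable, so a missing sender key
    # can never silently turn into an unverified decryption.
    for f in "$sk" "$sender_pk" "$src"; do
        if [ ! -r "$f" ]; then
            echo "cannot read: $f" >&2
            return 2
        fi
    done

    # Stage the plaintext beside the destination. mktemp creates the file
    # readable by its owner only, and a rename within one directory is atomic.
    tmp="$(mktemp "${dst}.XXXXXX")" || return 1

    if crypt4gh decrypt --sk "$sk" --sender_pk "$sender_pk" < "$src" > "$tmp"; then
        mv -f "$tmp" "$dst"
    else
        # Discard whatever was written before the failure.
        rm -f "$tmp"
        echo "decryption or sender check failed; $dst not written" >&2
        return 1
    fi
}
```
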

Any user can generate a keypair with:

$ crypt4gh-keygen --sk user.sec --pk

The private key will be encrypted with a passphrase. The user is prompted at the terminal for that passphrase.