Command Line Interface: encryption for data sharing

For documentation and more information, you can check the Crypt4GH Encryption Utility page.

In this example, we first generate your key pair (a password-protected private key and a public key that can be shared with collaborators). Next, we encrypt a file with public keys of two different collaborators (research group A and research group B).

Python 3.6+ is required to use the Crypt4GH encryption utility. If you need help installing Python, please follow these instructions.

1. Install the Crypt4GH encryption CLI tool

   You can install Crypt4GH directly with pip tool:

   pip install crypt4gh     
   

   or, if you prefer the latest sources from GitHub:

   pip install -r crypt4gh/requirements.txt
   pip install ./crypt4gh
   

   or even:

   pip install git+https://github.com/EGA-archive/crypt4gh.git
   

   The usual -h flag shows you the different options that the tool accepts:

   $ crypt4gh -h
   
   Utility for the cryptographic GA4GH standard, reading from stdin and outputting to stdout.
   
   Usage:
      {PROG} [-hv] [--log <file>] encrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--range <start-end>]
      {PROG} [-hv] [--log <file>] decrypt [--sk <path>] [--sender_pk <path>] [--range <start-end>]
      {PROG} [-hv] [--log <file>] rearrange [--sk <path>] --range <start-end>
      {PROG} [-hv] [--log <file>] reencrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--trim]
   
   Options:
      -h, --help             Prints this help and exit
      -v, --version          Prints the version and exits
      --log <file>           Path to the logger file (in YML format)
      --sk <keyfile>         Curve25519-based Private key.
                           When encrypting, if neither the private key nor C4GH_SECRET_KEY are specified, we generate a new key
      --recipient_pk <path>  Recipient's Curve25519-based Public key
      --sender_pk <path>     Peer's Curve25519-based Public key to verify provenance (akin to signature)
      --range <start-end>    Byte-range either as  <start-end> or just <start> (Start included, End excluded)
      -t, --trim             Keep only header packets that you can decrypt
   
   Environment variables:
      C4GH_LOG         If defined, it will be used as the default logger
      C4GH_SECRET_KEY  If defined, it will be used as the default secret key (ie --sk ${C4GH_SECRET_KEY})
   

   You may notice that crypt4gh uses --sk option for the private key. This might seem odd but apparently, crypt4gh uses term secure key for private key, hence sk, and consequently pk refers to public key instead of the private key.

2. Generate your public-private key pair

   You use crypt4gh-keygen command to create your private and public keys:

   $ crypt4gh-keygen --sk mykey.sec --pk mykey.pub
   Generating public/private Crypt4GH key pair.
   Enter passphrase for meykey.sec (empty for no passphrase): 
   Enter passphrase for mykey.sec (again): 
   Your private key has been saved in mykey.sec
   Your public key has been saved in mykey.pub
   

   where --sk mykey.sec is your private (secret, sk) key and --pk mykey.pub is your public key (pk). The tool will ask you to enter a password (passphrase) for your private key. For security reasons, the password is not shown when you type it, so the tool will ask you to enter it a second time to make sure you made no typing errors (or, you make the same errors twice). Please, use a strong password!

   Note

   If you lose or forget your private key, or the password to it, you will be unable to decrypt the files. Do not share your private key or your password.

   Note

   You need to create your keys only once and use them for all your encryption needs, but you can of course, choose to generate separate keys for encryption as you wish.

3. Encrypt a file

   To encrypt files you will need the public keys of the recipients of the data. In this example we are sharing the data with two recipients: yourself and research group A. Your own public key (mykey.pub) was created in the previous step, and the public key of research group A (groupA.pub) we have received somehow (e.g. via email). To encrypt a file you use crypt4gh encrypt command:

   $ crypt4gh encrypt --recipient_pk mykey.pub --recipient_pk groupA.pub <dog.jpg >dog.jpg.c4gh
   

   The crypt4gh command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections: < denotes an input file and > and denotes an output file, hence <dog.jpg reads in a file called dog.jpg and >dog.jpg.c4gh writes out an encrypted file named dog.jpg.c4gh.

4. Decrypt a file

   To decrypt a file you will need a private key which corresponds to one of the public keys used in encryption phase. Let's assume in our example that the research group A is decrypting a file you've sent them. To decrypt a file they use crypt4gh decrypt command:

   crypt4gh decrypt --sk groupA.sec <dog.jpg.c4gh >dog.jpg
   Passphrase for groupA.sec: 
   

   where --sk groupA.sec is a corresponding private key to one of the public keys used in the encryption. The crypt4gh command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections: < denotes an input file and > and denotes an output file, hence <dog.jpg.c4gh reads in an encrypted file called dog.jpg.c4gh and >dog.jpg writes out a decrypted file named dog.jpg.

   The command will ask the user to enter the password (passphrase) of your private key. For security reasons the password is not displayed when you type it.

   Note

   In case you are decrypting the file in SD Desktop and the CSC Sensitive Data public key has been used in encryption, decryption will be done automatically, and you do not need to specify any decryption keys.

---

Last update: October 27, 2023

Do you find this page useful?

Yes

Thank you for your feedback!

No

Thank you! Your feedback is appreciated.

Please let us know how we could improve this page by contacting us or by creating an issue in GitHub. You can also edit this page yourself and contribute your improvements by creating a pull request.