Command Line Interface
To encrypt and upload files via command line, please check this tutorial illustrating how to use the crpt4GH tool to upload files in Allas (visible from SD Connect).
Below more information about the crypt4GH CLI:
For documentation and more information, you can check the Crypt4GH Encryption Utility page.
In this example, we first generate your key pair (a password-protected private key and a public key that can be shared with collaborators). Next, we encrypt a file with public keys of two different collaborators (research group A and research group B).
Python 3.6+ is required to use the Crypt4GH encryption utility. If you need help installing Python, please follow these instructions.
-
Install the Crypt4GH encryption CLI tool
You can install Crypt4GH directly with pip tool:
or, if you prefer the latest sources from GitHub:
or even:
The usual
-h
flag shows you the different options that the tool accepts:$ crypt4gh -h Utility for the cryptographic GA4GH standard, reading from stdin and outputting to stdout. Usage: {PROG} [-hv] [--log <file>] encrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--range <start-end>] {PROG} [-hv] [--log <file>] decrypt [--sk <path>] [--sender_pk <path>] [--range <start-end>] {PROG} [-hv] [--log <file>] rearrange [--sk <path>] --range <start-end> {PROG} [-hv] [--log <file>] reencrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--trim] Options: -h, --help Prints this help and exit -v, --version Prints the version and exits --log <file> Path to the logger file (in YML format) --sk <keyfile> Curve25519-based Private key. When encrypting, if neither the private key nor C4GH_SECRET_KEY are specified, we generate a new key --recipient_pk <path> Recipient's Curve25519-based Public key --sender_pk <path> Peer's Curve25519-based Public key to verify provenance (akin to signature) --range <start-end> Byte-range either as <start-end> or just <start> (Start included, End excluded) -t, --trim Keep only header packets that you can decrypt Environment variables: C4GH_LOG If defined, it will be used as the default logger C4GH_SECRET_KEY If defined, it will be used as the default secret key (ie --sk ${C4GH_SECRET_KEY})
You may notice that crypt4gh uses
--sk
option for the private key. This might seem odd but apparently, crypt4gh uses term secure key for private key, hencesk
, and consequentlypk
refers to public key instead of the private key. -
Generate your public-private key pair
You use
crypt4gh-keygen
command to create your private and public keys:$ crypt4gh-keygen --sk mykey.sec --pk mykey.pub Generating public/private Crypt4GH key pair. Enter passphrase for meykey.sec (empty for no passphrase): Enter passphrase for mykey.sec (again): Your private key has been saved in mykey.sec Your public key has been saved in mykey.pub
where
--sk mykey.sec
is your private (secret, sk) key and--pk mykey.pub
is your public key (pk). The tool will ask you to enter a password (passphrase) for your private key. For security reasons, the password is not shown when you type it, so the tool will ask you to enter it a second time to make sure you made no typing errors (or, you make the same errors twice). Please, use a strong password!Note
If you lose or forget your private key, or the password to it, you will be unable to decrypt the files. Do not share your private key or your password.
Note
You need to create your keys only once and use them for all your encryption needs, but you can of course, choose to generate separate keys for encryption as you wish.
-
Encrypt a file
To encrypt files you will need the public keys of the recipients of the data. In this example we are sharing the data with two recipients: yourself and research group A. Your own public key (
mykey.pub
) was created in the previous step, and the public key of research group A (groupA.pub
) we have received somehow (e.g. via email). To encrypt a file you usecrypt4gh encrypt
command:The
crypt4gh
command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections:<
denotes an input file and>
and denotes an output file, hence<dog.jpg
reads in a file calleddog.jpg
and>dog.jpg.c4gh
writes out an encrypted file nameddog.jpg.c4gh
. -
Decrypt a file
To decrypt a file you will need a private key which corresponds to one of the public keys used in encryption phase. Let's assume in our example that the research group A is decrypting a file you've sent them. To decrypt a file they use
crypt4gh decrypt
command:where
--sk groupA.sec
is a corresponding private key to one of the public keys used in the encryption. Thecrypt4gh
command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections:<
denotes an input file and>
and denotes an output file, hence<dog.jpg.c4gh
reads in an encrypted file calleddog.jpg.c4gh
and>dog.jpg
writes out a decrypted file nameddog.jpg
.The command will ask the user to enter the password (passphrase) of your private key. For security reasons the password is not displayed when you type it.
Note
In case you are decrypting the file in SD Desktop and the CSC Sensitive Data public key has been used in encryption, decryption will be done automatically, and you do not need to specify any decryption keys.
If you need to decrypt a large number of files, please check the tutorial Decrypting all files in a directory.