SCRYPT(1)		    General Commands Manual		     SCRYPT(1)

NAME
       scrypt -- encrypt and decrypt files

SYNOPSIS
       scrypt	{enc   |   dec	 |  info}  [-f]	 [--logN  value]  [-M  maxmem]
	      [-m  maxmemfrac]	[-P]  [-p  value]  [--passphrase   method:arg]
	      [-r value] [-t maxtime] [-v] infile [outfile]
       scrypt --version

DESCRIPTION
       scrypt  enc  encrypts infile and	writes the result to outfile if	speci-
       fied, or	the standard output otherwise.	The user will be  prompted  to
       enter  a	passphrase (twice) to be used to generate a derived encryption
       key.

       scrypt dec decrypts infile and writes the result	to outfile  if	speci-
       fied,  or  the standard output otherwise.  The user will	be prompted to
       enter the passphrase used at encryption time to	generate  the  derived
       encryption key.

       scrypt  info  provides information about	the encryption parameters used
       for infile.

       Unless otherwise	specified via --passphrase, scrypt  reads  passphrases
       from  its  controlling  terminal, or failing that, from stdin.  Prompts
       are only	printed	when scrypt is reading passphrases from	some terminal.

OPTIONS
       -f	      Force the	operation to proceed even if it	is anticipated
		      to require an excessive amount of	memory	or  CPU	 time.
		      Do  not print any	warnings about exceeding any memory or
		      CPU time limits.

       --logN value   Set the work parameter N to 2^value.  If --logN is  set,
		      -r and -p	must also be set.  If such explicit parameters
		      are given, the resource limits set by -M,	-m, and	-t are
		      not enforced.

       -M maxmem      Use  at  most maxmem bytes of RAM	to compute the derived
		      encryption key.

       -m maxmemfrac  Use at most the fraction maxmemfrac of the available RAM
		      to compute the derived encryption	key.  The maximum pos-
		      sible value for maxmemfrac is 0.5.

       -P	      Deprecated synonym for --passphrase dev:stdin-once.

       -p value	      Set the work parameter p to value.  If -p	is set,	--logN
		      and -r must also be set.	If  such  explicit  parameters
		      are given, the resource limits set by -M,	-m, and	-t are
		      not enforced.

       --passphrase method:arg
		      Read the passphrase using	the specified method.

		      dev:tty-stdin
			  Attempt  to  read  the  passphrase from /dev/tty; if
			  that fails, read it from stdin.  This	is the default
			  behaviour.

		      dev:stdin-once
			  Attempt to read the passphrase from stdin, and do so
			  only once even when encrypting.  This	cannot be used
			  if infile is also stdin (aka '-').

		      dev:tty-once
			  Attempt to read the passphrase from /dev/tty,	and do
			  so only once even when encrypting.

		      env:VAR
			  Read the passphrase from  the	 environment  variable
			  specified by VAR.

			  Storing  a passphrase	in an environment variable may
			  be a security	risk.  Only use	this option if you are
			  certain that you know	what you are doing.

		      file:FILENAME
			  Read the  passphrase	from  the  file	 specified  by
			  FILENAME.

			  Storing  a  passphrase  in  a	file may be a security
			  risk.	 Only use this option if you are certain  that
			  you know what	you are	doing.

       -r value	      Set the work parameter r to value.  If -r	is set,	--logN
		      and  -p  must  also be set.  If such explicit parameters
		      are given, the resource limits set by -M,	-m, and	-t are
		      not enforced.

       -t maxtime     Use at most maxtime seconds of CPU time to  compute  the
		      derived encryption key.

       -v	      Print  encryption	 parameters  (N,  r, p)	and memory/cpu
		      limits.

       --version      Print version of scrypt, and exit.

       In scrypt enc, the memory and CPU time limits are enforced  by  picking
       appropriate  parameters	to  the	 scrypt	 key  derivation function.  In
       scrypt dec, the memory and CPU time limits are enforced by exiting with
       an error	if decrypting the file would require too much  memory  or  CPU
       time.

EXIT STATUS
       The scrypt utility exits	0 on success, and >0 if	an error occurs.

       Note that if the	input encrypted	file is	corrupted, scrypt dec may pro-
       duce output prior to determining	that the input was corrupt and exiting
       with a non-zero status; so users	should direct the output to a safe lo-
       cation  and  check the exit status of scrypt before using the decrypted
       data.
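
       The advice above (write to a safe location, check the exit status),
       combined with a permission check for --passphrase file:FILENAME, as an
       added shell example that is not part of the scrypt distribution.
       SCRYPT_BIN and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the scrypt distribution.
# Assumptions: SCRYPT_BIN (override for the scrypt binary) and the function
# names passfile_is_private / safe_scrypt_dec exist only in this example.

# Succeed only if $1 is a regular file (not a symlink) whose mode grants
# nothing to group or other, e.g. 0600 or 0400.
passfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1" | cut -c1-10) in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# usage: safe_scrypt_dec INFILE OUTFILE [PASSFILE]
# Decrypts into a private temp file and renames it to OUTFILE only when
# scrypt exits 0, so output from a corrupt input never reaches OUTFILE.
safe_scrypt_dec() {
    src=$1 dst=$2 passfile=${3:-}
    if [ -n "$passfile" ]; then
        passfile_is_private "$passfile" || {
            echo "passphrase file must be a regular file with no group/other access: $passfile" >&2
            return 2
        }
        set -- --passphrase "file:$passfile"
    else
        set --
    fi
    # mktemp creates the file mode 0600; placing it beside OUTFILE keeps
    # the final mv a same-filesystem rename.
    tmp=$(mktemp "$(dirname -- "$dst")/.scrypt-dec.XXXXXX") || return 1
    if "${SCRYPT_BIN:-scrypt}" dec "$@" "$src" "$tmp"; then
        mv -f -- "$tmp" "$dst"
    else
        rc=$?
        rm -f -- "$tmp"
        echo "scrypt dec exited $rc; partial output discarded" >&2
        return "$rc"
    fi
}
```

       A caller runs, for example, safe_scrypt_dec backup.enc backup.tar
       /path/to/passfile and uses backup.tar only if the function returns 0.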

ALGORITHM PARAMETERS
       The scrypt algorithm has	three tuneable work parameters:	N, r, p.  When
       decrypting, scrypt will always use the values specified by the  encryp-
       tion  header.   When  encrypting, scrypt	will choose appropriate	values
       based on	your system's speed and	memory (influenced by -M,  -m,	and/or
       -t), unless you specify explicit	parameters via --logN, -p, -r.

SEE ALSO
       Colin  Percival,	 Stronger  Key	Derivation  via	Sequential Memory-Hard
       Functions, BSDCan'09, May 2009.

       Colin Percival and  Simon  Josefsson,  The  scrypt  Password-Based  Key
       Derivation Function, IETF RFC 7914, August 2016.

HISTORY
       The  scrypt  utility  was  written  in  May 2009	by Colin Percival as a
       demonstration of	the scrypt key derivation function.   The  scrypt  key
       derivation function was invented	in March 2009 by Colin Percival	in or-
       der  to allow key files from the	Tarsnap	backup system to be passphrase
       protected.

FreeBSD	ports 15.0	       February	13, 2025		     SCRYPT(1)
