anjuna-decrypt

Name

anjuna-decrypt

Decrypt a file created by a trusted enclave.

Synopsis

anjuna-decrypt --key-file FILE.pem [OPTIONS] ENCRYPTED_FILENAME

Description

When an application runs in the Anjuna SGX Runtime, the Runtime can transparently encrypt some files, without any modifications to the application, using an RSA public key provided by the user (specified by the keys entry in the manifest). The anjuna-decrypt tool enables you to decrypt these files.

See the keys entry in the Configuration reference for instructions on how to specify the key that the Anjuna SGX Runtime uses to encrypt files and how to specify the list of files to be encrypted.

Decrypting files with an AES128 key

Using the command-line flag --aes-key, you can also decrypt files using an AES128 symmetric encryption key. These encrypted files can be created using anjuna-encrypt or any other AES128 encryption tool.

Options

anjuna-decrypt [OPTIONS] ENCRYPTED_FILENAME
      --aes-key string    Base64 encoded AES128 key to decrypt the file with
  -k, --key-file string   Decryption key filename
  -o, --out string        Decrypted output filename (optional)

Exit status

  • 0 on success

  • 1 on error

When anjuna-decrypt succeeds, the decrypted file is created in the same directory as the encrypted file, with the same name as the original file but with the ".decrypted" extension added. The tool also prints the HMAC of the encrypted payload.

Example

$ anjuna-decrypt --key-file anjuna-enclave-sign-privkey.pem testfile
SHA256-HMAC (hex): 2C348966BF20DD4802F731299891EE242E73A4B47196F74A1FC762AE2F03B7A7
SHA256-HMAC (b64): LDSJZr8g3UgC9zEpmJHuJC5zpLRxlvdKH8diri8Dt6c=
Decrypted file: testfile.decrypted
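
A script that wraps this tool can check the printed HMAC in addition to the exit status. The following is an added example, not part of the Anjuna documentation or tooling: it parses the output format shown above, confirms that the hex and base64 lines encode the same 32-byte value, and compares that value with a reference. The function names, and the availability of a reference HMAC recorded from an earlier trusted run, are assumptions.

```python
import base64
import hmac
import re

# Output copied from the Example section of this page.
SAMPLE_OUTPUT = """\
SHA256-HMAC (hex): 2C348966BF20DD4802F731299891EE242E73A4B47196F74A1FC762AE2F03B7A7
SHA256-HMAC (b64): LDSJZr8g3UgC9zEpmJHuJC5zpLRxlvdKH8diri8Dt6c=
Decrypted file: testfile.decrypted
"""

# A SHA-256 HMAC is 32 bytes: 64 hex digits, or 43 base64 characters plus "=".
_FIELDS = {
    "hex": re.compile(r"^SHA256-HMAC \(hex\): ([0-9A-Fa-f]{64})$", re.M),
    "b64": re.compile(r"^SHA256-HMAC \(b64\): ([A-Za-z0-9+/]{43}=)$", re.M),
    "path": re.compile(r"^Decrypted file: (.+)$", re.M),
}


def parse_decrypt_output(text):
    """Return (hmac_bytes, decrypted_path); raise ValueError on malformed output."""
    found = {}
    for name, pattern in _FIELDS.items():
        matches = pattern.findall(text)
        if len(matches) != 1:
            raise ValueError(f"expected exactly one {name} line, got {len(matches)}")
        found[name] = matches[0]
    from_hex = bytes.fromhex(found["hex"])
    from_b64 = base64.b64decode(found["b64"], validate=True)
    # The two lines are two encodings of one tag, so they must decode identically.
    if not hmac.compare_digest(from_hex, from_b64):
        raise ValueError("hex and base64 HMAC lines disagree")
    return from_hex, found["path"]


def hmac_matches(text, expected_hex):
    """Compare the printed HMAC with a reference value (assumed to be recorded
    from an earlier trusted run) using a constant-time comparison."""
    tag, _ = parse_decrypt_output(text)
    return hmac.compare_digest(tag, bytes.fromhex(expected_hex))
```
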