NCRYPT(8)		   User Manuals			NCRYPT(8)


NAME
       ncrypt - NMRC File Encryptor/Decryptor/Wiper


SYNOPSIS
       ncrypt <-h> <-e|-d> <-z> <-w> <-v> <-V> <-a algo> <-i infile>
       <-o outfile>


DESCRIPTION
       Ncrypt is intended to give you security in an insecure
       environment. If you want to encrypt files (particularly on
       a multi-user system where you don't have root), wish to
       hide your activities from prying eyes, and want to "cover
       your tracks", then Ncrypt is for you. It gives you the
       choice of three strong encryption algorithms and two
       secure file wiping options.

       For file encryption, Ncrypt is a symmetrical file
       encryptor/decryptor that gives you the choice of the top
       three candidates for AES as the encryption algorithm
       (Rijndael (AES), Serpent, Twofish), tries to minimize
       exposure of the plaintext password in memory, and can
       safely erase the plaintext version from the hard drive.

       The erasing of files uses techniques from two sources. The
       first set of techniques was originally outlined in Peter
       Gutmann's 1996 paper "Secure Deletion of Data from
       Magnetic and Solid-State Memory". The second set of
       techniques was originally outlined in the DoD 5220.22-M
       standard developed by the NSA, specifically the
       recommendations for sanitizing drives for redeployment.
       For the insanely paranoid, yes you can use both options at
       the same time.

       For added security, the random data streams used during
       wiping come from the ISAAC PRNG, and wiping can take place
       either independently or concurrently with encryption
       operations. The wiping routine also wipes file slack.

       Ncrypt compiles without any extra crypto libraries, making
       it ideal for systems where you just have a compiler and
       basic libraries (such as an ISP's shell server).


OPTIONS
       -h or --help
              Display help/usage information and exit.

       -e or --encrypt
              Signifies you wish to encrypt a file. When
              encrypting you are asked for the password twice (to
              ensure you have entered it correctly).

       -d or --decrypt
              Signifies you wish to decrypt a file. When
              decrypting you are asked for the password one time.

       -r or --rijndael or -a or --aes
              Use the AES (Rijndael) algorithm for
              encryption/decryption. If no algorithm is chosen,
              Rijndael is used by default.

       -s or --serpent
              Use the Serpent algorithm for encryption/decryption.

       -t or --twofish
              Use the Twofish algorithm for encryption/decryption.

       -i     Specify the input file infile for ncrypt to either
              encrypt or decrypt. If used with the -g or -m
              option during encryption, the input file specified
              is wiped.

       -o     Specify the output file outfile for the results of
              ncrypt's encryption or decryption.

       -g or --wipe-gutmann
              Do a `safe' erase of the input file (during
              encryption mode) or a specified file or files if
              not performing encryption/decryption operations.
              This overwrites the file on the hard drive with a
              series of 35 passes as outlined in Peter Gutmann's
              1996 paper (see above) before erasing the file.
              File slack is also wiped using the same technique.
              Be careful - the erased file is unrecoverable,
              which is kind of the point.

       -m or --wipe-military
              This option runs like the -g or --wipe-gutmann
              option, except 3 passes are done. The first pass is
              a character, the second is the complement of that
              character (the bits are flipped), and the third is
              with random data which is verified. This is the
              military-grade standard for wiping files that are
              classified (does not apply to TOP SECRET
              classification). And like the -g or
              --wipe-gutmann, use with caution as the file is not
              recoverable.
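
       The three-pass procedure that -m describes, written out as
       an added C example (not ncrypt's own code): a byte, its
       complement, then random data that is read back and
       verified, after which the file is unlinked. A xorshift32
       generator stands in for ISAAC, the first-pass byte 0x55
       and the seed are assumed, and file slack is left
       untouched.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* xorshift32 stands in for ncrypt's ISAAC stream: being re-seedable, the random
 * pass can be regenerated and compared byte for byte on read-back. */
static uint32_t prng_next(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* One pass over the whole file: a fixed byte when seed == 0, PRNG bytes otherwise.
 * Written and fsync'd, then (if verify) read back and compared. Returns 0 on success. */
static int pass(int fd, off_t size, unsigned char fixed, uint32_t seed, int verify) {
    unsigned char out[4096], in[4096];
    for (int round = 0; round <= verify; round++) {      /* round 1 = verification */
        uint32_t s = seed;                               /* restart the random stream */
        for (off_t done = 0; done < size;) {
            size_t n = (size - done < (off_t)sizeof out) ? (size_t)(size - done) : sizeof out;
            for (size_t i = 0; i < n; i++) out[i] = seed ? (unsigned char)prng_next(&s) : fixed;
            if (round == 0) { if (pwrite(fd, out, n, done) != (ssize_t)n) return -1; }
            else if (pread(fd, in, n, done) != (ssize_t)n || memcmp(in, out, n)) return -1;
            done += (off_t)n;
        }
        if (round == 0 && fsync(fd) != 0) return -1;
    }
    return 0;
}

/* Three passes as -m describes: a byte (0x55 is assumed; the page names none), its
 * complement, then verified random data; the file is unlinked afterwards. */
int wipe_dod(const char *path) {
    struct stat st; int fd = open(path, O_RDWR);
    if (fd < 0 || fstat(fd, &st) != 0) { if (fd >= 0) close(fd); return -1; }
    int rc = pass(fd, st.st_size, 0x55, 0, 0)
          || pass(fd, st.st_size, (unsigned char)~0x55, 0, 0)
          || pass(fd, st.st_size, 0, 0x9E3779B9u, 1);    /* constructed seed */
    close(fd);
    return (rc == 0 && unlink(path) == 0) ? 0 : -1;
}

/* Constructed demo: write a throwaway plaintext file, wipe it, return 0 if it is gone. */
int demo_wipe(void) {
    const char *path = "ncrypt_demo_plain.txt";
    FILE *f = fopen(path, "w"); if (!f) return -1;
    for (int i = 0; i < 300; i++) fputs("sensitive plaintext line\n", f);
    fclose(f);
    return (wipe_dod(path) == 0 && access(path, F_OK) != 0) ? 0 : -1;
}
```

       A failed read-back of the random pass makes wipe_dod return
       -1 without unlinking, so a verification failure is never
       silently mistaken for a completed wipe.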

       -v or --verbose
              More verbose output during program execution.

       -V or --version
              Print ncrypt version information and exit.


EXAMPLE USAGE
       ncrypt -e -s -i foo.txt -o bar.enc
              Encrypts plaintext file foo.txt and writes the
              encrypted file out as bar.enc. The Serpent
              algorithm is being used.

       ncrypt -d -i bar.enc -o foo.txt
              Decrypts encrypted file bar.enc and writes out
              plaintext file foo.txt. Since no algorithm is
              specified, AES (Rijndael) is used by default.

       ncrypt --encrypt --wipe-gutmann -i foo.txt -o bar.enc
              Encrypts plaintext file foo.txt and writes the
              encrypted file out as bar.enc. AES is being used,
              and the original foo.txt file is wiped using the
              Gutmann method.

       ncrypt -m -i foo.txt
              The file foo.txt is erased using the military
              method.

       ncrypt --wipe-gutmann foo.txt bar.txt foobar.txt
              The files foo.txt, bar.txt, and foobar.txt are
              wiped using the Gutmann method.


DIAGNOSTICS
       Errors from Ncrypt are written to stderr. There shouldn't
       be any bugs, because it compiled without errors ;-)


AUTHOR
       Ncrypt implementation by Simple Nomad <thegnome@nmrc.org>
       and Inertia <inertia@nmrc.org>. Additional coding ideas,
       including the improved PRNG, were added by Todd MacDermid
       <tmacd@synacklabs.net>. Based upon code by Joh Johnson
       <jojo@farm9.com>, which was taken from code by Gary
       Rancier, as well as code taken from Dave Whiting's Twofish
       implementation. The read_pass.c routine is based upon
       sample code in the excellent book "Building Secure
       Software" by John Viega and Gary McGraw.


BUGS
       Send bug reports to <thegnome@nmrc.org>.

Linux			     May 2003				3