aea
AEA(1) General Commands Manual AEA(1)
NAME
aea - Manipulate Apple Encrypted Archives
SYNOPSIS
aea command [options]
DESCRIPTION
aea creates and manipulates Apple Encrypted Archives (AEA)
VERBS
encrypt Create a new AEA archive
decrypt Decrypt an AEA archive
sign Sign an AEA archive
append Append data to an existing AEA archive
id Identify an AEA archive
OPTIONS
-v Increase verbosity. Default is silent operation.
-h Print usage and exit.
-i input_file
Input file. Default is stdin.
-o output_file
Output file. Default is stdout.
-profile profile
Archive profile, one of the following (both index and id are
allowed):
0: hkdf_sha256_hmac__none__ecdsa_p256 - no
encryption, signed
1: hkdf_sha256_aesctr_hmac__symmetric__none - symmetric key
encryption
2: hkdf_sha256_aesctr_hmac__symmetric__ecdsa_p256 - symmetric key
encryption, signed
3: hkdf_sha256_aesctr_hmac__ecdhe_p256__none - ECDHE
encryption
4: hkdf_sha256_aesctr_hmac__ecdhe_p256__ecdsa_p256 - ECDHE
encryption, signed
5: hkdf_sha256_aesctr_hmac__scrypt__none - scrypt
encryption (password based)
-a algorithm
Compression algorithm used when creating archives. One of lzfse,
lzma, lz4, zlib, copy. Default is lzfse.
-b block_size
Block size used for compression+encryption, a number with optional
b, k, m, g suffix (bytes are assumed if no suffix is specified).
Default is 1m.
-t worker_threads
Number of worker threads. Default is the number of physical CPU on
the running machine.
-checksum checksum_mode
Block checksum mode, one of none, murmur64, sha256.
-key key_file
File containing or receiving the symmetric encryption key.
-key-value <key>
Symmetric encryption key, encoded either as hex:..., or
base64:....
-key-gen
When creating a new archive, generate a new random high entropy
symmetric key, and store it in the file specified by -key. The
new key is stored as hex:... in the file.
-password password_file
File containing or receiving the encryption password.
-password-value <password>
Encryption password.
-password-gen
When creating a new archive, generate a new random high entropy
password, and store it in the file specified by -password.
-auth-data-key <string>
Define the key for the next -auth-data or -auth-data-value option.
If this option is specified at least once, the auth data blob in
the archive will be stored using the key->value format, and all
occurrences of fI-auth-data or -auth-data-value must be preceded
by a -auth-data-key.
-auth-data data_file
Insert the contents of data_file in the container as
authentication data. This option can be specified multiple times.
Authentication data is stored in plain text in the container, and
can be used to store public key certificates for example.
-auth-data-value <data>
Insert the contents of data (encoded either as hex:..., or
base64:...) in the container as authentication data. This option
can be specified multiple times. Authentication data is stored in
plain text in the container, and can be used to store public key
certificates for example.
-sign-pub key_file
File containing the signature public key. Used to decrypt a signed
container, or encrypt a container without signing it.
-sign-priv key_file
File containing the signature private key. Used to sign a
container.
-recipient-pub key_file
File containing the recipient public key. Used to encrypt a
container in the ECDHE modes.
-recipient-priv key_file
File containing the recipient private key. Used to decrypt a
container in the ECDHE modes.
-master-key key_file
When creating a new container, if this option is given, the file
will receive the container main key, needed for future append
operations. The main key is only intended to unlock an existing
container to append new data, and should be kept by the container
creator.
-signature-key key_file
When creating an new signed container, if this option is given,
the file will receive the signature encryption key. if only the
signature public key is passed with -sign-pub when creating a new
signed container, the container needs to be signed offline using
the sign command. This requires both the signature private key
-sign-priv, and this signature encryption key.
EXAMPLES
Encrypt foo into foo.aea using a new random symmetric key stored in
foo.key
aea encrypt -profile hkdf_sha256_aesctr_hmac__symmetric__none -i
foo -o foo.aea -key foo.key
Decrypt foo.aea into bar
aea decrypt -i foo.aea -o bar -key foo.key
Alice encrypts and signs foo into foo.aea, so only Bob can decrypt it.
aea encrypt -profile
hkdf_sha256_aesctr_hmac__ecdhe_p256__ecdsa_p256 -i foo -o foo.aea
-sign-priv alice.priv -recipient-pub bob.pub
Bob decrypts foo.aea into bar using his private key, and at the same time
verifying Alice signed it.
aea decrypt -i foo.aea -o bar -sign-pub alice.pub -recipient-priv
bob.priv
AEA(1)