NAME

aea — Manipulate Apple Encrypted Archives

SYNOPSIS

aea command [options]

DESCRIPTION

aea creates and manipulates Apple Encrypted Archives (AEA)

VERBS

encrypt           Create a new AEA archive
decrypt           Decrypt an AEA archive
sign              Sign an AEA archive
append            Append data to an existing AEA archive
id                Identify an AEA archive

OPTIONS

-v

Increase verbosity. Default is silent operation.

-h

Print usage and exit.

-i -input_file

Input file. Default is stdin.

-o -output_file

Output file. Default is stdout.

-profile -profile

Archive profile, one of the following (both index and id are allowed):
- 0: hkdf_sha256_hmac__none__ecdsa_p256 - no encryption, signed
- 1: hkdf_sha256_aesctr_hmac__symmetric__none - symmetric key encryption
- 2: hkdf_sha256_aesctr_hmac__symmetric__ecdsa_p256 - symmetric key encryption, signed
- 3: hkdf_sha256_aesctr_hmac__ecdhe_p256__none - ECDHE encryption
- 4: hkdf_sha256_aesctr_hmac__ecdhe_p256__ecdsa_p256 - ECDHE encryption, signed
- 5: hkdf_sha256_aesctr_hmac__scrypt__none - scrypt encryption (password based)

-a -algorithm

Compression algorithm used when creating archives. One of lzfse, lzma, lz4, zlib, copy. Default is lzfse.

-b -block_size

Block size used for compression+encryption, a number with optional b, k, m, g suffix (bytes are assumed if no suffix is specified). Default is 1m.

-t -worker_threads

Number of worker threads. Default is the number of physical CPU on the running machine.

-checksum -checksum_mode

Block checksum mode, one of none, murmur64, sha256.

-key -key_file

File containing or receiving the symmetric encryption key.

-key-value -<key>

Symmetric encryption key, encoded either as hex:..., or base64:....

-key-gen

When creating a new archive, generate a new random high entropy symmetric key, and store it in the file specified by -key. The new key is stored as hex:... in the file.

-password password_file

File containing or receiving the encryption password.

--password-value -<password>

Encryption password.

-password-gen

When creating a new archive, generate a new random high entropy password, and store it in the file specified by -password.

--auth-data-key -<string>

Define the key for the next -auth-data or -auth-data-value option. If this option is specified at least once, the auth data blob in the archive will be stored using the key->value format, and all occurrences of fI-auth-data or -auth-data-value must be preceded by a -auth-data-key.

--auth-data -data_file

Insert the contents of data_file in the container as authentication data. This option can be specified multiple times. Authentication data is stored in plain text in the container, and can be used to store public key certificates for example.

--auth-data-value -<data>

Insert the contents of data (encoded either as hex:..., or base64:...) in the container as authentication data. This option can be specified multiple times. Authentication data is stored in plain text in the container, and can be used to store public key certificates for example.

--sign-pub -key_file

File containing the signature public key. Used to decrypt a signed container, or encrypt a container without signing it.

--sign-priv -key_file

File containing the signature private key. Used to sign a container.

--recipient-pub -key_file

File containing the recipient public key. Used to encrypt a container in the ECDHE modes.

--recipient-priv -key_file

File containing the recipient private key. Used to decrypt a container in the ECDHE modes.

--master-key -key_file

When creating a new container, if this option is given, the file will receive the container main key, needed for future append operations. The main key is only intended to unlock an existing container to append new data, and should be kept by the container creator.

--signature-key -key_file

When creating an new signed container, if this option is given, the file will receive the signature encryption key. if only the signature public key is passed with -sign-pub when creating a new signed container, the container needs to be signed offline using the sign command. This requires both the signature private key -sign-priv, and this signature encryption key.

EXAMPLES

Encrypt foo into foo.aea using a new random symmetric key stored in foo.key  aea encrypt -profile hkdf_sha256_aesctr_hmac__symmetric__none -i foo -o foo.aea -key foo.key

Decrypt foo.aea into bar

  aea decrypt -i foo.aea -o bar -key foo.key

Alice encrypts and signs foo into foo.aea, so only Bob can decrypt it.

  aea encrypt -profile hkdf_sha256_aesctr_hmac__ecdhe_p256__ecdsa_p256 -i foo -o foo.aea -sign-priv alice.priv -recipient-pub bob.pub

Bob decrypts foo.aea into bar using his private key, and at the same time verifying Alice signed it.

  aea decrypt -i foo.aea -o bar -sign-pub alice.pub -recipient-priv bob.priv