These are some command line tools for using TweetNaCl by Prof Daniel J. Bernstein et al. There are three tools for encryption (make keys, encrypt, and decrypt), and three tools for signatures (make keys, sign, and verify).
Run make to compile the tools using gcc. The scripts go in
Generates Curve25519 public and secret keys.
$ tweetnacl-keypair public.key secret.key
The public.key and secret.key files will contain 32 bytes each of the public and secret Curve25519 keys respectively. If either or both of the file names are given as - then the key will be printed as hexadecimal (64 bytes) with a trailing line feed ("\n") to stdout instead.
Encrypts data using Curve25519 public and secret keys.
$ tweetnacl-encrypt sender.sec recipient.pub input.txt output.enc
The sender.sec file is the Curve25519 secret key of the person sending the message. The recipient.pub file is the Curve25519 public key of the person receiving the message. input.txt contains the content of the message to be encrypted, and output.enc will be created to contain the encrypted message. Using - for the output filename will mean that the encrypted message content is printed as hexadecimal to stdout instead.
Decrypts data using Curve25519 public and secret keys.
$ tweetnacl-decrypt sender.pub recipient.sec input.enc output.txt
The sender.pub file is the Curve25519 public key of the person who sent the message. The recipient.sec file is the Curve25519 secret key of the person who received the message. input.enc contains the encrypted message, and output.txt will be created to contain the decrypted message. Using - for the output filename will mean that the decrypted message content will be printed to stdout, verbatim.
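Because tweetnacl-keypair prints a key as hexadecimal when given - while the key files passed to the encrypt and decrypt tools hold 32 raw bytes, the helpers below classify a Curve25519 key file, convert the printed hex form back to raw bytes, and check that a secret key file grants nothing to group or others. This is an added example, not part of the tools; the function names are hypothetical, and it assumes the tools read keys only in the raw 32-byte form.

```shell
#!/bin/sh
# Added example (not part of tweetnacl-tools); all function names are hypothetical.
# Bodies written as "( ... )" run in a subshell so variables and umask do not leak.

# key_format FILE: print "raw" for a 32-byte binary key, "hex" for 64 hex
# digits plus "\n" (the form printed for "-"); fail for anything else.
key_format() (
    size=$(wc -c < "$1" | tr -d ' ')
    case "$size" in
        32) echo raw ;;
        65) [ "$(wc -l < "$1" | tr -d ' ')" -eq 1 ] &&
            grep -Eqx '[0-9A-Fa-f]{64}' "$1" && echo hex ;;
        *)  exit 1 ;;
    esac
)

# hex_key_to_raw HEXFILE OUTFILE: write the 32 raw bytes of a hex-printed key.
# A newly created OUTFILE gets mode 0600 because of umask 077.
hex_key_to_raw() (
    [ "$(key_format "$1")" = hex ] || exit 1
    umask 077
    hex=$(cat "$1")
    : > "$2" || exit 1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}             # remainder
        # Emit one byte through an octal escape in the printf format.
        printf "\\$(printf '%03o' "0x$pair")" >> "$2"
    done
)

# secret_key_private FILE: succeed only for a regular file whose mode grants
# nothing to group or others (for example -rw-------).
secret_key_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}
```

Run key_format on every key file before handing it to tweetnacl-encrypt or tweetnacl-decrypt, and secret_key_private on each secret key.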
Creates public and secret keys suitable for signing.
$ tweetnacl-sigpair sign.pub sign.sec
The sign.pub file is a public signature key, used for verification; and the sign.sec file is the counterpart private signature key, used for signing. Using - for either output filename will mean that the key is printed as hexadecimal with a trailing newline to stdout.
Signs a message using a secret signing key.
$ tweetnacl-sign sign.sec message.txt message.signed
The sign.sec secret signature key is used to sign the message in message.txt and the output is placed into message.signed. If - is used for the output filename then it is printed verbatim to stdout.
Verifies a signed message relative to its public signature key.
$ tweetnacl-verify sign.pub message.signed message.txt
The sign.pub public signature key is used to verify the signed message in message.signed. If the signature is verified, the message is placed into message.txt and the program exits with successful status 0. If the signature is not verified, an error message is printed to stderr and the program exits with the unsuccessful status 0. If the signature is verified and the message output file is - then the message is printed to stdout.
Encrypting and decrypting:
$ tweetnacl-keypair alice.pub alice.sec
$ tweetnacl-keypair bob.pub bob.sec
$ echo 'Secret message!' > message.txt
$ tweetnacl-encrypt alice.sec bob.pub message.txt secret.enc
$ tweetnacl-decrypt alice.pub bob.sec secret.enc -
Secret message!
Signing and verifying:
$ tweetnacl-sigpair sign.pub sign.sec
$ echo 'Verified message!' > message.txt
$ tweetnacl-sign sign.sec message.txt message.signed
$ tweetnacl-verify sign.pub message.signed -
Verified message!
Only the TweetNaCl portion of this software (tweetnacl.c) was written by professional cryptographers. Use with caution, and the understanding that no professional security audit of this software has been conducted. This software comes with NO WARRANTY.
Please contribute a professional security audit if you are able to.
This software uses TweetNaCl version 20140427.
This software uses the devurandom flavour of the randombytes implementation from NaCl version 20110221.