Working With the dfcrypt Command Line Utility

The dfcrypt utility provides an alternative to the Sentinel LDK Data Protection utility. dfcrypt enables you to encrypt data files by specifying the relevant information in a command line instead of a graphical user interface.

The utility supports Version 1 and Version 2 data protection modes as follows:

>For Version 1: dfcrypt can be executed only on a Windows machine. To run the utility, you must connect a Vendor key or protection key with the relevant Vendor Code to your machine.

>For Version 2: dfcrypt can be executed on a Windows or Linux machine. To run the utility, you must connect a Vendor key with the relevant Vendor Code to your machine.

The dfcrypt utility is located in the following path:

>For Windows:

%ProgramFiles(x86)%\Thales\Sentinel LDK\VendorTools\VendorSuite\

>For Linux:

\Linux\VendorTools\Envelope\

To encrypt or decrypt data files using dfcrypt, enter the following command:

dfcrypt <options> <source> <destination>

The parameters used in the dfcrypt command line are described in the table that follows.

| Parameter | Description |
| --- | --- |
| options | List of options that indicate the function to be performed by the dfcrypt utility. See the tables of options that follow. |
| source | The file to be read and processed by the utility. To process multiple files, place the files in a directory and specify the name of the directory for this parameter. |
| destination | The file to be generated by the utility. If you specified a directory as the source, specify the name of the directory to contain the generated output. |

The options that determine the function to be performed by the dfcrypt utility are described in the tables that follow. All options for a given execution of dfcrypt must be selected from the same table.

Options for Version 1 Data Protection Mode (Windows)

| Option | Action |
| --- | --- |
| -v:1, --encver:1 | This specifies that the data protection mode is Version 1. |
| -e, --encrypt | dfcrypt reads the source file or directory and generates an encrypted file or a directory of encrypted files. (This is the default action.) |
| -d, --decrypt | dfcrypt reads an encrypted source file or directory and generates an unencrypted file or a directory of unencrypted files. |
| -c:<file>, --vcf:<file> | Name of a Vendor Code file (mandatory). |
| -k:<key>, --key:<key> | The encryption key to be used to encrypt or decrypt data files (mandatory). You must also specify this encryption key in Sentinel LDK Envelope for each protected application that will access the protected data files. The key may contain 1-8 printable characters. If you include special characters, enclose the entire command in quotation marks. For example: "-k:qe4<!r^B" |
| -o, --overwrite | Overwrite destination files, if any. |
| -r, --recursive | Enables recursive handling of all files in all subdirectories contained in the specified source directory. |
| -q, --quiet | Suppresses output by excluding copyright information and the progress indicator. Only error messages are displayed. This is particularly useful in Makefile integration. |

For example:

dfcrypt -v:1 -c:demoma.hvc -k:4873Asdb data.txt data_crypt.txt

Encrypts the file data.txt using the specified Vendor Codes file and encryption key. The encrypted file is written to data_crypt.txt.

dfcrypt --encver:1 --decrypt --recursive --vcf:demomb.hvc --key:4873Asdb myInputs myOutputs

Decrypts all the files in the directory myInputs and in all contained subdirectories, using the specified Vendor Codes file and encryption key. The decrypted files are written to the directory myOutputs.

Options for Version 2 Data Protection Mode (Windows)

| Option | Action |
| --- | --- |
| -v:2, --encver:2 | This specifies that the data protection mode is Version 2. |
| -e, --encrypt | dfcrypt reads the source file or directory and generates an encrypted file or a directory of encrypted files. (This is the only available action. The decrypt action is not available for Version 2.) |
| -c:<file>, --vcf:<file> | Name of a Vendor Code file (mandatory). |
| -k:<key>, --key:<key> | The encryption key to be used to encrypt data files (optional). The key may contain 1-8 printable characters. If you include special characters, enclose the entire command in quotation marks. For example: "-k:qe4<!r^B" If you do not provide a key, each file will be encrypted using a random key. |
| -f:<fid>, --fid:<fid> | The Feature ID to be used to license the data file. (The default Feature ID is 0.) |
| -o, --overwrite | Overwrite destination files, if any. |
| -r, --recursive | Enables recursive handling of all files in all subdirectories contained in the specified source directory. |
| -q, --quiet | Suppresses output by excluding copyright information and the progress indicator. Only error messages are displayed. This is particularly useful in Makefile integration. |

For example:

dfcrypt -v:2 -c:demoma.hvc -f:25 data.txt data_crypt.txt

Encrypts the file data.txt using the specified Vendor Codes file. Feature ID 25 is used to license the file. The encrypted file is written to data_crypt.txt.

dfcrypt --encver:2 --recursive --vcf:demomb.hvc --fid:50 myInputs myOutputs

Encrypts all the files in the directory myInputs and in all contained subdirectories, using the specified Vendor Codes file. Feature ID 50 is used to license all the files. The encrypted files are written to the directory myOutputs.

Options for Version 2 Data Protection Mode (Linux)

| Option | Action |
| --- | --- |
| -c:<file>, --vcf:<file> | Name of a Vendor Code file (mandatory). |
| -k:<key>, --key:<key> | The encryption key to be used to encrypt data files (optional). The key may contain 1-8 printable characters. If you include special characters, enclose the entire command in quotation marks. For example: "-k:qe4<!r^B" If you do not provide a key, each file will be encrypted using a random key. |
| -f:<fid>, --fid:<fid> | The Feature ID to be used to license the data file. (The default Feature ID is 0.) |
| -o, --overwrite | Overwrite destination files, if any. |
| -r, --recursive | Enables recursive handling of all files in all subdirectories contained in the specified source directory. |
| -q, --quiet | Suppresses output by excluding copyright information and the progress indicator. Only error messages are displayed. This is particularly useful in Makefile integration. |

For example:

dfcrypt -c:demoma.hvc --key:1c03m06k -f:25 data.txt data_crypt

Encrypts the file data.txt using the specified Vendor Codes file and the specified encryption key. Feature ID 25 is used to license the file. The encrypted file is written to data_crypt.

dfcrypt --recursive --vcf:demomb.hvc --fid:50 myInputs myOutputs

Encrypts all the files in the directory myInputs and in all contained subdirectories, using the specified Vendor Codes file. A random encryption key is used. Feature ID 50 is used to license all the files. The encrypted files are written to the directory myOutputs.

Source or Destination Files for Linux

If a conflict exists between an option name and the source or destination file name, prefix the file name with --<space> to differentiate it from the option. For example, --key is one of the option names. To specify a source or destination file named --key, specify it as: -- --key
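
The following is an added example, not code from Thales or from the original page: a shell wrapper for build scripts that checks the Version 2 (Linux) rules above (Vendor Code file present, numeric Feature ID, key of 1-8 printable characters) and applies the -- prefix to conflicting file names before calling dfcrypt. The function names are hypothetical, and treating every file name that starts with "-" as a conflict is an assumption.

```sh
#!/bin/sh
# Added example, not Thales code: pre-flight checks for a dfcrypt Version 2
# (Linux) call, using only the rules stated in the option table above.
LC_ALL=C; export LC_ALL

# valid_key KEY: succeeds if KEY is 1-8 printable characters.
valid_key() {
    case $1 in
        '' | *[![:print:]]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# file_arg NAME: print NAME, preceded by a separate "--" argument when NAME
# could be taken for an option (assumption: any name that starts with "-").
file_arg() {
    case $1 in
        -*) printf '%s\n' '--' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# dfcrypt_v2_args VCF FID KEY SRC DST: print the arguments, one per line.
# An empty KEY omits --key, so dfcrypt uses a random key for each file.
dfcrypt_v2_args() {
    vcf=$1 fid=$2 key=$3 src=$4 dst=$5
    [ -f "$vcf" ] || { echo "Vendor Code file not found: $vcf" >&2; return 2; }
    case $fid in
        '' | *[!0-9]*) echo "Feature ID is not a number: $fid" >&2; return 3 ;;
    esac
    if [ -n "$key" ] && ! valid_key "$key"; then
        echo "key must be 1-8 printable characters" >&2; return 4
    fi
    printf '%s\n' '--quiet' "--vcf:$vcf" "--fid:$fid"
    [ -z "$key" ] || printf '%s\n' "--key:$key"
    file_arg "$src"
    file_arg "$dst"
}

# run_dfcrypt_v2 VCF FID KEY SRC DST: validate, then call dfcrypt.
# Assumes no argument contains a newline.
run_dfcrypt_v2() {
    args=$(dfcrypt_v2_args "$@") || return
    old_ifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$old_ifs
    dfcrypt "$@"
}
```

Because each value reaches dfcrypt as its own argument, a key with special characters such as qe4<!r^B needs only ordinary quoting where run_dfcrypt_v2 is called. A key supplied this way is part of the dfcrypt process arguments while the utility runs.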

Display the dfcrypt help screen

Specify one of the following to display the options available for the dfcrypt utility:

dfcrypt -h

dfcrypt --help