Using AES Crypt Command-Line Program

The AES Crypt command-line program is available on Windows, Mac, and Linux.

You do not need to be an expert to use the AES Crypt command-line program to securely encrypt your data files. To encrypt a file, you simply enter the "aescrypt" command with the appropriate command-line arguments.

Before getting started, you will need to install the AES Crypt command-line tool. For Windows, you can download a .zip file containing the program. You can place the "aescrypt.exe" program anywhere you wish, though it makes sense that it would be in a directory included in your PATH environment variable. For both Mac and Linux, download the .tgz file and place the contents in /usr/local. For example, the AES Crypt executable should be placed in /usr/local/bin. The man page should be placed in /usr/local/man/man1/.

Suppose you have a file called "picture.jpg" that you would like to encrypt using the password "apples". You would enter the following command:

CLI Example

aescrypt -e -p apples picture.jpg

That's it! The program will create a file with the name "picture.jpg.aes".

You may also specify multiple files to encrypt on the command-line. Each will be encrypted with the same password.

When you want to later decrypt the file "picture.jpg.aes", you would enter the following command:

CLI Example

aescrypt -d -p apples picture.jpg.aes

The program will create the file "picture.jpg", containing the contents of the original file before it was encrypted.

It can't be any simpler than that!

Many users create sophisticated scripts that pipe input from one program into another, and AES Crypt fully supports such usage. For example, you could back up files and encrypt them with a command like this (on Linux or Mac):

CLI Example

tar -cvf - /home | aescrypt -e -p apples -o - - >backup_files.tar.aes

Windows also supports the same syntax, but "tar" is not generally available on Windows. Nonetheless, the output of any tool that writes to stdout can be consumed by AES Crypt.

In all of the examples above, the password is provided on the command line. Since there are certain risks associated with that kind of usage, it may be preferred to let AES Crypt prompt you to enter the password. This can be accomplished simply by not including the -p parameter, like this:

CLI Example

aescrypt -d picture.jpg.aes

AES Crypt will prompt you for the password, but what you enter will not be displayed on the screen.

What if you want to decrypt a file, but just want to have it displayed on the screen and not stored in a plaintext file? That's possible. To do that, just use this syntax:

CLI Example

aescrypt -d -o - passwords.txt.aes

The AES Crypt command-line program has the ability to create and use an encryption key file. This makes automated backups and other system administration tasks more secure when one needs to provide a password but would prefer not to have it appear on the command line. To use a key file, first create a key file like this:

CLI Example

aescrypt -g -k secret.key

Place the file "secret.key" somewhere secure. Then when you wish to encrypt a file, you call AES Crypt like this:

CLI Example

tar -czvf - /home | aescrypt -e -k secret.key -o - - >backup_files.tgz.aes

Be sure to provide the full pathname to the key file.

For those who are curious, the key file is nothing more than a UTF-16 or UTF-8 text file containing randomly-generated text that serves as a password. You may also manually create a file with a text editor. If you use UTF-16 as the file format, be sure the file includes the byte order mark, as that will be consumed by AES Crypt to determine the proper byte order.
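If you create key files by hand, a check like the following catches the missing byte order mark described above before the file is used for a backup. It is an added example, not part of AES Crypt; the function names are hypothetical, and it assumes that a file without a BOM is meant to be UTF-8 and that "somewhere secure" means readable by the owner only.

```python
import codecs
import os
import stat
import tempfile

# Byte order marks mapped to the codec for the text that follows them.
BOMS = {codecs.BOM_UTF8: "utf-8", codecs.BOM_UTF16_LE: "utf-16-le",
        codecs.BOM_UTF16_BE: "utf-16-be"}

def inspect_key_file(path):
    """Return (encoding, problems) for an AES Crypt key file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    problems = []
    encoding, body = "utf-8", raw  # assumption: no BOM means UTF-8
    for bom, name in BOMS.items():
        if raw.startswith(bom):
            encoding, body = name, raw[len(bom):]
            break
    else:
        if b"\x00" in raw:  # typical of UTF-16 saved without its BOM
            problems.append("NUL bytes but no BOM: UTF-16 without byte order mark?")
    try:
        if not body.decode(encoding).strip():
            problems.append("key file contains no text")
    except UnicodeDecodeError:
        problems.append("contents do not decode as " + encoding)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append("mode %o lets group/other users access the key" % mode)
    return encoding, problems

def demo():
    text = "constructed-sample-key"  # constructed sample, not a real key
    samples = {"utf8.key": text.encode("utf-8"),
               "utf16_bom.key": codecs.BOM_UTF16_LE + text.encode("utf-16-le"),
               "utf16_nobom.key": text.encode("utf-16-le")}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o600)  # owner-only, as a key file should be
            results[name] = inspect_key_file(path)
    return results

if __name__ == "__main__":
    print(demo())
```

Run it against a real key file with `inspect_key_file("/full/path/to/secret.key")`; an empty problem list means the file has a recognizable encoding and is not accessible to other users.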