HOWTO: Run the XENC (“zinc”) utility




This step assumes that you have successfully installed the SKS server and its components, as well as installed the Symmetric Key Client Library (SKCL). If not, please finish that before continuing with this step. It also assumes that you have downloaded the StrongKey distribution and extracted it into a directory called /usr/tmp. If you have extracted the distribution in a different directory, substitute that directory for /usr/tmp.

Windows users should use the back-slash (\) instead of the forward-slash (/) in these commands.




1

From a Command Prompt (or shell window in Linux) create a temporary directory called /usr/tmp/sktest using

mkdir /usr/tmp/sktest

2

In the same shell (terminal) / Command Prompt window, change directory to the /usr/local/etc/symkey/skcl directory using

cd /usr/local/etc/symkey/skcl

3

On Linux, copy a few publicly readable files into the /usr/tmp/sktest directory; make sure the set includes both binary and text files. For example, /etc/services, /etc/group, /bin/date and /usr/bin/dir are a good set of files to use.



cp /etc/hosts /usr/tmp/sktest
cp /etc/services /usr/tmp/sktest
cp /etc/networks /usr/tmp/sktest

Windows users should use the following commands:

copy c:\windows\system32\drivers\etc\hosts c:\usr\tmp\sktest
copy c:\windows\system32\drivers\etc\services c:\usr\tmp\sktest
copy c:\windows\system32\drivers\etc\networks c:\usr\tmp\sktest

4

Encrypt a file using the following (it assumes that $JAVA_HOME/bin is in your execution path):

java -jar xenc.jar -e -f /usr/tmp/sktest/services



You will see output related to the initialization of the tool, the SKCL, the request for a symmetric key, and finally, a message indicating that the file was encrypted successfully. The encrypted file (also called the ciphertext) is written with the extension “.xenc” appended to the original name.

5

Rename the /usr/tmp/sktest/services file to /usr/tmp/sktest/services.original temporarily using the following (note that xenc does not delete the original “plaintext” file; if you want it removed after encryption, you must delete it yourself):

mv /usr/tmp/sktest/services /usr/tmp/sktest/services.original

Windows users should use

ren c:\usr\tmp\sktest\services services.original

6

Decrypt the encrypted file using the following

java -jar xenc.jar -d -f /usr/tmp/sktest/services.xenc



You will see output related to the process and finally, a message indicating that the file was decrypted successfully. The decrypted file (also called the plaintext) has the name of the encrypted file without the “.xenc” extension.

7

Compare the files services and services.original using the following (on Linux)

diff /usr/tmp/sktest/services /usr/tmp/sktest/services.original



It should produce no output message if the files are identical.

Windows users may use the “dir” command to compare file-sizes. Opening the documents in WordPad will also provide visual confirmation.

8

Delete the services.original and services.xenc files using the following:

rm /usr/tmp/sktest/services.original /usr/tmp/sktest/services.xenc



Windows users should use

del c:\usr\tmp\sktest\services.original c:\usr\tmp\sktest\services.xenc

9

Encrypt an entire directory of files using the following:

java -jar xenc.jar -e -d /usr/tmp/sktest



You will see output related to the initialization of the tool, the SKCL, the request for one or more symmetric keys, and finally, a message indicating that the file(s) were encrypted successfully. Each encrypted file is written with the extension “.xenc” appended to its name.

10

Rename the original plaintext files temporarily, using the following:

mv /usr/tmp/sktest/hosts /usr/tmp/sktest/hosts.0
mv /usr/tmp/sktest/networks /usr/tmp/sktest/networks.0
mv /usr/tmp/sktest/services /usr/tmp/sktest/services.0

11

Decrypt all encrypted files in the directory using the following

java -jar xenc.jar -d -d /usr/tmp/sktest



You will see output related to the process and finally, a message indicating that the file(s) were decrypted successfully. Each decrypted file has the name of the encrypted file without the “.xenc” extension.

12

Compare the decrypted files visually using the following (on Linux):

ls -ltr /usr/tmp/sktest



You will see the files, their sizes, time-stamps, etc., and can visually determine that the size of each decrypted file matches that of its “.0” copy (for example, date and date.0 if you copied /bin/date in step 3). You can also run diff on each pair to confirm that the binary files are identical byte for byte; diff prints nothing when the files match.
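Comparing sizes in ls -ltr only shows that nothing was lost, not that every byte came back. The script below is an added example, not part of the StrongKey distribution: it automates steps 4 through 12 and verifies each decrypted file by SHA-256 against a digest taken before encryption. It assumes xenc.jar sits in /usr/local/etc/symkey/skcl and accepts the flags used in the steps above (-e or -d together with -f FILE or -d DIR), writes FILE.xenc on encryption and FILE on decryption, and never deletes the plaintext itself; the XENC_CMD and default directory are assumptions you may need to adjust.

```python
"""Added example (not from the StrongKey distribution): run the single-file
and directory round trip from the HOWTO and verify every decrypted file by
SHA-256 rather than by eyeballing sizes in `ls -ltr`."""
import hashlib
import subprocess
import sys
from pathlib import Path

# Assumption: xenc.jar lives in the skcl directory and takes the flags shown
# in the HOWTO (-e/-d with -f FILE, or -e/-d with -d DIR).
XENC_CMD = ["java", "-jar", "/usr/local/etc/symkey/skcl/xenc.jar"]


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map file name -> SHA-256 for every regular file in a directory."""
    return {p.name: sha256_file(p) for p in Path(directory).iterdir() if p.is_file()}


def compare_snapshots(before, after):
    """Names whose digest changed, or that are missing, after decryption."""
    return sorted(name for name, digest in before.items() if after.get(name) != digest)


def xenc(*args):
    """Invoke the tool; a non-zero exit raises so a failure is never silent."""
    subprocess.run(XENC_CMD + list(args), check=True)


def roundtrip_file(path):
    """Steps 4-8: encrypt, set the plaintext aside, decrypt, compare, clean up."""
    path = Path(path)
    before = sha256_file(path)
    xenc("-e", "-f", str(path))                 # writes path.xenc, keeps path
    original = path.with_name(path.name + ".original")
    path.rename(original)
    xenc("-d", "-f", str(path) + ".xenc")       # writes path back
    ok = sha256_file(path) == before
    if ok:                                      # only clean up when verified
        original.unlink()
        Path(str(path) + ".xenc").unlink()
    return ok


def roundtrip_dir(directory):
    """Steps 9-12 for every file in a directory; returns the mismatched names."""
    directory = Path(directory)
    before = snapshot(directory)
    xenc("-e", "-d", str(directory))
    for name in before:                          # step 10: set originals aside
        (directory / name).rename(directory / (name + ".0"))
    xenc("-d", "-d", str(directory))
    return compare_snapshots(before, snapshot(directory))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/tmp/sktest"  # assumed default
    bad = roundtrip_dir(target)
    print("all files round-tripped intact" if not bad else f"MISMATCH: {bad}")
```

Run it as python3 verify_xenc.py /usr/tmp/sktest from a shell where java is on the path; it exits normally and prints the mismatched names, if any, so it can also be dropped into a scripted acceptance check after an SKS upgrade.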

13

Finally, to test the database encryption capability of xenc, open a second shell window (terminal) and log into the MySQL database using the mysql client utility, as follows (supply the password you created for the xenc user during the MySQL installation process; it should be “xenc” if you followed our suggestion):

mysql -u xenc -p xenc



You should see the mysql> prompt.

14

Read the content from the customers table, using the following:

select * from customers;



You should see the following:

+-----+--------+-------+-----------+------------------+------------+------------+----------------+----------------+------+
| cid | fname | lname | ssn | ccn | ssn_sha256 | ccn_sha384 | ssn_ciphertext | ccn_ciphertext | gkid |
+-----+--------+-------+-----------+------------------+------------+------------+----------------+----------------+------+
| 1 | John | Galt | 123456789 | 1111222233334444 | NULL | NULL | NULL | NULL | NULL |
| 2 | Howard | Roark | 234567890 | 2222333344445555 | NULL | NULL | NULL | NULL | NULL |
| 3 | Ayn | Rand | 345678901 | 3333444455556666 | NULL | NULL | NULL | NULL | NULL |
+-----+--------+-------+-----------+------------------+------------+------------+----------------+----------------+------+

15

Switching to the other shell window, run the xenc utility to encrypt the SSN column (make sure you are in the /usr/local/etc/symkey/skcl directory when you do this):

java -jar xenc.jar -e -db xdc.xml

16
You will see output related to the initialization of the tool, the SKCL, the request for one or more symmetric keys, and finally, a message indicating that the cryptographic operation was a success.

17

Switch to the other shell window and execute the same SQL command from step 14:

select * from customers;



This time you should see output that resembles the following (your actual content will be different because of the nature of encryption):

+-----+--------+-------+-----------+------------------+----------------------------------------------+------------+--------------------------+----------------+------+
| cid | fname | lname | ssn | ccn | ssn_sha256 | ccn_sha384 | ssn_ciphertext | ccn_ciphertext | gkid |
+-----+--------+-------+-----------+------------------+----------------------------------------------+------------+--------------------------+----------------+------+
| 1 | John | Galt | 123456789 | 1111222233334444 | FeKw08M4keuw8e9gnsQZQgwg4yDOlMZfvIwzEkSOsiU= | NULL | WWXbc+LeetSl97wCPkUuhA== | NULL | 2-1 |
| 2 | Howard | Roark | 234567890 | 2222333344445555 | qZLh0/Wl20X8DRprCaIH2rMcKuqiyLdyX/qNGB8nQMY= | NULL | Z5P98OhIb5IIp6Nn4iCa0Q== | NULL | 2-2 |
| 3 | Ayn | Rand | 345678901 | 3333444455556666 | 0DstA8tvql8ZY3l3eN8wQjpD4rqNSDcMPOyLDUuxvhc= | NULL | jxEhLg1tc5yBD8aBh1glcw== | NULL | 2-2 |
+-----+--------+-------+-----------+------------------+----------------------------------------------+------------+--------------------------+----------------+------+
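The ssn_sha256 column is worth checking rather than taking on faith. The snippet below is an added example, not part of the StrongKey distribution: it takes the three rows shown in the table above (constructed here as a Python list) and tests whether each stored value is the base64 encoding of the SHA-256 digest of that row's plaintext SSN. For row 1 this is exactly what the table shows; the check function is generic, so you can paste rows from your own output into ROWS.

```python
"""Added example (not from the StrongKey distribution): confirm that the
ssn_sha256 values written by xenc are base64(SHA-256(ssn)) for the rows
shown in step 17 of the HOWTO."""
import base64
import hashlib

# Constructed from the step-17 table: (cid, ssn, ssn_sha256)
ROWS = [
    (1, "123456789", "FeKw08M4keuw8e9gnsQZQgwg4yDOlMZfvIwzEkSOsiU="),
    (2, "234567890", "qZLh0/Wl20X8DRprCaIH2rMcKuqiyLdyX/qNGB8nQMY="),
    (3, "345678901", "0DstA8tvql8ZY3l3eN8wQjpD4rqNSDcMPOyLDUuxvhc="),
]


def sha256_b64(text):
    """Base64 of the raw SHA-256 digest of an ASCII string (44 characters)."""
    return base64.b64encode(hashlib.sha256(text.encode("ascii")).digest()).decode("ascii")


def check_hash_column(rows):
    """Map cid -> True when the stored ssn_sha256 equals sha256_b64(ssn)."""
    return {cid: sha256_b64(ssn) == stored for cid, ssn, stored in rows}


if __name__ == "__main__":
    for cid, ok in check_hash_column(ROWS).items():
        print(f"cid {cid}: {'match' if ok else 'MISMATCH'}")
```

Because the digest is computed deterministically from the plaintext alone, two customers with the same SSN would get the same ssn_sha256 value; that is what makes an equality lookup possible once the plaintext column is cleared in step 19, and it is also why the column should be protected with the same access controls as the plaintext it was derived from.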

18

Select the SSN column separately to view the original content, using the following:

select ssn from customers;



You should see the following:

+-----------+
| ssn |
+-----------+
| 123456789 |
| 234567890 |
| 345678901 |
+-----------+

19

Now delete the Social Security Numbers from the customers table, using the following:

update customers set ssn = '';



Note that the value being set is empty: two single-quotes with nothing between them.

20

View the updated column to confirm that it is now empty, using the following:

select ssn from customers;



You should see the following:

+-----+
| ssn |
+-----+
| |
| |
| |
+-----+

21

Now run the decryption process using the following:

java -jar xenc.jar -d -db xdc.xml



You will see output related to the process and finally, a message indicating success.

22

Switch to the other shell window and execute the following SQL command:

select ssn from customers;



You should see the following:

+-----------+
| ssn |
+-----------+
| 123456789 |
| 234567890 |
| 345678901 |
+-----------+


Exit from the mysql utility using quit;


You have now successfully tested the xenc utility. You can read more about the utility on this website, in the Resources->Documentation->Utilities section.