<< Click to Display Table of Contents >> Navigation:  Robo-FTP User's Guide > Script Programming > Script Commands > All Script Commands > CMSENCRYPT        Encrypt a file using CMS

 

This script command encrypts and/or digitally signs a file using the CMS format, which is also known as PKCS #7. Files may be decrypted and/or verified using the Robo-FTP CMSDECRYPT script command.

 

To encrypt a file, you must first import the X.509 TLS certificate of the recipient into Robo-FTP. Keys are imported by using the Import Certificate functionality in the Robo-FTP Configurator. All imported certificates are displayed in the Configurator on the TLS Certificates menu.

 

To sign a file, you must first import a TLS PKCS#12 (.pfx) certificate. You must send the public X.509 certificate (.cer or .pem) that corresponds to the one found in the PKCS#12 (.pfx) file and send it to your intended recipient. They will use the X.509 certificate to verify your signature.

 

The /encryptfor and /signwith options are used to specify the certificates used for encrypting and signing. The values passed to these options must be at least partial matches to either the "common name" or "email" fields as displayed in the TLS Certification Details dialog that appears after right clicking a TLS certificate in the TLS Certificates menu and choosing View Certificate Details.  Alternately, you can be more specific in selecting the appropriate certificate by providing both the "common name" and the "email" fields together in the keyspec, as follows: "My common name <[email protected]>".

 

You must specify a certificate with one or both of /encryptfor and /signwith. If there are no certificates specified with /encryptfor, the file will not be encrypted. If there are no certificates specified with /signwith, the file will not be signed. If neither are specified the command will error out.

 

Use the /cipher option to select the cipher used by Robo-FTP to encrypt a file. If left unspecified, the default cipher is AES256.  The available ciphers are: DES3, AES192, AES256, CAMELLIA128, CAMELLIA192, CAMELLIA256.

 

In the example below, a file is encrypted using a X.509 TLS certificate identified by a partial match on the "common name" field. Because no /signwith option is provided, the target file "datafile.txt.cms" does not contain a digital signature.

 

CMSENCRYPT "datafile.txt" "datafile.txt.cms" /encryptfor="Clark Kent"

 

In the following example, a file is encrypted using the same X.509 TLS certificate as above, and additionally, signed with a TLS PKCS#12 certificate identified by a keyspec that matches the "email" field on the latter certificate. The recipient will be able to use the signature to verify the sender.

 

CMSENCRYPT "datafile.txt" "datafile.txt.cms" /encryptfor="Clark Kent" /signwith="[email protected]"

 

In the following example, the file is encrypted and signed using the same certificates in the previous example, but with both keyspecs containing the "common name" and "email" fields found in their respective certificates. This provides for greater specificity when selecting the appropriate certificate:

 

CMSENCRYPT "datafile.txt" "datafile.txt.cms" /encryptfor="Clark Kent <[email protected]>" /signwith="Bruce Wayne <[email protected]>"

 

In the following example, the file is encrypted using the CAMELLIA256 cipher instead of the default AES256 cipher:

 

CMSENCRYPT "datafile.txt" "datafile.txt.cms" /encryptfor="Clark Kent <[email protected]>" /signwith="Bruce Wayne <[email protected]>" /cipher=CAMELLIA256

 

In the following example, the file is not encrypted at all and only signed with the sender's X.509 TLS certificate:

 

CMSENCRYPT "datafile.txt" "datafile.txt.cms /signwith="Bruce Wayne"

 

Related command(s): CMSDECRYPT

See also: TLS Certificates menu, Import Certificate