nenctool --help Usage: nenctool [options] Summary: Copy the file from the first parameter to the second parameter. Encryption, decryption. or re-encryption are the expected purpose. Parameters: source-file-path The path to a file either in native format destination-file-path in 'file' URI scheme or in 'ncbi-file' URI scheme. "ncbi-file" scheme adds a query to the "file" scheme where 'enc' or 'encrypt' means the file is encrypted and 'pwfile=' points to a file to get the password or 'pwfd=' refers to a file descriptor from which to read a password. Options: -f|--force force overwrite of existing files -h|--help Output brief explanation for the program. -V|--version Display the version of the program then quit. -L|--log-level Logging level as number or enum string. One of (fatal|sys|int|err|warn|info) or (0-5) Current/default is warn -v|--verbose Increase the verbosity level of the program. Use multiple times for more verbosity. --report Control program execution environment report generation (if implemented). One of (never|error|always). Default is error ncbi-file uri syntax: 'ncbi-file' uris are based on a combination of the standard 'file' and 'http' syntax familiar to browser users. Enclosing questions marks are probably necessary. URI syntax is 'scheme:'hierarchical-part'?'query'#'fragment' scheme: ncbi-file hierarchical-part: this is the same as for scheme file and can be the native form or the ncbi 'posix' format that matches most flavors of Unix. Environment variables and short hands such as '~' are not interpreted. query: Zero or two symbols separated by the '&'. The whole query can be omitted. enc or encrypt pwfile='path to a file containing a password' pwfd='file descriptor where the password can be read' If the encrypt is present exactly one of the other two must be present. fragment: No fragment is permitted. password contents: The file or file descriptor containing the password is read enough to satisfy the following restriction. The password is terminated by the end of file, a carriage return or a line feed. The length must be no more than 4096 bytes. The password file should have limited read access to protect it. Use examples: To encrypt a create a file named 'example' with a password from a file named 'password-file' to a file named 'example.nenc' all in the current directory: $ nenctool example "ncbi-file:example.nenc?encrypt&pwfile=password-file" To decrypt a file named 'example.nenc' with a password from a file named 'password-file' to a file named 'example' in directories implied in the command: $ nenctool "ncbi-file:/home/user/downloads/example.nenc?encrypt&pwfile=/home/user/password-file" example To change the encryption of a file from one password to another: $ nenctool "ncbi-file:/home/user/downloads/example.nenc?encrypt&pwfile=old-password-file" \ "ncbi-file:example.nenc?encrypt&pwfile=/home/user/new-password-file" nenctool : 2.1.11 ===== More description --report is not supported The nenctool (NCBI Encryption Tool) will encrypt, decrypt or re-encrypt a file in the NCBI encryption format. There are two generations of encrypted format. The tool will only encrypt to the new format but it can decrypt either. There is an ever decreasing need to decrypt files. The ncbi tools are becoming ever more able to work with files that remain encrypted and only decrypt for its needs those portions of the files that they need. This means data remain encrypted for more security when possible. For example an NCBI encrypted database archive file can remain encrypted with fastq extracted only as as needed. The tool does not accept a password on the command line to try to make the password more secure. It should be in a file that can not be read by other users. Ideally password files would also be in a directory that does not allow write permission to other users as well. Such as /home/myusername/.ncbi/.vdbpass where the access mode for .ncbi directory would be 0700 (or 0750). The access mode for the ..vdbpass file should be 0600 to keep the contents secure. Another file such as /home/myusername/.ncbi/.grp.vdbpass could contain a password shared amongst a small secure group. If these two files exist you could encrypt a file as such $ nenctool some-data-run.csra \ "ncbi-file:some-data-run.csra.nenc?encrypt&pwfile=/home/myusername/.ncbi/.vdbpass" This will create the new encrypted file that can be moved around freely with the contents secure. A technician that doesn't need to know the contents could use sister tool nencvalid to examine the integrity of the file without knowing the password and not being able to see the contents. If that file instead needed to be shared with a colleague that didn't know your password but does know a common shared password you could then use $ nenctool \ "ncbi-file:some-data-run.csra.nenc?encrypt&pwfile=/home/myusername/.ncbi/.vdbpass" \ "ncbi-file:shared.some-data-run.csra.nenc?encrypt&pwfile=/home/myusername/.ncbi/.grp.vdbpass" to create a file that both could decrypt but again could be secure from others on the system even if they have access to the file.