claes - Man Page

conventional encryption tool interoperating with gpg and openssl


claes [-debug] [-cms | -openssl [-128]] [OPTION] [FILE | -]


claes encrypts or decrypts data in OpenPGP format, CMS format and OPENSSL format using files or standard input with a passphrase-based AES cipher. If no FILE or "-" is given, data is read from standard input.  The size of any input data is limited to 150 MByte.  The default mode of operation is encryption with the ciphertext stored base64-encoded in the OpenPGP format.  To decrypt base64-encoded or binary input data the option "-decrypt" must be used.

All input data is processed AS IS and is treated internally as binary data with no changes. For every encryption or decryption a user-provided passphrase is read from the terminal in which claes is run. So claes always works interactively. There is deliberately no public-key-cryptography build into claes. If you need those, please use clrsa and clkeys.



display this help and exit


output version information and exit


print debugging information to stderr


produce CMS enveloped and encrypted data instead of OpenPGP (default)


produce encrypted data using pbkdf2 in openssl format


forces the use of 128 bit AES keys in conjunction with -opensslbr (256 bits is the default)


decrypts an encrypted message (default is encrypt)


Full documentation <>    

This program depends on two packages providing the cryptlib shared object library and the python3-bindings to this library.

You can download both packages in RPM or DEB format at

Using FEDORA you can install the packages cryptlib and cryptlib-python3 directly from the repository.

In addition the program /bin/systemd-ask-password is needed to read sensible data from stdin. This program is part of the systemd package.



Without any options claes produces OpenPGP (base64-encoded) encrypted messages using AES-128. It can decrypt any messages (ascii or binary) produced by GnuPG with the following ciphers: AES, AES192, AES256, 3DES and CAST-128.


In OpenSSL mode claes writes (base64-encoded) encrypted messages in the proprietary OpenSSL format using AES256 as the default.

These messages can be decrypted with openssl :br      openssl aes-256-cbc -pbkdf2 -d -a -in FILE.asc

The use of AES-128 can be forced by the additional option -128 both for encryption or decryption of OpenSSL messages.


In CMS mode claes produces PKCS#7 formated (base64-encoded) enveloped and encrypted messages.



This program is used to provide the passphrase based on a user's input.


The cryptlib library.


Bindings to the cryptlib library used by python3.


Please report bugs to


claes is written by Ralf Senderek <>.
Cryptlib is written and maintained by Peter Gutmann <>

See Also

cryptlib, clrsa, clkeys


June 2022 Cryptlib Tools