ltm rule command CRYPTO decrypt
iRule(1) BIG-IP TMSH Manual iRule(1)
CRYPTO::decrypt
Decrypts data.
SYNOPSIS
CRYPTO::decrypt (('-padding' (pkcs | oaep) )
('-alg' ENCRYPT_DECRYPT_ALG)
('-ctx' CONTEXT)
('-final')
(('-key' | '-keyhex') KEY)
(('-iv' | '-ivhex') VECTOR)
)#
(CRYPTO_DATA)?
DESCRIPTION
This iRules command decrypts data.
CRYPTO::decrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex]
<>] []
[-padding <"pkcs" | "oaep">]
* decrypts data based on several parameters
+ alg - algorithm. ASCII string from a given list (see below).
The spelling is lowercase and the iRule will fail for anything
not in the list. In ctx mode, alg must be given in the first
CRYPTO:: command and cannot be modified.
+ ctx - context is the name of a Tcl variable and can only be
generated from and used in CRYPTO commands. Notes:
o Trying to get or set the value of a ctx variable will fail.
o When a CTX variable is first used in an iRule, a Tcl object
will be generated from the given arguments (alg, key, iv,
etc.).
o A given CTX variable can only be used for one
CRYPTO:: command. An
iRule CRYPTO:: command would fail if CTX is reused for a
different purpose. "-final" must be used for the last
CRYPTO:: command for the same CTX variable to finish the
CRYPTO:: command. After "-final" is used, the CTX
variable will be freed and the same ctx variable name can
be reused.
o When a CTX variable already has a key and an IV value
stored in it, the values can only be updated before the CRYPTO
command actually starts, that is, before any data is given.
After the command starts and before it finishes, updating
the key or IV in the CTX would fail.
+ key - key (binary data). Key length is determined by alg used.
Can be generated by CRYPTO::keygen
+ keyhex - key as hex data. Key length is determined by alg
used. Can be generated by CRYPTO::keygen
+ padding - padding technique for asymmetric encryption operations.
The default value is "pkcs".
+ iv - initialization vector (binary data). Length is determined
by alg used. Can be generated by CRYPTO::keygen
+ ivhex - initialization vector as hex data. Length is
determined by alg used. Can be generated by CRYPTO::keygen
Algorithm List
Algorithm      Cipher Name          Block Size (bits)  Key Size (bits)
aes-128-mode   AES-128              128                128
aes-192-mode   AES-192              128                192
aes-256-mode   AES-256              128                256
bf-mode        Blowfish             64                 variable, up to 448
des-mode       DES                  64                 56
des-ede-mode   DES (2 key)          64                 112
des-ede3-mode  DES (3 key)          64                 168
dea-mode       IDEA                 64                 128
rc2-mode       RC2                  64                 variable, 40 to 128
rc4            RC4 (stream cipher)  N/A                variable, up to 2048
Warning
Cryptography is very difficult to get correct. It is easy to create a
system that looks secure but isn't. The CRYPTO::encrypt and
CRYPTO::decrypt commands were designed to provide interoperability
between BIG-IP and 3rd-party software using common cipher algorithms
(AES, Blowfish, DES, etc.).
The CRYPTO:: commands should not be used in an attempt to replace
transport security protocols such as SSL for providing secure
communication between devices. It is the responsibility of the iRule
designer(s) to manage any compositional weaknesses in systems created
using the CRYPTO:: commands.
RETURN VALUE
VALID DURING
EXAMPLES
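The following iRule is an added example, not taken from the F5 manual. It shows the one-shot form next to the ctx/-final lifecycle described above, with errors caught so the rule fails closed. The header name X-Enc-Token, the token layout base64(IV || ciphertext), the "cbc" mode suffix, the placeholder key, and the assumption that each ctx call returns the plaintext it produced are all assumptions of this example.

```tcl
# Added example, not from the F5 manual. Assumptions: header name X-Enc-Token,
# token layout base64(IV || ciphertext), "cbc" as the mode suffix of
# aes-128-mode, and a placeholder key (load real keys from protected storage).
when RULE_INIT {
    set static::tok_keyhex "000102030405060708090a0b0c0d0e0f"
}

when HTTP_REQUEST {
    set raw [HTTP::header value "X-Enc-Token"]
    if { $raw eq "" } { return }

    # Require a 16-byte IV plus at least two 16-byte AES blocks.
    if { [catch { b64decode $raw } blob] || [string length $blob] < 48 } {
        HTTP::respond 400 content "invalid token"
        return
    }
    binary scan $blob a16a* iv ct

    # catch makes the rule fail closed on a bad key, IV or ciphertext
    # instead of aborting with a Tcl error.
    if { [catch {
        # One-shot form: parameters and all data in a single command.
        set plain [CRYPTO::decrypt -alg aes-128-cbc \
            -keyhex $static::tok_keyhex -iv $iv $ct]

        # Context form, for data that arrives in pieces: -alg, key and IV go
        # on the first command that names the context; -final on the last
        # command frees it. Assumed: each call returns the plaintext it produced.
        set streamed [CRYPTO::decrypt -alg aes-128-cbc -ctx tokctx \
            -keyhex $static::tok_keyhex -iv $iv [string range $ct 0 15]]
        append streamed [CRYPTO::decrypt -ctx tokctx -final [string range $ct 16 end]]
    } err] } {
        log local0. "token decrypt failed for [IP::client_addr]: $err"
        HTTP::respond 400 content "invalid token"
        return
    }

    # CBC carries no integrity check: treat $plain as untrusted input and
    # do not forward the client-supplied token upstream.
    HTTP::header remove "X-Enc-Token"
    HTTP::header insert "X-Token-Len" [string length $plain]
}
```

The context name tokctx is passed as a bare variable name, not as $tokctx, because reading or setting a ctx variable's value fails.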
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)