====== Decrypt an encrypted image ======

===== Synopsis =====

  imgdecrypt [--name ] [--timeout ] [--keep]

===== Examples =====

=== Decrypt and boot an encrypted Linux kernel ===

  imgdecrypt http://192.168.0.1/vmlinuz.dat http://129.168.0.1/vmlinuz.env
  boot vmlinuz

===== Description =====

Decrypts an encrypted image using the specified encryption envelope, using a private key embedded into the iPXE binary at build time.

A name for the decrypted image can be specified using the ''%%--name%%'' option. If no name is specified, then a default name will be constructed by stripping any suffix (such as ''.dat'').

A download progress timeout can be specified (in milliseconds) using the ''%%--timeout%%'' option.

The envelope image will be automatically discarded unless the ''%%--keep%%'' option is specified.

===== Command status =====

^ Success | The image was successfully decrypted |
^ Failure | The image was not successfully decrypted |

===== See also =====

  * ''[[:cmd:imgverify]]''
  * ''[[:cmd:certstore]]''
  * iPXE [[:crypto|cryptography]] guide
  * [[:cmd|List of all iPXE commands]]

===== Build options =====

This command is available only when the build option ''[[:buildcfg:IMAGE_CRYPT_CMD]]'' is enabled.

===== Notes =====

The envelope file may be in PEM or DER format.

The private key must be embedded into the iPXE binary at build time using the ''PRIVKEY=...'' build parameter as described in the iPXE [[:crypto|cryptography guide]].

The certificate corresponding to the private key must either be embedded into the iPXE binary at build time using the ''CERT=...'' build parameter, or obtained at runtime using the ''[[:cmd:certstore]]'' command.

The iPXE [[:crypto|cryptography guide]] demonstrates the process of creating an encrypted image and the corresponding encryption envelope.
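
The options and command status described above, combined into one boot script that stops instead of booting when decryption fails. This is an added example, not taken from the iPXE documentation; the ''base'' variable, the label names and the assumption that both files are served from one host are illustrative.

```ipxe
#!ipxe
# Added example (constructed): "base" and the labels are illustrative names.
# Assumes the encrypted data and its envelope are served from the same host.
set base http://192.168.0.1

# Decrypt with an explicit image name and a 5000 ms download progress timeout.
# --keep retains the envelope image instead of discarding it automatically.
# A failure status jumps to the error handler, so nothing is booted.
imgdecrypt --name vmlinuz --timeout 5000 --keep ${base}/vmlinuz.dat ${base}/vmlinuz.env || goto decrypt_failed

# List the registered images: the decrypted kernel and the kept envelope.
imgstat

# Discard the kept envelope once it has been inspected.
# Assumption: the envelope image takes its default name from the URI.
imgfree vmlinuz.env

boot vmlinuz || goto boot_failed

:decrypt_failed
echo Decryption failed: check the embedded private key, certificate and envelope
exit 1

:boot_failed
echo Boot of decrypted image failed
exit 1
```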