Decrypt an encrypted image

Synopsis

  imgdecrypt [--name <name>] [--timeout <timeout>] [--keep]
             <uri|image> <envelope uri|image>

Examples

Decrypt and boot an encrypted Linux kernel

  imgdecrypt http://192.168.0.1/vmlinuz.dat http://129.168.0.1/vmlinuz.env
  boot vmlinuz

Description

Decrypts an encrypted image using the specified encryption envelope and a private key embedded into the iPXE binary at build time.

A name for the decrypted image can be specified using the --name option. If no name is specified, then a default name will be constructed by stripping any suffix (such as .dat).

A download progress timeout can be specified (in milliseconds) using the --timeout option.

The envelope image will be automatically discarded unless the --keep option is specified.

Command status

  Success   The image was successfully decrypted
  Failure   The image was not successfully decrypted

Build options

This command is available only when the build option IMAGE_CRYPT_CMD is enabled.

Notes

The envelope file may be in PEM or DER format.

The private key must be embedded into the iPXE binary at build time using the PRIVKEY=… build parameter as described in the iPXE cryptography guide.

The certificate corresponding to the private key must either be embedded into the iPXE binary at build time using the CERT=… build parameter, or obtained at runtime using the certstore command.

The iPXE cryptography guide demonstrates the process of creating an encrypted image and the corresponding encryption envelope.
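An iPXE boot script tying the notes above together, added here as an example rather than taken from the iPXE documentation: it obtains the certificate at runtime with certstore instead of the CERT=… build parameter, then decrypts and boots with explicit --name and --timeout values. The server address is the one from the example above; the file names boot.crt, vmlinuz.dat and vmlinuz.env are assumed.

```ipxe
#!ipxe
# Assumed layout: a single HTTP server (192.168.0.1, as in the example
# above) serving the certificate boot.crt that matches the private key
# embedded at build time, plus the encrypted image and its envelope.

# Load the certificate at runtime (the alternative to baking it in with
# CERT=... at build time); bail out to the error handler on failure.
certstore http://192.168.0.1/boot.crt || goto failed

# Decrypt with an explicit image name and a 10 s (10000 ms) download
# progress timeout. Without --keep the envelope image is discarded once
# decryption completes, so only "vmlinuz" remains in the image list.
imgdecrypt --name vmlinuz --timeout 10000 http://192.168.0.1/vmlinuz.dat http://192.168.0.1/vmlinuz.env || goto failed

# Boot the decrypted image; a successful boot never returns here.
boot vmlinuz || goto failed

:failed
echo Certificate fetch, decryption or boot failed
shell
```

Without --name, imgdecrypt would have named the result "vmlinuz" anyway by stripping the .dat suffix; the option is shown so that the name used by boot does not depend on the download URI.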