The ice and deice applications


ice [ -CDNZ ] [ -p passwd ] [ -l level ] [ file ... ]

deice [ -CNZ ] [ -p passwd ] [ -l level ] [ file ... ]


ice and deice are programs for encrypting and decrypting files using the ICE (Information Concealment Engine) encryption algorithm. The data is encrypted in Cipher Block Chaining (CBC) mode, with an initialization vector by default obtained from the gettimeofday(2) function.

The ICE encryption algorithm allows key lengths of any multiple of 64 bits by specifying the encryption level. Specifying a level greater than 1 allows long passwords, and correspondingly higher security. The drawback is slower encryption.

This program only uses the lower 7 bits from each character in the password, so the first 10 characters are significant when using levels 0 or 1. For higher levels n, the key size is 64n, so the useful password length will be (64n + 6)/7. Short passwords will be padded out with zeroes.

The deice program is typically a symbolic link to the ice executable, since the program automatically uses decrypt mode if the name of the executable begins with the characters "de".

When encrypting, a new file will be created with a .ice suffix, and the original file deleted. Before deletion, the original file is overwritten with zeroes to minimize the chance that the data remains in the filesystem. Where possible the new file will have the same permissions as the original. If no files are specified, data will be read from standard input.

For decryption, the files must have a .ice suffix, or there must be a for every file. The program will check that the data is ICE-encrypted, but it will give no indication as to whether the correct password is being used, so beware.

The encrypted file format contains "ice" as the first three characters, followed the value of the character "0" added to the ICE level being used. The next eight bytes contain the initialization vector, followed by the actual encrypted data. This information, plus padding of the last block, will increase the file size by between 13 and 20 bytes.


Send encrypted/decrypted output to standard output.

Decrypt the data. This is the default in deice.

Do not ask for confirmation of the password when an interactive password is required. By default, the user has to type the password twice.

Use a zero initializing vector. Only useful if identical files have to encrypt identically. The initializing vector is otherwise set from time of day information. In the case of decryption the vector is read from the data anyway, so this flag is ignored.

-p password
The password used to encrypt/decrypt the data. If this is set, no interactive password is required. This password is zeroed out at the first opportunity to prevent it appearing in the process table.

-l level
The ICE level used to encrypt the data. Defaults to 1. This is ignored during decryption, since the level information is stored in the data.


The following command will encrypt the file foo, and store the result in The user will be prompted twice for a password, which will have the first 10 of its characters used.

ice foo

The next example will encrypt the same file with a command-line password using level 2 ICE.

ice -l2 -p"The first 19 charac" foo

The resulting file can be decrypted with

deice -p"The first 19 charac"


This application was written by Matthew Kwan, who can usually be reached at