.IR output ]
.RI [ file ]
.br
-.B encode
+.B decode
.RB [ \-f
.IR format ]
.RB [ \-b
Algorithms to be used with a particular key are described by attributes
on the key, or its type. The
.B catcrypt
-command deals with both signing and key-encapsulation keys.
+command deals with both signing and key-encapsulation keys. (Note that
+.B catcrypt
+uses signing keys in the same way as
+.BR catsign (1).)
.SS "Key-encapsulation keys"
(Key encapsulation is a means of transmitting a short, known, random
secret to a recipient. It differs from encryption in technical ways
The following options are recognized.
.TP
.B "\-a, \-\-armour"
-Read ASCII-armoured output. This is equivalent to specifying
+Read ASCII-armoured input. This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
+.B "\-b, \-\-buffer"
+Buffer plaintext data until we're sure we've got it all. This is forced
+on if output is to stdout, but is always available as an option.
+.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
Major problems cause the program to write a diagnostic to standard error
and exit nonzero as usual. The quantity of output varies depending on
the verbosity level and whether the plaintext is also being written to
-standard output. Output lines begin with a keyword.:
+standard output. Output lines begin with a keyword:
.TP
.BI "FAIL " reason
An error prevented decryption. The program will exit nonzero.
.B "DATA"
The plaintext follows, starting just after the next newline character or
sequence. This is only produced if main output is being sent to
-standard output. If anything goes wrong, a
-.B FAIL
-message is printed, preceded and followed by a newline, and the program
-exits nonzero.
+standard output.
.TP
.BI "INFO " note
Any other information.
All messages.
.PP
.B Warning!
-All output written has been checked for authenticity. However, since
-the input is chunked, a chunk will be checked and written before the
-authenticity of following chunks is established. Don't rely on the
-output being complete until
+All output written has been checked for authenticity. However, output
+can fail madway through for many reasons, and the resulting message may
+therefore be truncated. Don't rely on the output being complete until
+.B OK is printed or
.B catcrypt decrypt
-prints
-.B OK
-and/or exits successfully.
+exits successfully.
.SS "encode"
The
.B encode
That's it. Nothing terribly controversial, really.
.SH "SEE ALSO"
.BR key (1),
+.BR catsign (1),
.BR dsig (1),
.BR hashsum (1),
.BR keyring (5).