.IR output ]
.RI [ file ]
.br
-.B encode
+.B decode
.RB [ \-f
.IR format ]
.RB [ \-b
Algorithms to be used with a particular key are described by attributes
on the key, or its type. The
.B catcrypt
-command deals with both signing and key-encapsulation keys.
+command deals with both signing and key-encapsulation keys. (Note that
+.B catcrypt
+uses signing keys in the same way as
+.BR catsign (1).)
.SS "Key-encapsulation keys"
(Key encapsulation is a means of transmitting a short, known, random
secret to a recipient. It differs from encryption in technical ways
.TP
.B ec
This is the elliptic-curve analogue of
-.BR dh . Use the
+.BR dh .
+Use the
.B ec
algorithm of the
.BR key (1))
attribute then the
.I hash
in the
-.I kemalgspec is used; if that is absent then the default of
+.I kemalgspec
+is used; if that is absent then the default of
.B rmd160
is used. Run
.B catcrypt show hash
The following options are recognized.
.TP
.B "\-a, \-\-armour"
-Read ASCII-armoured output. This is equivalent to specifying
+Read ASCII-armoured input. This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
+.B "\-b, \-\-buffer"
+Buffer plaintext data until we're sure we've got it all. This is forced
+on if output is to stdout, but is always available as an option.
+.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
Major problems cause the program to write a diagnostic to standard error
and exit nonzero as usual. The quantity of output varies depending on
the verbosity level and whether the plaintext is also being written to
-standard output. Output lines begin with a keyword.:
+standard output. Output lines begin with a keyword:
.TP
.BI "FAIL " reason
An error prevented decryption. The program will exit nonzero.
.TP
.B "DATA"
The plaintext follows, starting just after the next newline character or
-sequence. This is only produced if main output is being sent to
-standard output. If anything goes wrong, a
-.B FAIL
-message is printed, preceded and followed by a newline, and the program
-exits nonzero.
+sequence. This is only produced if main output is also being sent to
+standard output.
.TP
.BI "INFO " note
Any other information.
All messages.
.PP
.B Warning!
-All output written has been checked for authenticity. However, since
-the input is chunked, a chunk will be checked and written before the
-authenticity of following chunks is established. Don't rely on the
-output being complete until
+All output written has been checked for authenticity. However, output
+can fail madway through for many reasons, and the resulting message may
+therefore be truncated. Don't rely on the output being complete until
+.B OK is printed or
.B catcrypt decrypt
-prints
-.B OK
-and/or exits successfully.
+exits successfully.
.SS "encode"
The
.B encode
That's it. Nothing terribly controversial, really.
.SH "SEE ALSO"
.BR key (1),
+.BR catsign (1),
.BR dsig (1),
.BR hashsum (1),
.BR keyring (5).