Best practices

Using an encryption private key instead of a password

Passwords have been the standard for decades, but they are far from perfect. Most people are bad at generating and remembering passwords, which leads to weak passwords and password reuse. These insecure practices significantly reduce the security of password-based encryption.
Therefore, if you struggle with passwords, you should consider using an encryption private key to encrypt your files rather than a password. This means you only have to remember one password to protect your private key.
Always use a strong password and back up your .private key file to external storage (e.g. memory sticks).

Choosing strong passwords

  1. Download a free and open source password manager. I recommend Bitwarden or KeePassXC.
  2. If you do not intend to memorise the password, then randomly generate 25+ character passwords that contain lowercase letters, uppercase letters, numbers, and symbols using your password manager.
  3. If you want to memorise a password, then I recommend generating a random passphrase containing 8+ words. Each word must be drawn at random from a large word list rather than picked by you, otherwise the passphrase is far weaker than its length suggests. You can let Kryptor do this for you, as explained here.
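The two generation rules above (25+ random characters from all four character classes, or 8+ random words) as a worked example. This is an added illustration, not Kryptor's own passphrase generator or code from this project: it uses Python's `secrets` module (the OS CSPRNG), a small constructed word list as a stand-in for a real list, and reports the entropy each choice gives so you can see why the page asks for those minimums.

```python
import math
import secrets
import string

# Alphabet matching the page's recommendation for generated passwords:
# lowercase, uppercase, digits and symbols (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list. For genuine passphrases use a
# large published list such as the EFF long word list (7776 words, about
# 12.9 bits per word); the entropy functions below accept any list size.
SAMPLE_WORDS = [
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]


def has_all_classes(candidate: str) -> bool:
    """True if the string contains lower, upper, digit and symbol characters."""
    return (
        any(c.islower() for c in candidate)
        and any(c.isupper() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c in string.punctuation for c in candidate)
    )


def generate_password(length: int = 25) -> str:
    """Random password drawn from the OS CSPRNG, 25+ characters.

    Candidates missing a character class are rejected and redrawn; at this
    length that costs a negligible amount of entropy but guarantees the
    output meets the 'all four classes' requirement."""
    if length < 25:
        raise ValueError("non-memorised passwords should be 25+ characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(words: int = 8, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Random passphrase: every word drawn independently and uniformly.

    A hand-picked or 'meaningful' word sequence does not get this entropy."""
    if words < 8:
        raise ValueError("memorised passphrases should be 8+ words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly random passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print("password:   ", generate_password())
    print("  entropy:  ", round(password_entropy_bits(25), 1), "bits")
    print("passphrase: ", generate_passphrase())
    print("  entropy with a 7776-word list:",
          round(passphrase_entropy_bits(8, 7776), 1), "bits")
```

With the 94-character alphabet a 25-character password carries roughly 164 bits, and 8 words from a 7776-word list roughly 103 bits; the 16-word sample list embedded here gives only 32 bits for 8 words, which is exactly why the list you draw from has to be large.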

Sharing encrypted files

If you want to send someone an encrypted file, then I recommend encrypting the file using your private key and the recipient's public key. When the recipient decrypts the file, they can be sure that it was sent by you, provided they have already verified that the public key they hold for you really belongs to you (see Sharing your public key below).
Alternatively, you can encrypt files with a password and share that password using an end-to-end encrypted messaging app, like Signal. This is easier for sharing files with multiple recipients but less secure, because the password is only as secret as the channel it travelled over and every device it was typed into. Ideally, use a different password for each file.
If you intend to share a password, then I recommend using disappearing messages or deleting the password message manually after the recipient has written it down or decrypted the file.

Sharing your public key

Only ever share your public key. You can send someone your public key as a string or as a .public file. Your public key does not need to be secret, so you can share it via an insecure channel (e.g. via an unencrypted messaging app, like Discord). However, someone who can tamper with that channel could swap in their own public key, so before you rely on a key received this way, confirm with its owner over a second channel (in person, by phone, or via an end-to-end encrypted app) that the string you received matches the one they sent.
Never share your private key file! Keep it secret and offline!
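Comparing a whole key string over the phone is tedious, so the usual check is to compare a short fingerprint of it instead. The following is an added example, not a Kryptor feature or code from this project: it hashes the shared public key string into eight 4-character groups that can be read aloud, and checks a key received over an insecure channel against the fingerprint its owner confirmed out-of-band. The key string itself is a constructed placeholder, not a real Kryptor key.

```python
import hashlib
import hmac

# Constructed stand-in for the public key string you would share. It is not a
# real Kryptor key; substitute the string or .public file contents you send.
ALICE_PUBLIC_KEY = "Kryptor-example-public-key-qXv0Zm2pL9aT4cR7nW1bY5eH8dK3sF6g="


def key_fingerprint(public_key: str) -> str:
    """Short, human-comparable fingerprint of a public key string.

    BLAKE2b with a 16-byte digest over the key (whitespace trimmed, so a
    trailing newline from a file does not change it), rendered as eight
    4-character hex groups that can be read over a call or compared in person."""
    digest = hashlib.blake2b(public_key.strip().encode("utf-8"), digest_size=16).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def received_key_is_genuine(received_key: str, fingerprint_from_owner: str) -> bool:
    """Compare the fingerprint of a key that arrived over an insecure channel
    with the fingerprint the owner confirmed over a trusted second channel.
    A constant-time comparison avoids leaking how many groups matched."""
    return hmac.compare_digest(key_fingerprint(received_key), fingerprint_from_owner.strip())


if __name__ == "__main__":
    print("fingerprint to read out loud:", key_fingerprint(ALICE_PUBLIC_KEY))
```

The owner runs `key_fingerprint` on their own key and reads the result out; the recipient runs `received_key_is_genuine` on what Discord delivered. A substituted key produces a completely different fingerprint, so the swap is caught before any file is encrypted to the wrong person.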

Storing your public and private keys

Always back up your .public and .private key files to external storage (e.g. memory sticks). The default key folder depends on your operating system:
  • Windows: %USERPROFILE%/.kryptor
  • Linux: /home/USERNAME/.kryptor
  • macOS: /Users/USERNAME/.kryptor
You can recover your public key from the private key, but if you lose your private key, then you will be forced to generate a new key pair.
Never share your private key file! Keep it secret and offline!

Rotating key pairs

There are two main reasons to rotate a key pair:
  1. If you believe your private key may have been compromised, then you should generate a new key pair.
  2. For file sharing, both parties can rotate their encryption key pair after every message to obtain forward secrecy. However, this is generally overkill.
In the case of a potentially compromised encryption private key, decrypt any files encrypted using that private key before overwriting your encryption key pair, then re-encrypt them using the new key pair. Once the old private key has been overwritten, those files cannot be recovered.

Using keyfiles

If you would like to use a keyfile, then I strongly recommend using one alongside a password, because then an additional secret is required to derive the encryption key: an attacker who guesses or steals the password still needs the keyfile.
By contrast, using a keyfile instead of a password is less secure than using a strong password, since keyfiles must be stored on disk, whereas passwords can be memorised.
Please read the following sections for guidance on choosing and storing keyfiles.

Choosing keyfiles

I recommend randomly generating keyfiles using Kryptor. Randomly generated keyfiles have more entropy, are made read-only, and are unlikely to be accidentally modified since you have no reason to open such files.
Any type of file (e.g. .jpg, .mp3, .zip, etc.) that is at least 64 bytes long can be used as a keyfile, but using an ordinary file type is riskier since it is more likely to be accidentally modified, for example by an application that rewrites the file's metadata when you open it. Compressed file types, like those listed above, are strongly recommended if you do not want to use a randomly generated keyfile. Text files should generally be avoided, as editors may silently change line endings or encoding.
If the keyfile is modified, even by a single byte, then files encrypted using that keyfile will become unrecoverable.

Storing keyfiles

Always back up your keyfiles in case they are accidentally modified. I recommend keeping your keyfiles offline on memory sticks or external hard drives that have been encrypted using full disk encryption.
Be aware that some online services, like Signal, may remove metadata from and/or compress files. Therefore, such services should be avoided when backing up keyfiles.
If you lose a keyfile, then files encrypted using that keyfile will become unrecoverable.
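The two keyfile sections above (choosing a randomly generated, read-only keyfile, and backing it up without it being altered) as one worked example. This is an added illustration, not Kryptor's code and not Kryptor's key derivation: it creates a 64-byte keyfile from the OS CSPRNG and marks it read-only, records a fingerprint to verify a backup copy against, and then shows with an illustrative password-plus-keyfile derivation (PBKDF2 over the password and a hash of the keyfile, chosen here only to make the point) that a single changed byte yields an unrelated key. The salt and the demo password are constructed values.

```python
import hashlib
import hmac
import os
import secrets
import shutil
import stat
import tempfile

KEYFILE_MIN_BYTES = 64  # minimum keyfile length stated on this page

# Constructed, fixed salt used only by the illustrative derivation below.
DEMO_SALT = b"kryptor-docs-keyfile-demo-salt"


def create_random_keyfile(path: str, size: int = KEYFILE_MIN_BYTES) -> bytes:
    """Write `size` CSPRNG bytes to `path` and mark the file read-only.

    Opening with 'xb' refuses to clobber an existing keyfile; the chmod clears
    the owner write bit on POSIX (sets the read-only attribute on Windows),
    so an accidental edit is far less likely."""
    if size < KEYFILE_MIN_BYTES:
        raise ValueError(f"keyfile must be at least {KEYFILE_MIN_BYTES} bytes")
    data = secrets.token_bytes(size)
    with open(path, "xb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRUSR)
    return data


def keyfile_fingerprint(path: str) -> str:
    """BLAKE2b hex digest of the file; record this when you make a backup."""
    with open(path, "rb") as fh:
        return hashlib.blake2b(fh.read()).hexdigest()


def backup_is_intact(recorded_fingerprint: str, backup_path: str) -> bool:
    """Check that a backup copy still matches the fingerprint recorded earlier."""
    return hmac.compare_digest(recorded_fingerprint, keyfile_fingerprint(backup_path))


def derive_key_illustrative(password: bytes, keyfile_bytes: bytes) -> bytes:
    """Illustrative password + keyfile derivation (NOT Kryptor's construction).

    The keyfile contents are hashed and fed into the KDF together with the
    password, so both secrets are needed and any change to the keyfile
    produces an unrelated key."""
    secret = password + hashlib.blake2b(keyfile_bytes).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, DEMO_SALT, 100_000, dklen=32)


def demo_keyfile_lifecycle() -> dict:
    """Create a keyfile, back it up, verify the backup, then flip one byte of
    the backup (what an editor or a lossy upload could do) and show both that
    the check catches it and that the derived key is different."""
    with tempfile.TemporaryDirectory() as workdir:
        keyfile = os.path.join(workdir, "secret.keyfile")
        backup = os.path.join(workdir, "secret.keyfile.bak")
        original = create_random_keyfile(keyfile)
        mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        read_only = (mode & stat.S_IWUSR) == 0

        fingerprint = keyfile_fingerprint(keyfile)
        shutil.copyfile(keyfile, backup)
        good_backup = backup_is_intact(fingerprint, backup)

        damaged = bytearray(original)
        damaged[0] ^= 0x01  # single-byte corruption of the backup copy
        with open(backup, "wb") as fh:
            fh.write(damaged)
        damage_detected = not backup_is_intact(fingerprint, backup)

        key_before = derive_key_illustrative(b"correct horse", original)
        key_after = derive_key_illustrative(b"correct horse", bytes(damaged))

        # Restore write permission so the temporary directory can be removed
        # on platforms that refuse to delete read-only files.
        os.chmod(keyfile, stat.S_IRUSR | stat.S_IWUSR)
        return {
            "keyfile_is_read_only": read_only,
            "keyfile_size": len(original),
            "backup_verified": good_backup,
            "damage_detected": damage_detected,
            "key_changed": key_before != key_after,
        }


if __name__ == "__main__":
    for check, outcome in demo_keyfile_lifecycle().items():
        print(f"{check}: {outcome}")
```

Record the fingerprint somewhere separate from the keyfile when you copy it to a memory stick, and run the comparison again before you rely on that copy; a service that strips metadata or recompresses the file will fail the check, which is exactly the case the section above warns about.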