Best practices

Using an encryption private key instead of a password

Passwords have been the standard for decades, but they are far from perfect. Most people are bad at generating and remembering passwords, which leads to weak passwords and password reuse. These insecure practices significantly reduce the security of password-based encryption.
Therefore, if you struggle with passwords, you should consider using an encryption private key to encrypt your files rather than a password. This means you only have to remember one password to protect your private key. Make sure it is a secure one and that you back up your private key file to external storage.

Choosing strong passwords

  1. Download a free and open source password manager. I recommend Bitwarden or KeePassXC.
  2. If you do not intend to memorise the password, then randomly generate 25+ character passwords that contain lowercase letters, uppercase letters, numbers, and symbols using your password manager.
  3. If you want to memorise a password, then I recommend generating a random passphrase containing 8+ words. You can let Kryptor do this for you, as explained here.
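As an added illustration of the two recommendations above (not code from Kryptor or its documentation), the following Python snippet generates a 25+ character random password and an 8+ word random passphrase from the operating system's CSPRNG, checks a candidate password against the stated requirements, and computes the entropy each choice provides. The word list is a constructed placeholder; a real passphrase generator uses a list of several thousand words, and the entropy function takes the list size as a parameter so the figures stay honest for whatever list is used.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real generator uses a
# large list (thousands of words); entropy is computed from the actual list size.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]

# Lowercase + uppercase + digits + symbols: 26 + 26 + 10 + 32 = 94 characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password: str) -> bool:
    """True if the password contains lowercase, uppercase, digits and symbols."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def meets_recommendation(password: str, min_length: int = 25) -> bool:
    """Check a candidate against the page's rule: 25+ characters, all four classes."""
    return len(password) >= min_length and has_all_classes(password)


def random_password(length: int = 25, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with secrets (CSPRNG). Rejection sampling guarantees
    every character class appears; the entropy lost to rejection is negligible
    at this length."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def random_passphrase(word_count: int = 8, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Pick word_count words uniformly at random (with replacement) from the list."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(symbol_count: int, alphabet_size: int) -> float:
    """Entropy of symbol_count independent uniform picks from alphabet_size choices."""
    return symbol_count * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    print(f"password:   {pw}  ({entropy_bits(len(pw), len(FULL_ALPHABET)):.1f} bits)")
    print(f"passphrase: {pp}  ({entropy_bits(8, len(SAMPLE_WORDS)):.1f} bits with this toy list)")
    print(f"with a 7776-word list the same passphrase gives "
          f"{entropy_bits(8, 7776):.1f} bits")
```

Note how much the word list size matters: eight words from the 16-word placeholder give only 32 bits, while eight words from a 7776-word list give about 103 bits, comparable to a 16-character random password over 94 symbols. This is why the recommendation pairs "8+ words" with a proper generator rather than words you think of yourself.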

Sharing encrypted files

If you want to send someone an encrypted file, then I recommend encrypting the file using your private key and their public key. When decrypting the file, if the recipient knows that the sender's public key belongs to the sender, then they can be sure that the encrypted file was sent from them.
Alternatively, you can encrypt files with a password and share that password using an end-to-end encrypted messaging app, like Signal or Element. This is easier for sharing files with multiple recipients. However, be sure to regularly change passwords.
If you intend to share a password, then I recommend using disappearing messages or deleting the password message manually after the recipient has decrypted the file.

Sharing your public key

Only ever share your public key. You can send someone your public key as a string or as a .public file. You can safely share your public key via an insecure channel (e.g. via an unencrypted messaging app, like Discord).
Never share your private key! Your private key must be kept secret.

Storing your public and private keys

Always back up your .public and .private key files to external storage. The default key folder is %USERPROFILE%/.kryptor on Windows and /home/.kryptor on Linux/macOS.
You can recover your public key from the private key, but if you lose your private key, then you will be forced to generate a new key pair.
Ideally, do not store your .private key files in the cloud. Private keys are encrypted, but keeping them offline provides an additional layer of protection.

Rotating key pairs

If you believe your private key may have been compromised (e.g. you accidentally shared it), then you should generate a new key pair.
In the case of an encryption private key, decrypt any files encrypted using that private key before overwriting your encryption key pair.

Using keyfiles

I strongly recommend using a keyfile alongside a password because that means an additional secret is required to derive the key encryption key.
By contrast, using a keyfile instead of a password is less secure than using a password since keyfiles have to be stored on disk, whereas passwords can be memorised.
Please read the following sections for information regarding choosing and storing keyfiles.

Choosing keyfiles

I recommend randomly generating keyfiles using Kryptor. Randomly generated keyfiles have more entropy, are made read-only, and are unlikely to be accidentally modified since you have no reason to open such files.
Any type of file (e.g. .jpg, .mp3, .zip, etc) that is at least 64 bytes long can be used as a keyfile, but using an ordinary file type is riskier since it is more likely to be accidentally modified. Files with high entropy, like those listed above, are strongly recommended if you do not want to use a randomly generated keyfile. Text files should generally be avoided.
If the keyfile is modified, then files encrypted using that keyfile will become unrecoverable.
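To make concrete what "an additional secret is required to derive the key encryption key" and "if the keyfile is modified, then files encrypted using that keyfile will become unrecoverable" mean in practice, here is an added Python example. It is not Kryptor's code and the derivation scheme is a hypothetical one chosen for illustration: the password is stretched with scrypt, and the keyfile's BLAKE2b digest is mixed in as the key of a keyed BLAKE2b over the password-derived key. It also shows the keyfile hygiene from the previous section: generating a keyfile of CSPRNG bytes (64 bytes, the page's minimum), marking it read-only, and refusing keyfiles below the minimum size. The function, constant and file names are this example's own.

```python
import hashlib
import os
import secrets
import tempfile
from typing import Optional

KEYFILE_MIN_BYTES = 64  # the minimum usable keyfile size given on the page
KEK_BYTES = 32


def generate_keyfile(path: str, size: int = KEYFILE_MIN_BYTES) -> bytes:
    """Write `size` random bytes to path and mark the file read-only so that
    it is not modified by accident (a modified keyfile makes files unrecoverable)."""
    if size < KEYFILE_MIN_BYTES:
        raise ValueError(f"keyfile must be at least {KEYFILE_MIN_BYTES} bytes")
    data = secrets.token_bytes(size)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o400)
    return data


def load_keyfile(path: str) -> bytes:
    """Read a keyfile, rejecting anything shorter than the minimum size."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < KEYFILE_MIN_BYTES:
        raise ValueError(f"keyfile too short: {len(data)} < {KEYFILE_MIN_BYTES} bytes")
    return data


def derive_kek(password: str, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Derive a key encryption key from a password and, optionally, a keyfile.

    Hypothetical scheme (not Kryptor's): scrypt stretches the password; when a
    keyfile is supplied its digest keys a BLAKE2b MAC over the stretched key, so
    an attacker needs both secrets and any change to the keyfile changes the KEK.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    pw_key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=KEK_BYTES)
    if keyfile is None:
        return pw_key
    keyfile_digest = hashlib.blake2b(keyfile, digest_size=KEK_BYTES).digest()
    return hashlib.blake2b(pw_key, digest_size=KEK_BYTES, key=keyfile_digest).digest()


def demo_keyfile_roundtrip(password: str = "constructed example passphrase") -> dict:
    """Generate a keyfile in a temp dir, derive a KEK, then show that a single
    flipped bit in the keyfile yields a different KEK. Returns the observations."""
    salt = secrets.token_bytes(16)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.keyfile")  # constructed path
        written = generate_keyfile(path)
        loaded = load_keyfile(path)
        kek = derive_kek(password, salt, loaded)
        kek_again = derive_kek(password, salt, loaded)
        # Simulate accidental modification in memory: flip one bit of byte 0.
        corrupted = bytes([loaded[0] ^ 0x01]) + loaded[1:]
        kek_corrupted = derive_kek(password, salt, corrupted)
        kek_no_keyfile = derive_kek(password, salt)
        mode = os.stat(path).st_mode & 0o777
    return {
        "keyfile_bytes": len(written),
        "loaded_matches_written": loaded == written,
        "read_only": (mode & 0o222) == 0,
        "kek_len": len(kek),
        "deterministic": kek == kek_again,
        "corruption_changes_kek": kek != kek_corrupted,
        "keyfile_changes_kek": kek != kek_no_keyfile,
    }


if __name__ == "__main__":
    for name, value in demo_keyfile_roundtrip().items():
        print(f"{name}: {value}")
```

The "corruption_changes_kek" result is the whole point of the storage advice that follows: the derivation has no way to tell a deliberately different keyfile from one that was accidentally edited, so a backup of the exact bytes is the only recovery path.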

Storing keyfiles

Always back up your keyfiles in case they are accidentally modified. I recommend keeping your keyfiles offline on memory sticks or external hard drives that have been encrypted using full disk encryption.
If you lose a keyfile, then files encrypted using that keyfile will become unrecoverable.