Best practices

Using an encryption private key instead of a password

Passwords have been the standard for decades, but they are far from perfect. Most people are bad at generating and remembering passwords, which leads to weak passwords and password reuse. These insecure practices significantly reduce the security of password-based encryption.

Therefore, if you struggle with passwords, you should consider using an encryption private key to encrypt your files rather than a password. This means you only have to remember one password to protect your private key. Make sure it is a secure one.

Choosing strong passwords

  1. Download a free and open source password manager. I recommend Bitwarden or KeePassXC.

  2. Randomly generate passwords of 25+ characters using your password manager. Alternatively, use the passphrase generator in Kryptor, and store these passwords using your password manager.

  3. If you want to memorise a password, then I recommend generating a random passphrase containing 8+ words.

Sharing encrypted files

If you want to send someone an encrypted file, then I recommend encrypting the file using your private key and their public key. When decrypting the file, if the recipient knows that the sender's public key really belongs to the sender, then they can be sure that the encrypted file was sent by that person.

Alternatively, you can encrypt files with a password and share that password using an end-to-end encrypted messaging app like Signal or Element. This is easier for sharing files with multiple recipients. However, be sure to regularly change passwords.

If you intend to share a password, then I recommend using disappearing messages or deleting the password message manually after the recipient has decrypted the file.

Sharing your public key

Only ever share your public key. You can send someone your public key as a string or as a .public file. You can safely share your public key via an insecure channel (e.g. via an unencrypted messaging app).

Never share your private key! Your private key must be kept secret.

Storing your public and private keys

Always back up your .public and .private key files to external storage. You can recover your public key from the private key, but if you lose your private key, you will be forced to generate a new key pair.

I strongly advise against storing your .private key files in the cloud. Private keys are encrypted, but it is still safest to keep them offline and under your control.

Rotating key pairs

If you believe your private key may have been compromised (e.g. you accidentally shared it), then you should decrypt any files encrypted using that private key and generate a new key pair. You can then use the new private key to re-encrypt your files.

Choosing keyfiles

I recommend randomly generating keyfiles using Kryptor. Randomly generated keyfiles are made read-only and are unlikely to be accidentally modified, since you have no reason to open them.

Any type of file (e.g. jpg, mp3, zip) can be used as a keyfile, but using an ordinary file is riskier since it is more likely to be accidentally modified.

If the keyfile is modified, then files encrypted using that keyfile will become unrecoverable.

Storing keyfiles

Always back up your keyfiles in case they are accidentally modified. I recommend keeping your keyfiles offline on memory sticks or external hard drives that have been encrypted using full disk encryption.

If you lose a keyfile, then files encrypted using that keyfile will become unrecoverable.
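As an added illustration of the two keyfile sections above (this is not Kryptor's code; the 64-byte keyfile size and the hash-based key derivation are assumptions made for the demo), the block below generates a read-only random keyfile, records a fingerprint you can keep beside the backup, and shows that a single appended byte both produces an unrelated key and is caught by the fingerprint check before any decryption is attempted.

```python
import hashlib
import os
import secrets
import stat
import tempfile

KEYFILE_BYTES = 64  # constructed size for this demo, not Kryptor's format

def generate_keyfile(path: str) -> None:
    """Write random bytes, then clear the write bits to deter accidental edits."""
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(KEYFILE_BYTES))
    os.chmod(path, stat.S_IRUSR)

def keyfile_fingerprint(path: str) -> str:
    """Short digest to keep beside the backup; detects any change to the file."""
    with open(path, "rb") as f:
        return hashlib.blake2b(f.read(), digest_size=16).hexdigest()

def derive_key(path: str) -> bytes:
    """Hypothetical derivation: hash the whole file into a 32-byte key, so any
    flipped or appended byte yields an unrelated key."""
    with open(path, "rb") as f:
        return hashlib.blake2b(f.read(), digest_size=32, person=b"kf-demo").digest()

def keyfile_matches(path: str, expected: str) -> bool:
    """Run before decrypting; on mismatch, restore the keyfile from backup."""
    return secrets.compare_digest(keyfile_fingerprint(path), expected)

def demo() -> dict:
    """Simulate an accidental one-byte change and report what the checks see."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.keyfile")
        generate_keyfile(path)
        write_bits_cleared = (os.stat(path).st_mode & 0o222) == 0
        fingerprint = keyfile_fingerprint(path)
        key_before = derive_key(path)
        # Constructed accident: lift read-only and append a single NUL byte.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        with open(path, "ab") as f:
            f.write(b"\x00")
        return {
            "write_bits_cleared": write_bits_cleared,
            "modification_detected": not keyfile_matches(path, fingerprint),
            "derived_key_changed": derive_key(path) != key_before,
        }
```

Storing the fingerprint (not the keyfile) with each backup lets you tell a corrupted copy from a good one without exposing key material.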