Kryptor uses strong, fast, and modern cryptographic algorithms.
Kryptor provides both encryption and signing, meaning you do not need to use multiple tools.
Kryptor is easier to use than other command line tools, such as GPG.
You can use passwords, keyfiles, or asymmetric keys to encrypt files.
You can encrypt multiple files and directories at once.
You can encrypt files for another person that only they can decrypt.
The design is well documented, and the source code is easy to read, meaning it is easy to audit.
Kryptor is free and open source.
When should I not use Kryptor?
If you want to frequently access lots of your encrypted files (e.g. multiple directories), then you should use Cryptomator or VeraCrypt.
If you want to encrypt individual files using your browser to avoid downloading another program, then you should consider using Hat.sh.
If you intend to encrypt a file for lots of recipients using asymmetric keys, then you should consider using age. However, the key exchange is not authenticated, meaning an attacker could replace the entire file undetected.
If you want to use SSH keys for encryption, then you should use age. However, this is not recommended because it allows someone to track files encrypted to a specific public key.
If you want to encrypt a disk, then you should use LUKS (on Linux) or VeraCrypt (on Windows).
If you want something based on an industry standard, then you are stuck with GPG. However, GPG uses some dated cryptographic algorithms and is not user-friendly for many tasks. It should only really be used to verify digital signatures.
Has Kryptor been audited?
Kryptor has not been officially audited by a third party, but the source code has been reviewed by some security researchers as a result of the HackerOne bug bounty program, the design is well documented, and the code is easy to read, meaning it is easy to audit. Furthermore, the libsodium library is used for all of the cryptography, and libsodium was audited in 2017.
I would love for Kryptor to be audited by a company like Cure53, but security audits are extremely expensive (thousands of dollars) and require open source funding, which is difficult for even very popular projects to get hold of. For example, KeePassXC and age have not been audited.
Yes, click here to view an explanation of each option with examples.
I forgot my password/lost a keyfile, is there any way to recover encrypted files?
Unfortunately not. Assuming you used a secure password/keyfile, it will take an impractical amount of time to brute-force the encryption keys used. There is no backdoor in Kryptor.
Always remember to store your passwords in a password manager and back up keyfiles to external storage.
Is it safe to use Kryptor for long-term storage?
In theory, yes. If you keep a backup of the source code and executable, then you should still be able to decrypt old files after several years. Furthermore, the file format is documented here and can be determined from the source code, meaning someone else could recreate Kryptor if something were to happen to me.
However, I recommend re-encrypting your files after breaking changes (major releases) since that ensures that your files are always encrypted using the latest file format. This is best for security since cryptographic algorithms may get replaced over time.
Which method of encryption should I use?
If you are bad with passwords or just want to remember a single password, then you should use an encryption private key for file encryption.
If you can generate and remember/store strong passwords, then there is nothing wrong with using a password. For extra security, you could also use a keyfile as well as a password.
Guidance on choosing strong passwords can be found here. If you are stuck, you can always generate a random passphrase by pressing Enter (typing no password) when asked to enter a password.
What is a keyfile?
A keyfile is a file that is combined with or used as your password. Keyfiles can be randomly generated, or any type of file can be selected to act as a keyfile.
For the best security, I recommend randomly generating keyfiles and using them alongside a strong password. Please see the Generating a Keyfile section for instructions.
Although ordinary files can be used as keyfiles (e.g. .mp3, .zip, .jpg, etc.), these files are more likely to be accidentally modified. Therefore, I advise against using ordinary files unless you know what you are doing and take adequate precautions (e.g. multiple backups).
How secure are keyfiles?
If you use a keyfile and a password, then you are improving your security since the keyfile is an additional secret required to derive the key encryption key. However, you should randomly generate keyfiles and store them appropriately to gain the most benefit (e.g. on an encrypted memory stick).
By contrast, using a keyfile instead of a password is less secure than using a password since keyfiles have to be stored on disk, whereas passwords can be memorised.
Does Kryptor connect to the internet?
Kryptor runs offline by default but does connect to the internet when you use the -u|--update option to check for updates via GitHub.
How do I report bugs?
Please report bugs via GitHub using the Bug report issue template.
How do I report security vulnerabilities?
Please report vulnerabilities via HackerOne. I will respond as soon as possible.
If you identify a valid security issue, then your name and HackerOne account will be credited in the GitHub release that resolves the vulnerability you reported and in the Acknowledgements section of the website.
Can I help package Kryptor?
Help from packagers is much appreciated as I have no experience distributing software. If you would be willing to maintain a package (e.g. on Homebrew, Chocolatey, etc.), please get in touch.
How is Kryptor different from age?
Here is a summary of the differences:
Kryptor supports encrypting multiple files and directories at once, whereas age can only encrypt one file at a time.
Kryptor supports authenticated key exchange, whereas age does not. This authentication ensures that the file comes from who you expect. The lack of sender authentication in age means an attacker can replace the ciphertext without the recipient knowing.
Kryptor supports file signing using Ed25519, whereas age has classed signing as out of scope (i.e. it will never be implemented).
Kryptor encrypts your private key using a password before it gets written to disk, whereas age stores your private key in plaintext.
Kryptor hides whether the file was encrypted using asymmetric keys, a password, a keyfile, or a password and keyfile, except when performing directory encryption, as explained here. By contrast, age files reveal how the file was encrypted.
Kryptor always encrypts files in chunks of 16 KiB, whereas age will not chunk the file if it is less than 64 KiB in size, which leaks the file size.
Kryptor uses XChaCha20-BLAKE2b with 16 KiB chunks. This means a longer tag (256-bit) is used and there are no key commitment/multi-key attack issues. In contrast, age uses ChaCha20-Poly1305 with 64 KiB chunks and limits message size to mitigate multi-key attacks. BLAKE2b is more suitable for long-term storage than Poly1305, but it is important to note that such multi-key attacks are unlikely.
Kryptor uses Argon2id and BLAKE2b for hashing and key derivation, whereas age uses scrypt, HKDF, and SHA512.
Kryptor uses a fixed file format, meaning the headers are always the same length. By contrast, age uses a stanza file format (the headers are not fixed). Both approaches have advantages and disadvantages, but a fixed file format leaks less information.
Kryptor supports keyfiles with or instead of passwords, whereas age does not support keyfiles at all.
Age supports SSH keys, ASCII armor, and a few other features for more advanced users. However, age keys are still recommended over SSH keys because using SSH keys allows someone to track files that are encrypted to a specific public key.
Age provides better support for encrypting files to multiple recipients using asymmetric keys, but this is unauthenticated, meaning an attacker could replace the ciphertext without the recipient knowing. Kryptor currently requires you to either share a password or encrypt the same file multiple times for multiple recipients, but this is authenticated, meaning an attacker cannot replace the ciphertext.
Kryptor is written in C#, whereas age is written in Go, although they are both garbage-collected languages.
Kryptor is just an encryption program, whereas age is also a Go library.
For a more detailed comparison, take a look at the technical details of Kryptor and age.
How is Kryptor different from Minisign?
Here is a summary of the differences:
Minisign is just a signing tool, whereas Kryptor is also an encryption program.
Kryptor only supports authenticated (trusted) comments, whereas Minisign also supports unauthenticated (untrusted) comments that can be tampered with.
Minisign uses more complicated file/key formats, which makes keys slightly longer. Some of this information is unnecessary, which is why Kryptor omits it. However, performing a checksum over the public key provides some protection against fault attacks.
Kryptor uses a binary file format for signature files, whereas Minisign uses text files.
Kryptor protects the private key using XChaCha20-BLAKE2b, whereas Minisign uses scrypt as a stream cipher and BLAKE2b as a MAC.
Kryptor uses Argon2id for key derivation, whereas Minisign uses scrypt.
Minisign supports unauthenticated (untrusted) comments for the public and private key files. Kryptor does not offer any comment functionality for the key files. This information is too long to be part of the key string, and renaming the key file achieves the same result.
For a more detailed comparison, take a look at the technical details of Kryptor and Minisign.
XChaCha20 was chosen instead of ChaCha20 due to the longer nonce (192-bits), meaning random nonces can be used safely.
Kryptor v3.0.0-beta was originally going to use XChaCha20-Poly1305, but I decided to switch to my XChaCha20-BLAKE2b AEAD implementation because Poly1305 is not designed for long-term storage, and the lack of key commitment in popular AEAD schemes allows a ciphertext message to be decrypted using multiple keys. This can lead to things like partitioning oracle attacks.
Although my implementation has not been standardised, neither have XChaCha20, XChaCha20-Poly1305, or Encrypt-then-HMAC. They are all still used in production. XChaCha20-BLAKE2b is just Encrypt-then-MAC with BLAKE2b, support for additional data in the authentication tag calculation, and key derivation baked in. More information is available here.
The main disadvantage is that XChaCha20-BLAKE2b is slightly slower than XChaCha20-Poly1305. However, the additional security makes the decrease in speed worthwhile.
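To make the construction described above concrete, here is an added, stdlib-only illustration of the XChaCha20-BLAKE2b pattern: XChaCha20 (HChaCha20 subkey plus RFC 8439 ChaCha20) as the cipher, a keyed 256-bit BLAKE2b tag over the additional data, nonce and ciphertext, and encryption/MAC subkeys derived from one key with BLAKE2b personalisation. This is example code, not Kryptor's implementation; the subkey labels, the tag input ordering and the `encrypt`/`decrypt` names are assumptions for illustration, and because the tag is computed with a key derived from the master key, decrypting under any other key is rejected (the key commitment point made above).

```python
import hashlib, hmac, struct

M = 0xFFFFFFFF
def _rotl(v, n): return ((v << n) | (v >> (32 - n))) & M

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):  # 20 rounds (10 column + 10 diagonal) on a 16-word state
    x = list(state)
    for _ in range(10):
        _qr(x, 0, 4, 8, 12); _qr(x, 1, 5, 9, 13); _qr(x, 2, 6, 10, 14); _qr(x, 3, 7, 11, 15)
        _qr(x, 0, 5, 10, 15); _qr(x, 1, 6, 11, 12); _qr(x, 2, 7, 8, 13); _qr(x, 3, 4, 9, 14)
    return x

def _hchacha20(key, nonce16):  # XChaCha20 subkey from the first 16 bytes of the 24-byte nonce
    x = _rounds(struct.unpack("<16I", b"expand 32-byte k" + key + nonce16))
    return struct.pack("<8I", *(x[:4] + x[12:]))

def xchacha20_xor(key, nonce24, data):  # 192-bit nonce, so random nonces are safe
    subkey, nonce12 = _hchacha20(key, nonce24[:16]), b"\0" * 4 + nonce24[16:]
    out = bytearray()
    for i in range(0, len(data), 64):  # ChaCha20 block counter starts at 0
        state = struct.unpack("<16I", b"expand 32-byte k" + subkey + struct.pack("<I", i // 64) + nonce12)
        ks = struct.pack("<16I", *[(a + b) & M for a, b in zip(_rounds(state), state)])
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def _subkey(key, purpose):  # "key derivation baked in": domain-separated subkeys via keyed BLAKE2b
    return hashlib.blake2b(b"", key=key, digest_size=32, person=purpose).digest()  # labels are assumed

def _tag(mac_key, nonce, ad, ct):  # 256-bit keyed BLAKE2b over AD || nonce || ct || len(AD)
    h = hashlib.blake2b(key=mac_key, digest_size=32)
    for part in (ad, nonce, ct, struct.pack("<Q", len(ad))): h.update(part)
    return h.digest()

def encrypt(key, nonce, plaintext, ad=b""):  # Encrypt-then-MAC; returns ciphertext || tag
    ct = xchacha20_xor(_subkey(key, b"enc"), nonce, plaintext)
    return ct + _tag(_subkey(key, b"mac"), nonce, ad, ct)

def decrypt(key, nonce, blob, ad=b""):  # verify the tag in constant time before touching the ciphertext
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), nonce, ad, ct)):
        raise ValueError("authentication failed")  # wrong key, wrong AD/nonce, or tampered ciphertext
    return xchacha20_xor(_subkey(key, b"enc"), nonce, ct)
```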
Why are you using Argon2id?
Argon2 won the Password Hashing Competition in 2015 and is now recommended over other password-based key derivation algorithms, such as PBKDF2 and scrypt.
Argon2id is being used because it is the recommended mode according to the RFC and Argon2i (the other mode available in libsodium) is vulnerable to attacks and weaker in terms of GPU/ASIC resistance.
Why are you using BLAKE2b?
BLAKE2b is used because it is faster than SHA2 and SHA3 whilst being as real-world secure as SHA3. BLAKE (the algorithm BLAKE2 was based on) was subject to thorough cryptanalysis during the SHA3 competition, even more than Keccak (the SHA3 winner), and was found to have a large security margin. Moreover, Guo et al. (2014) argued that some changes between BLAKE and BLAKE2 provided improved protection against certain types of attack.
Are the algorithms post-quantum secure?
The asymmetric algorithms in Kryptor are not quantum-safe. Most asymmetric algorithms in use today will be broken by quantum computers. With that said, they are currently secure and widely used.
Once post-quantum asymmetric algorithms become available in libsodium and common in online protocols, I will investigate making the switch to future-proof Kryptor.