Kryptor is easier to use than other command line tools, such as GPG. It has fewer command line options than Minisign whilst also supporting file encryption in five different ways.
You can use passwords, keyfiles, or asymmetric keys to encrypt files.
You can encrypt multiple files and directories at once. Many tools only support encrypting individual files.
You can encrypt files for another person that only they can decrypt.
The design is well documented, and the source code is easy to read, meaning it is easy to audit.
Kryptor is free and open source.
When should I not use Kryptor?
If you want to frequently access lots of your encrypted files (e.g. multiple directories), then you should use Cryptomator or VeraCrypt.
If you want to encrypt a disk, then you should use VeraCrypt on Windows, LUKS on Linux, and FileVault on macOS.
If you intend to encrypt a file for lots of recipients using asymmetric keys, then you should consider using age. However, the key exchange is not authenticated, meaning an attacker could replace the entire file undetected.
If you want to use SSH keys for encryption, then you should use age. However, this is not recommended because it allows someone to track files encrypted to a specific public key.
If you want to encrypt individual files using your browser to avoid downloading another program, then you should consider using Hat.sh.
If you want something based on an industry standard, then you are stuck with GPG. However, GPG has been rightly criticised for many reasons. For instance, it supports dated cryptographic algorithms and is not user friendly for many tasks.
Has Kryptor been audited?
Kryptor has not been officially audited by a third party. However, some cryptographers kindly provided feedback on the design, the source code has been reviewed by security researchers as a result of the HackerOne bug bounty program, the technical details are well documented, and the code is easy to read, meaning it is easy to audit. Furthermore, the libsodium library is used for all of the cryptography, and libsodium was audited in 2017.
I would love for Kryptor to be audited, but security audits are extremely expensive ($5,000+) and require open source funding, which is difficult for even very popular projects to get hold of. For example, KeePassXC and age have not been audited.
It is also important to remember that a change to any sensitive piece of code could introduce a vulnerability, meaning an audit does not save you after the fact. Moreover, security audits do not necessarily detect everything, as demonstrated by the fact that Threema has been audited twice and was still found to contain vulnerabilities.
Yes, click here to view an explanation of each option with examples.
I forgot my password/lost a keyfile, is there any way to recover encrypted files?
Unfortunately, no. Assuming you used a secure password/keyfile, it will take an impractical amount of time to brute-force the encryption keys used. There is no backdoor in Kryptor.
Always remember to store your passwords in a password manager and back up private keys and keyfiles to external storage (e.g. memory sticks).
Is it safe to use Kryptor for long-term storage?
In theory, yes. However, v4 will contain lots of breaking changes required to improve the software. Such breaking changes may be necessary again in the future as well. Therefore, I strongly recommend re-encrypting your files after breaking changes (major releases) since that ensures that your files are always encrypted using the latest file format. This is best for security since cryptographic algorithms may get replaced over time.
With that said, if you keep a backup of the source code and executable, then you should still be able to decrypt old files after several years. Furthermore, the file format is documented here and can be determined from the source code, meaning someone else could recreate Kryptor if something were to happen to me.
Which method of encryption should I use?
If you are bad with passwords or just want to remember a single password, then you should use an encryption private key for file encryption.
If you can generate and remember/store strong passwords, then there is nothing wrong with using a password. For extra security, you could also use a keyfile alongside a password, which is akin to using 2FA for online accounts.
Guidance on choosing strong passwords can be found here. If you are stuck, then you can always generate a random passphrase by pressing Enter (typing no password) when asked to enter a password.
What is a keyfile?
A keyfile is a file that is combined with or used instead of a password. Keyfiles can be randomly generated, or any type of file that is at least 64 bytes long can be selected to act as a keyfile.
For the best security, I recommend randomly generating keyfiles and using them alongside a strong password. Please see the Generating a keyfile section for instructions.
Although ordinary files can be used as keyfiles (e.g. .zip or .jpg files), such files are more likely to be accidentally modified. Therefore, I advise against using ordinary files unless you know what you are doing and take adequate precautions (e.g. multiple backups).
How secure are keyfiles?
If you use a keyfile and a password, then you are improving your security since the keyfile is an additional secret required to derive the key encryption key. However, you should randomly generate keyfiles and store them appropriately to gain the most benefit (e.g. on an encrypted memory stick).
By contrast, using a keyfile instead of a password is less secure than using a password since keyfiles must be stored on disk, whereas passwords can be memorised.
Does Kryptor connect to the internet?
Kryptor runs offline by default but does connect to the internet when you use the -u|--update option to check for updates via GitHub, as explained here.
How do I report bugs?
Please report bugs via GitHub using the Bug report issue template.
Help from packagers is much appreciated as I have no experience distributing software and am doing a rather poor job of it currently. If you would be willing to maintain a package, then please get in touch so I can credit you in the Acknowledgements section.
How is Kryptor different from age?
Here is a summary of the differences:
Kryptor supports encrypting multiple files and directories at once, whereas age can only encrypt one file at a time.
Kryptor supports authenticated key exchange, whereas age does not. This authentication ensures that the file comes from who you expect. The lack of sender authentication in age means an attacker can replace the ciphertext without the recipient knowing.
Kryptor supports file signing using Ed25519, whereas age has classed signing as out of scope (aka it will never be implemented).
Kryptor encrypts your private key using a password before it gets written to disk, whereas age stores your private key as plaintext.
Kryptor hides whether the file was encrypted using asymmetric keys, a password, a keyfile, or a password and keyfile, except when performing directory encryption, as explained here. By contrast, age files reveal how the file was encrypted.
Kryptor always encrypts files in chunks of 16 KiB, whereas age will not chunk the file if it is less than 64 KiB in size, which leaks the file size.
Kryptor uses XChaCha20-BLAKE2b with 16 KiB chunks. This means a longer tag (256-bit) is used and there are no key commitment/multi-key attack issues. In contrast, age uses ChaCha20-Poly1305 with 64 KiB chunks and limits the message size to mitigate multi-key attacks. BLAKE2b is more suitable for long-term storage than Poly1305, but it is important to note that such multi-key attacks are unlikely.
Kryptor uses Argon2id and BLAKE2b for hashing and key derivation, whereas age uses scrypt, HKDF, and SHA512.
Kryptor uses a fixed file format, meaning the headers are always the same length. By contrast, age uses a stanza file format, meaning the headers are not fixed in length. A fixed file format leaks less information.
Kryptor supports keyfiles with or instead of passwords, whereas age does not support keyfiles at all. Keyfile support will also be used to add post-quantum security to hybrid encryption in v4 of Kryptor.
Age supports SSH keys, ASCII armor, and a few other features for more advanced users. However, age keys are still recommended over SSH keys because using SSH keys allows someone to track files that are encrypted to a specific public key. Kryptor currently does not support such functionality to keep things simple (e.g. proper SSH support requires supporting multiple different cryptographic algorithms for the same purpose, meaning additional dependencies, more code complexity, etc).
Age provides better support for encrypting files to multiple recipients using asymmetric keys, but this is unauthenticated, meaning an attacker could replace the ciphertext without the recipient knowing. Kryptor currently requires you to either share a password or encrypt the same file multiple times for multiple recipients, but this is authenticated, meaning an attacker cannot replace the ciphertext.
Kryptor is written in C#, whereas age is written in Go, although they are both garbage-collected languages.
Kryptor is an encryption and signing program, whereas age is an encryption program and a Go library.
For a more detailed comparison, take a look at the technical details of Kryptor and age.
How is Kryptor different from Minisign?
Here is a summary of the differences:
Minisign is just a signing tool, whereas Kryptor is also an encryption program.
Minisign does not sign a format identifier, allowing some forgery. This is being fixed by enforcing prehashed signatures. By contrast, Kryptor does not suffer from this problem because the entire signature file is signed.
Kryptor only supports authenticated (trusted) comments, whereas Minisign also supports unauthenticated (untrusted) comments that can be tampered with.
Minisign uses more complicated file/key formats, which makes keys slightly longer. Some of this information is unnecessary, which is why Kryptor omits it.
Kryptor uses a binary file format for signature files, whereas Minisign uses text files.
Kryptor protects the private key using XChaCha20-BLAKE2b, whereas Minisign uses scrypt as a stream cipher and BLAKE2b as a MAC.
Kryptor uses Argon2id for key derivation, whereas Minisign uses scrypt.
Minisign supports unauthenticated (untrusted) comments for the public and private key files. Kryptor does not offer any comment functionality for the key files. This information is too long to be part of the key string, and renaming the key file achieves the same result.
For a more detailed comparison, take a look at the technical details of Kryptor and Minisign.
XChaCha20 was chosen instead of ChaCha20 due to the longer nonce (192 bits), meaning random nonces can be used safely.
Kryptor v3.0.0-beta was originally going to use XChaCha20-Poly1305, but I decided to switch to my XChaCha20-BLAKE2b AEAD implementation because Poly1305 is not designed for long-term storage, and the lack of key commitment in popular AEAD schemes allows a ciphertext message to be decrypted using multiple keys. This can lead to things like partitioning oracle attacks.
Although my implementation has not been standardised, neither has XChaCha20, XChaCha20-Poly1305, or Encrypt-then-HMAC. They are all still used in production. XChaCha20-BLAKE2b is just Encrypt-then-MAC with BLAKE2b, support for additional data in the authentication tag calculation, and key derivation baked in. More information is available here.
The main disadvantage is that XChaCha20-BLAKE2b is slightly slower than XChaCha20-Poly1305 for small and large messages. However, the speed is nearly identical for 16-64 KiB buffers, with Kryptor using 16 KiB chunks, and the additional security makes the decrease in speed worthwhile.
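The Encrypt-then-MAC structure described above (subkeys derived from one master key, a keyed BLAKE2b tag over the nonce, additional data and ciphertext, and a 256-bit tag checked before any decryption) as an added illustration; this is not Kryptor's code. Because Python's standard library has no XChaCha20, the keystream below is BLAKE2b in counter mode as a labelled stand-in, so the construction, not the stream cipher, is what the example shows.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32    # 256-bit tag, as in XChaCha20-BLAKE2b
NONCE_LEN = 24  # 192-bit nonce, so random nonces are safe to use

def _subkeys(key: bytes, nonce: bytes) -> tuple:
    # Key derivation "baked in": one 32-byte master key yields a separate
    # encryption key and MAC key, both bound to the nonce via keyed BLAKE2b.
    enc = hashlib.blake2b(nonce, key=key, digest_size=32, person=b"enc-key").digest()
    mac = hashlib.blake2b(nonce, key=key, digest_size=32, person=b"mac-key").digest()
    return enc, mac

def _keystream_xor(enc_key: bytes, data: bytes) -> bytes:
    # STAND-IN for XChaCha20 (assumption for this example): keyed BLAKE2b
    # over a little-endian block counter gives a 64-byte keystream block.
    out = bytearray()
    for off in range(0, len(data), 64):
        block = hashlib.blake2b(struct.pack("<Q", off // 64), key=enc_key).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)

def _tag(mac_key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC: tag covers nonce || ad || ct || len(ad) || len(ct).
    # The MAC key is derived from the master key, so the tag commits to it.
    h = hashlib.blake2b(key=mac_key, digest_size=TAG_LEN)
    h.update(nonce)
    h.update(ad)
    h.update(ct)
    h.update(struct.pack("<QQ", len(ad), len(ct)))
    return h.digest()

def encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    assert len(key) == 32 and len(nonce) == NONCE_LEN
    enc_key, mac_key = _subkeys(key, nonce)
    ct = _keystream_xor(enc_key, pt)
    return ct + _tag(mac_key, nonce, ad, ct)

def decrypt(key: bytes, nonce: bytes, ad: bytes, ct_tag: bytes):
    # Returns the plaintext, or None when the tag does not verify.
    if len(key) != 32 or len(nonce) != NONCE_LEN or len(ct_tag) < TAG_LEN:
        return None
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key, nonce)
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ad, ct)):
        return None  # reject before releasing any plaintext
    return _keystream_xor(enc_key, ct)
```

A ciphertext produced under one key fails verification under every other key, which is the key-commitment property the text contrasts with Poly1305-based AEADs.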
Why are you using Argon2id?
Argon2 won the Password Hashing Competition in 2015 and is now recommended over other password-based key derivation algorithms, such as PBKDF2 and scrypt.
Argon2id is being used because it is the recommended mode according to the RFC and Argon2i (the other mode available in libsodium) is vulnerable to attacks and weaker in terms of GPU/ASIC resistance.
Why are you using BLAKE2b?
BLAKE2b is used because it is faster than SHA2 and SHA3 whilst being as real-world secure as SHA3. BLAKE (the algorithm BLAKE2 was based on) was subject to thorough cryptanalysis during the SHA3 competition, even more than Keccak (the SHA3 winner), and was found to have a large security margin. It did not win the SHA3 competition because it is more similar in construction to SHA2. However, SHA2 is still secure after many years of cryptanalysis. Moreover, Guo et al. (2014) argued that some changes between BLAKE and BLAKE2 provide improved protection against certain types of attack.
Are the algorithms post-quantum secure?
The asymmetric algorithms in Kryptor are not quantum-safe. Most asymmetric algorithms in use today will be broken by a sufficiently large quantum computer. With that said, they are currently secure and widely used. Furthermore, there will be support for a pre-shared key during the key exchange in v4, which will provide post-quantum security.