Why should I use Kryptor over the alternatives?

  1. Kryptor uses strong, fast, and modern cryptographic algorithms.

  2. Kryptor provides both encryption and signing, meaning you do not need to use multiple tools.

  3. Kryptor is a lot easier to use than GPG.

  4. You can use passwords, keyfiles, or asymmetric keys to encrypt files.

  5. You can encrypt files for another person that only they can decrypt.

  6. Kryptor is free and open source.

When should I not use Kryptor?

  • If you want to frequently access lots of your encrypted files (e.g. multiple directories), then you should use Cryptomator or VeraCrypt.​​

  • If you intend to encrypt a file for lots of recipients using asymmetric keys, then you should consider using age. However, the key exchange is not authenticated, meaning an attacker could replace the entire file undetected.

  • If you want to use SSH keys for encryption, then you should use age.

  • If you want to encrypt a disk, then you should use LUKS (on Linux) or VeraCrypt (on Windows).

  • If you want something based on an industry standard, then you should use GPG. However, GPG uses some dated cryptographic algorithms and is about as far from user friendly as you can get.

Has Kryptor been audited?

Kryptor has not been audited by a third-party. I would love for Kryptor to be audited, but security audits are extremely expensive (thousands of dollars) and require open source funding, which is difficult for even very popular projects to get hold of. For example, KeePassXC and age have not been audited.

However, the code is open source, and the libsodium library is used for all cryptography, which was audited in 2017.

Is there a tutorial for new users?

Yes, click here to view a guide with examples.

I forgot my password/lost a keyfile, is there any way to recover encrypted files?

Unfortunately not. Assuming you used a secure password/keyfile, it will take an impractical amount of time to bruteforce the encryption keys used. There is no backdoor in Kryptor.

Always remember to store your passwords in a password manager and back up keyfiles to external storage.

Is is safe to use Kryptor for long-term storage?

In theory, yes. If you keep a backup of the source code, program version, and executable, then you should still be able to decrypt old files after several years. The file format is documented here and can be determined from the source code.

However, I recommend re-encrypting your files after breaking changes since that ensures that your files are always encrypted using the latest file format. This is best for security since cryptographic algorithms may get replaced over time.

Does Kryptor connect to the internet?

Kryptor runs offline by default but does connect to the internet when you use the -u|--update option to check for updates via GitHub.

How do I choose a strong password?

Guidance on choosing strong passwords can be found here. If you are stuck, you can always generate a random passphrase by pressing Enter (typing no password) when asked to enter a password.

What is a keyfile?

A keyfile is a file that is combined with or used as your password. Keyfiles can be randomly generated, or any type of file can be selected to act as a keyfile.

For the best security, I recommend randomly generating keyfiles and using them alongside a strong password. See Generating a Keyfile for instructions.

Although ordinary files can be used as keyfiles (e.g. mp3, zip, jpg), these files are more likely to be accidentally modified. Therefore, I advise against using ordinary files unless you know what you are doing and take adequate precautions (e.g. multiple backups).​

How secure are keyfiles?

If you use a keyfile and password, you are improving your security since the keyfile is an additional secret required to generate the key encryption key. However, you should randomly generate keyfiles and store them appropriately to gain the most benefit (e.g. on a memory stick).

By contrast, using a keyfile instead of a password is less secure than using a password since keyfiles have to be stored on disk, whereas passwords can be memorised.

How do I report bugs?

Please report bugs via GitHub using the Bug report issue template.

How do I report security vulnerabilities?

Please email me at samuel[dash]lucas6[at]pm[dot]me using the subject line Kryptor Security Vulnerability. I encourage you to use PGP if possible as it is better than nothing.

Can I help package Kryptor?

Help from packagers is much appreciated as I have no experience distributing software. If you would be willing to maintain a package (e.g. on Homebrew, Chocolatey, etc), please get in touch.

How is Kryptor different from age?

Kryptor and age have similar goals, but the design decisions were completely different. Age is maintained by Filippo Valsorda, who has considerably more experience and knowledge than me. However, a few aspects of the design are questionable (e.g. the lack of authenticated key exchange), which contributed to me doing things differently in Kryptor. Neither tool is perfect.

Here is a summary of differences:

  • Kryptor supports authenticated key exchange, whereas age does not. This authentication ensures that the file comes from who you expect. The lack of authentication in age means an attacker could replace the ciphertext unnoticed.

  • Kryptor supports file signing using Ed25519, whereas age has classed signing as out of scope (it will never be implemented).​

  • Kryptor encrypts your private key using a password, whereas age stores your private key as plaintext.​

  • Age provides better support for multiple recipients (but this is unauthenticated). Kryptor requires you to either share a password or encrypt the same file multiple times for multiple recipients (but this is authenticated). However, Kryptor does have additional benefits over age such as hiding whether the file was encrypted using an asymmetric key, keyfile, or password (with the exception of directory encryption).

  • Kryptor uses XChaCha20-BLAKE2b with 16 KiB chunks. This means each chunk uses unique keys, there are no key commitment/multi-key attack issues, and a longer tag is used. In contrast, age uses ChaCha20-Poly1305 with 64 KiB chunks. Age limits message size to mitigate multi-key attacks.

  • Kryptor always encrypts files in chunks of 16 KiB, whereas age will not chunk the file if it is less than 64 KiB in size, which leaks the file size.

  • Age uses scrypt, HKDF, and SHA512, whereas Kryptor uses Argon2id and BLAKE2b.

  • Age uses a stanza file format (the headers are not fixed), which means multiple recipients can be specified in one file. By contrast, Kryptor uses a fixed file format. Both approaches have advantages and disadvantages.

  • Kryptor supports keyfiles with/instead of passwords, whereas age does not.

  • Age supports SSH keys, ASCII armor, and various other features for advanced users.

  • Kryptor is written in C#, whereas age is written in Go, although both are garbage-collected languages.

  • Kryptor is just an encryption program, whereas age is also a Go library.

For a more detailed comparison, take a look at the technical details of Kryptor and age.

How is Kryptor different from Minisign?

Kryptor essentially offers the same features as Minisign for signing files, with a few exceptions. Minisign is maintained by Frank Denis, the author of the libsodium library. He has vastly superior knowledge and experience. However, some parts of the Minisign design can arguably be simplified, which is why I decided against directly using the Minisign format.

Here is a summary of the differences:

  • Minisign is just a signing tool, whereas Kryptor is also an encryption program.

  • Kryptor only supports authenticated (trusted) comments, whereas Minisign also supports unauthenticated (untrusted) comments. Untrusted comments can be tampered with.

  • Minisign uses more complicated file/key formats. This makes the keys slightly longer.

  • Kryptor uses a binary file format for signature files, whereas Minisign uses text.

  • Kryptor protects the private key with XChaCha20-BLAKE2b, whereas Minisign uses scrypt as a stream cipher and BLAKE2b as a MAC.

  • Minisign uses scrypt for key derivation, whereas Kryptor uses Argon2id.​

  • Minisign supports unauthenticated (untrusted) comments for the public and private key files. Kryptor does not offer any comment functionality for the key files. This information is too long to be part of the key string, and renaming the key file achieves the same result.

For a more detailed comparison, take a look at the technical details of Kryptor and Minisign.

Why are you using XChaCha20-BLAKE2b?

ChaCha20 has become increasingly popular for several reasons - for example, it has a higher security margin than AES due to a greater number of rounds, it is not vulnerable to timing attacks, and it is consistently fast in software.

XChaCha20 was chosen instead of ChaCha20 due to the longer nonce (192-bits), meaning random nonces can be used safely.

Kryptor v3.0.0 Beta was originally going to use XChaCha20-Poly1305, but I decided to switch to my XChaCha20-BLAKE2b AEAD implementation because the lack of key commitment in popular AEAD schemes allows a ciphertext to be decrypted using multiple keys. This can lead to loss of data and partitioning oracle attacks.

Although my implementation has not been standardised, neither has XChaCha20, XChaCha20-Poly1305, or Encrypt-then-HMAC. They are all still used in production. XChaCha20-BLAKE2b is just Encrypt-then-MAC with BLAKE2b, support for additional data in the authentication tag calculation, and key derivation baked in. More information is available here.

The main disadvantage of this approach is that XChaCha20-BLAKE2b is slower than XChaCha20-Poly1305, especially for small-medium length messages. However, the additional security makes the decrease in speed worthwhile.

Why are you using Argon2id?

Argon2 won the Password Hashing Competition in 2015 and is now recommended over other password-based key derivation algorithms such as PBKDF2 and scrypt.

Argon2id is being used because it is the recommended mode according to the RFC draft and Argon2i (the other mode available in libsodium) is vulnerable to attacks.

Why are you using BLAKE2b?

BLAKE2b is used because it is faster than SHA2/SHA3 whilst being at least as secure as SHA3. BLAKE (the algorithm BLAKE2 was based on) was subject to thorough cryptanalysis during the SHA3 competition and found to have a large security margin.

Are the algorithms post-quantum secure?

The asymmetric algorithms are not quantum-safe. Note that most asymmetric algorithms will be broken. With that said, they are currently secure and widely used.​

What programming language is Kryptor written in?

Kryptor is written in C# using .NET 5. All development is done in Visual Studio 2019 Community.

What does the version number mean?

Kryptor uses semantic versioning:

  1. The major version. This changes when there are breaking changes.

  2. The minor version. This changes when new functionality is added.

  3. The patch version. This changes when bugs are fixed or code improvements are made.

How do I build Kryptor from source?

Step by step instructions can be found here.