Running Kryptor

Please refer to the Installation page for instructions on how to execute Kryptor on your operating system.

Specifying files

Please read the Usage page for information about specifying file names/file paths correctly.

Password entry

Kryptor uses UNIX style password entry, meaning nothing is displayed in the terminal when you type. This can be confusing for non-Linux users, but it prevents someone from seeing the length of your password. You can paste passwords by using right click.

When asked to enter a password, you can press Enter on your keyboard (rather than typing anything) to randomly generate a secure passphrase, which will be displayed in your terminal. You can then copy and paste this passphrase into a password manager so you do not forget it.

$ kryptor -e -p message.txt
Enter a password (leave empty for a random passphrase):
Randomly generated passphrase: Sesame-Immunity-Geometry-Uptown-Divisive-Ibuprofen-Gleaming-Celtic

File encryption

Use the -e|--encrypt option to perform file encryption. You can either use a password, keyfile, password and keyfile, private key, or private and public key. You can either specify a single file, multiple files, a directory, or multiple directories.

Using a password

Use the -p|--password option to specify a password. Kryptor will ask you to enter a new password and then retype the same password for confirmation. The characters you type are hidden to prevent someone from seeing your password.

$ kryptor -e -p message.txt

Always use a strong password; otherwise, the encryption is pointless!

Using a keyfile

For some extra security, you can use a password and keyfile to encrypt files. Use the -k|--keyfile option to specify a keyfile.

See Generating a keyfile for instructions on how to randomly generate a keyfile. Alternatively, you can specify any type of file as a keyfile, but make sure you do not accidentally modify the file.

$ kryptor -e -p -k keyfile.key message.txt

Using a private key

Instead of a password and/or keyfile, you can use your private key to encrypt files. This requires an encryption key pair. See Generating a new key pair for more details.

To specify your default private key, you can use the -x|--private option without specifying a file path. You will be asked to decrypt your private key using your password.

$ kryptor -e -x message.txt
Enter your password:

Using a private and public key (file sharing)

You can use asymmetric encryption to send an encrypted file to someone else. Note that this is one-way encryption. The sender cannot decrypt the file. This means that you should not overwrite the original file.

  1. To encrypt a file to share with another person, both you (the sender) and the recipient need to generate an encryption key pair using Kryptor (see Generating a new key pair).

  2. Next, you need to exchange public keys (e.g. via a messaging app). You can either share your .public files or the public key strings.

  3. You can then specify your private key (using -x|--private) and the recipient's public key (using -y|--public) to encrypt a file.

  4. You will be asked to enter your private key password.

Here is an example of how to use your default encryption private key:

$ kryptor -e -y Q3W9uqyBvaWr6ONs0hbiWT6AncnYXmmC/2pcuOT8wo8eVw== message.txt
Enter your password:

Never share your private key! Only exchange public keys. Sharing your public key as a string is easiest.

Overwriting input files

Use the -o|--overwrite option to overwrite files you want to encrypt with encrypted data.

$ kryptor -e -o -p message.txt

Remember that when encrypting to a recipient using their public key, the encryption is one-way. Therefore, overwriting the file will cause you to lose access.

Obfuscating ouput file names

Use the -f|--obfuscate option to give encrypted files/folders random names.

$ kryptor -e -f -p message.txt

Generating a keyfile

To randomly generate keyfiles (.key files), you can type in a directory or file path after the -k|--keyfile option like so:

$ kryptor -e -k /home/samuel/Documents message.txt
Randomly generated keyfile: df00kis5djjuruahggarhe.key

File decryption

File decryption is exactly the same process as encryption except that you need to use the -d|--decrypt option and specify .kryptor files or a directory containing .kryptor files.

Using a password

Use the -p|--password option to indicate that a password was used for encryption. Kryptor will ask you to enter your password.

$ kryptor -d -p message.txt.kryptor

Using a keyfile

Use the -k|--keyfile option to specify the keyfile used for encryption.

$ kryptor -d -p -k keyfile.key message.txt.kryptor

Using a private key

Use the -x|--private option to specify the private key was used for encryption.

$ kryptor -d -x message.txt.kryptor

Using a private and public key (file sharing)

Use the -x|--private option to specify your private key (as the recipient) and the -y|--public option to specify the sender's public key as either a string or a file.

Here is an example of how to use your default encryption private key:

$ kryptor -d -y sender.public message.txt.kryptor

Generating a new key pair

You can generate a new asymmetric key pair using -g|--generate. You will be asked to select a type of key pair - encryption or signing. Then you will be asked to enter a strong password to encrypt your private key.

The generated public key will be displayed in the terminal as a Base64 string, which can be copied and pasted. However, the private key is not displayed in the terminal since it should never be shared.

The asymmetric keys will be exported to files (.public and .private), and the file paths will be displayed in the terminal. Make sure you back up these files.

The default directory is ~/.kryptor, but you can pass a custom directory after the -g|--generate option. However, I recommend using the default directory because that saves you typing in the path of your private key each time you want to use it.

$ kryptor -g
Please select a key pair type (type 1 or 2):
1) Encryption
2) Signing
Enter a password (leave empty for a random passphrase):
Public key: RWRfyoF8ofT8GqaRvEP0EqDo11B+yBbo0QuBDXsM9/jZEQ==
Public key file: /home/samuel/.kryptor/signing.public
Private key file: /home/samuel/.kryptor/signing.private - Keep this secret!

You can share your encryption public key string/file with other people for file encryption (so they can send you an encrypted file).

You can share your signing public key string/file to allow other people to verify signatures you created (so people can verify the authenticity of a file).

Never share your private key! Keep it secret.

Overwriting key pairs

If you have already generated a key pair, you must specify the -o|--overwrite option to generate a new key pair of the same type (encryption or signing).

$ kryptor -g -o

This will replace the existing key pair.​

Signing a file

You can sign a file using -s|--sign, specifying your private key and a file to sign. Here is an example of how to use your default signing private key:

$ kryptor -s message.txt

This will create a .signature file that you can share along with your public key so other people can verify the signature.

Authenticated comment

You can use the -c|--comment option to specify a comment that will be displayed if verification is successful. If you do not specify a comment, then the default comment will be used.

Remember to specify "speech marks" (on Windows) or 'apostrophes' (on Linux and macOS) around the comment.

$ kryptor -s -c "You can trust this file." message.txt


You can use the -l|--prehash option to sign large files without having to load them into memory. This is useful if you have limited RAM.

Kryptor automatically uses prehashing when you select a file that is greater than 1 GiB in size.

$ kryptor -s -l large-message.txt

Verification of a prehashed signature happens automatically - there is no need to specify the -l|--prehash option when verifying a signature.

Verifying a signature

You can verify a signature using -v|--verify, specifying the signer's public key as a string or file path, a signature file (.signature), and the file to verify.

If the signature file has the same file name and is in the same directory as the file to verify, then you do not need to specify the signature file:

$ kryptor -v -y publickey.public message.txt
message.txt: Good signature.
Authenticated comment: This file has not been tampered with.

If the signature is valid, then you will see the message Good signature and the authenticated comment will be displayed.

If you see the message Bad signature, then the signature is not valid and the comment will not be displayed.