CLI tool to easily encrypt and decrypt files or directories.
The encryption/decryption process and the source code is transparent and easily understandable, see the Under the Hood section.
The simplest way is: cargo install ecrypt
To build from source, you can clone the repo and build the release binary:
git clone https://github.com/tirax-lab/ecrypt
cd ecrypt
cargo build --release
sudo mv target/release/ecrypt /usr/local/bin
Use --help
after any subcommand(e.g. enc
for encrypt and dec
for decrypt) to view all options. For example directory encryption supports the -c/--compress
flag for tar gunzip compression.
$ ecrypt enc README.md
Encryption password:
[2023-01-23T20:37:31Z INFO ecrypt::enc] Writing encrypted data of file "README.md" to "README.md.encrypted"
[2023-01-23T20:37:31Z WARN ecrypt::enc] The unencrypted file 'README.md' remains on disk, you can remove it manually or run ecrypt with the --remove/-r flag
A file README.md.encrypted
will have been created with the encrypted contents.
$ ecrypt dec README.md.encrypted
Decryption password:
[2023-01-23T20:39:11Z INFO ecrypt::dec] Writing decrypted data of file "README.md.encrypted" to "README.md.decrypted"
A file README.md.decrypted
will have been created with the decrypted contents.
$ ecrypt dec directory.encrypted_dir
Decryption password:
[2023-01-23T20:41:33Z INFO ecrypt::dec] Writing decrypted data of file "directory.encrypted_dir" to "directory.decrypted"
[2023-01-23T20:41:33Z INFO ecrypt::dec] Unpacking tarball of decrypted directory: 'directory.decrypted'
This will create 2 outputs: a directory.decrypted
file which is the decrypted tarball, which has been unpacked to produce the directory
This section documents how ecrypt
handles file/directory encryption and decryption so you can evaluate if it is suitable for your security needs. For background see the article on Rust file encryption by Sylvian Kerkour, the author of Black Hat Rust:
- User specifies the source file to be encrypted
- User provides a password with either the
-p
flag or to the password prompt - The password is hashed using
argon
, with a salt being produced - A nonce is generated with random bytes
- A 32 byte extract is taken from the hash and used as a key to the
chacha20poly1305
stream encryptor with the generated nonce - The salt and nonce are written to the start of the output file which will have the
.encrypted
suffix - The
chacha20poly1305
stream encryptor encrypts and writes chunks of bytes to the output file until the entire source file has been read - The final result is a
file.encrypted
which has salt and a nonce at the beginning of the file and encrypted data after that
- User specifies the source file to be decrypted, it may have the
.encrypted
suffix but this is not required - User provides a password with either the
-p/--password
flag or to the password prompt - The salt and the nonce are read from the start of the source file into Rust variables
- Using the provided password and the salt, the same hash that was used for encryption is produced and used as a key to the
chacha20poly1305
stream decryptor and the same nonce has been read from the file. If an incorrect password is provided this hash will be different and the decryption will fail. - The
chacha20poly1305
stream decryptor decrypts and writes chunks of bytes to the output file, which will have a.decrypted
suffix, until the entire source file has been read - The final result is a
file.decrypted
which contains the plaintext
- The directory is archived into a tarball, with optional compression by specifying the
-c/--compress
flag - This tarball is then encrypted using file encryption and outputed to
directory.encrypted
- The unencrypted tarball is then deleted, the user can specify
-r/--remove
to automatically delete the original non-tarball directory too
- The encrypted tarball is decrypted first using file decryption
- The decrypted tarball is then unpacked/unarchived to the current working directory
- This results in both
directory.decrypted
(decrypted tarball) anddirectory
(unencrypted directory) being produced