#files #encryption #security

bin+lib file_endec

Secure file encryption and decryption from the command line

2 stable releases

1.0.1 Nov 22, 2020
1.0.0 Apr 19, 2020

#950 in Cryptography

23 downloads per month





File encrypt/decrypt

Command line utility that encrypts and decrypts files.


  • Encryption and decryption using established algorithms.
  • Compression.
  • Key stretching.
  • Salts.
  • Checksums.
  • Backward-compatibility.
  • Pass keys by prompt, argument, environment, file or pipe.
  • Warnings for weak keys.
  • Shredding of deleted files.

In Docker

Run the encryptor with Docker::

docker run --rm -it -v "$(pwd):/data" mverleg/file-endec /fileenc file.txt

You can mount any directory in which you want to encrypt files; the above example uses the current directory $(pwd). Use /filedec instead of /fileenc for decryption.

To build the image yourself (instead of downloading from Dockerhub), clone the Github project and run::

docker build -t mverleg/file-endec .

This will also run the tests and lints, to verify that your version is okay.


Use fileenc --help and filedec --help to see CLI arguments. For fileenc:

    fileenc [FLAGS] [OPTIONS] <FILES>...

        --accept-weak-key    Suppress warning if the encryption key is not strong.
    -v, --debug              Show debug information, especially on errors.
    -d, --delete-input       Delete unencrypted input files after successful encryption (overwrites garbage before
        --dry-run            Test encryption, but do not save encrypted files (nor delete input, if --delete-input).
    -h, --help               Prints help information
    -f, --overwrite          Overwrite output files if they exist.
    -q, --quiet              Do not show progress or other non-critical output.
    -V, --version            Prints version information

    -k, --key <key-source>
            Where to get the key; one of 'pass:$password', 'env:$var_name', 'file:$path', 'ask', 'askonce', 'pipe'
            [default: ask]
    -o, --output-dir <output-dir>
            Alternative output directory. If not given, output is saved alongside input.

        --output-extension <output-extension>    Extension added to encrypted files. [default: .enc]

    <FILES>...    One or more paths to input files (absolute or relative)

Keep in mind

While this mostly relies on established hashing and encryption algorithms, there are no security guarantees, and the author is not a professional security expert. Use at your own risk.

  • Encrypting the same file twice will give different results, which is needed for semantically security. This may be suboptimal for version control.
  • When hashing multiple files, they share the same salt. This choice was made because stretching takes long, and because if one key were to be found somehow, it would work for all files regardless of salts.


~650K SLoC