#encryption-decryption #encryption #decryption #file-encryption #secret

app lockit

Password protect your files with strong encryption

1 unstable release

0.1.0 Apr 10, 2024

#493 in Cryptography


207 lines


Lockit is a small, command line program to password protect your files with strong encryption.


$ cargo install lockit


Display help.

$ lockit -h  # Use --help for the long help message.

Encrypt a file.

$ lockit -e secret.txt

Decrypt a file.

$ lockit -d secret.txt

Increase the number of hashing iterations of the KDF's HMAC function. This increases the computational cost of cracking your password. The same iteration count needs to be passed to Lockit when decrypting the file.

$ lockit -e -i 1000000 secret.txt

Technical Details

By default, Lockit applies PBKDF2 with 200,000 iterations of HMAC-SHA512 to your password and a random 16-byte salt to generate a key, which it then uses to encrypt the file using AES-256 in Galois/Counter Mode (GCM). This mode of operation provides both confidentiality (i.e. the data cannot be read) and integrity (i.e. the data cannot be covertly tampered with).


This is the work of a Rust noob, which I am sharing here as a potential learning resource for others and to show off some of my newfound Rust skills.

I recently finished reading The Rust Programming Language and was looking for a project to help me get more comfortable writing software in Rust and making use of the available crates. I tried a few of the many Build Your Own X tutorials, but found that I was doing a lot of copy-pasting of the code samples without actually doing much thinking for myself. Therefore, I wasn't getting the benefit of figuring out how to design Rust software.

I eventually decided to take a break from these follow-along style tutorials and to try to implement something, myself, that I thought would be fun and interesting. Cryptography being one of my primary interests, I chose to write a file encryption/decryption utility!

If you are interested in trying this out for yourself, then here is my proposal for you: Do NOT read the source code in this repository. Implement your own version of this application, and, once you have a product that you are satisfied with, feel free to compare my code to what you wrote, keeping in mind that your solution may very well be better.

This is roughly the order in which I implemented the various components.

  1. Command line option/argument parsing
  2. Reading a password from the terminal
  3. Turning the password into a key
  4. Reading a file into memory
  5. Writing a file to disk
  6. Encrypting data
  7. Decrypting data

In my implementation (~300 LoC) I used the following crates, but I encourage you to search for alternatives.

Crate Description
anyhow Improved error messages with optional context
clap Command line argument parsing
ring Cryptographic primitives
rpassword Read passwords from the console
tempfile Temporary files to help prevent data loss
thiserror Easily create custom error types
zeroize Securely clear secrets from memory

Finding, evaluating, and comparing the libraries you have at your disposal in order to choose the one that is right for your use case is an important part of software development. And so is reading documentation, which I hope you will get lots of practice doing when figuring out how to use your chosen crates.


~338K SLoC