1 unstable release

0.8.0 Nov 4, 2019

#2436 in Cryptography

MIT license

185KB
4K SLoC

Rypt: versatile command-line encryption tool

  • Encrypt/decrypt files and streams using passwords, public/private key pairs and complex combinations of these.
  • Uses modern cryptographic primitives provided by libsodium.
  • Written in Rust, efficient and memory-safe programming language.
  • 100% Authenticated Encryption: any change to encrypted files would make them invalid.
  • Offline, standalone tool that does not depend on any commercial services / clouds.
  • Supports advanced use cases like multiple passwords/public keys, key threshold schemes and more.
  • Fast. ~1.1 Gb/s on a 2013 MacBook using AES256-GCM algorithm. Usually I/O bandwidth is the limiting factor.
  • Easy to use at both beginner and advanced level (see examples below).
  • Lightweight: ~1 Mb binary size; <10 Mb memory used (except as required by password derivation functions).
  • Operating System Support: x86 Linux, MacOS, Windows.
  • Open source, MIT license.

Examples

$ # Basic use case: encrypt/decrypt file with a password
$ rypt secret-interview.mp4 
Enter password: 
Confirm password: 

secret-interview.mp4 -> secret-interview.mp4.rypt (1/1)
   100.0 %       1.46 GiB     310.18 MiB/s   ETA  0:00s

Remove original file(s)? [y/N]: y

$ rypt -d secret-interview.mp4.rypt 
Enter password: 

secret-interview.mp4.rypt -> secret-interview.mp4 (1/1)
   100.0 %       1.46 GiB     320.48 MiB/s   ETA  0:00s

Remove original file(s)? [y/N]: y

$ # Advanced examples: generate public/private key pair
$ rypt -g recipient-key
Keypair 1/1:
    Public key: 8bF9648A4C7705E3276795901819Dfe734fa62Df587CF7dB27a17D6FD0d5012c
    Public key file: recipient-key.pub
    Private key file: recipient-key

$ # Upload a public-key-encrypted compressed archive to S3
$ tar c . | xz | rypt --public-key recipient-key.pub | aws s3 cp - s3://mybucket/archive.xz.rypt

$ # Then download it, decrypt and unpack
$ aws s3 cp s3://mybucket/archive.xz.rypt - | rypt -d --private-key recipient-key | xz -d | tar x

$ # More advanced examples: encrypt a note from stdin using an any-2-out-of-3 passwords threshold scheme
$ rypt -p -p -p --key-threshold 2 > encrypted.rypt
Enter password: 
Confirm password: 

Enter password: 
Confirm password: 

Enter password: 
Confirm password: 

(stdin) -> (stdout) (1/1)
This is a secret message.
^D
$ ./rypt -d -p -p -s encrypted.rypt
Enter password: 

Enter password: 

encrypted.rypt -> (stdout) (1/1)
This is a secret message.

Installation

Download binary

See the Releases section.

From source

  1. Install Rust: https://www.rust-lang.org/tools/install
  2. cargo install rypt

Why not use existing tools?

  • PGP: Large installation; cumbersome (--symmetric?); old algorithms (AES128 in CFB mode); slow (TODO: numbers); no proper password derivation, no full-file authentication.
  • OpenSSL: too low-level; TODO.
  • Keybase: No password-based encryption, depends on having an account at a commercial service; TODO.
  • Archivers like zip, 7z, winrar: old algorithms, not stream-friendly, no public key crypto; TODO.

Dependencies

~21–28MB
~225K SLoC