#authenticated-encryption #file-encryption

app scromble

A no-nonsense single-file encryptor with data authentication

1 stable release

2.0.1 Feb 16, 2023

#2480 in Cryptography

AGPL-3.0-or-later

290KB
1.5K SLoC

have your datums been scrombled?

scromble, a simple authenticated file encryptor.

Have you ever wanted to encrypt one file with symmetric encryption?

Have you ever wanted that encryption to be randomized?

Have you ever wanted that file to be indistinguishable from random noise?

Have you ever wanted that encryption to be authenticated?

Well, I certainly did! And apparently no existing tool did all those things. So I made one.

Building

Running nix-shell --command 'cargo build --release' should work. The executable will then be in ./target/release/scromble. Please file an issue if that doesn't work!

If you would like to use the AVX2 backend for XChaCha20, build with nix-shell --command 'RUSTFLAGS="-Ctarget-cpu=haswell -Ctarget-feature=+sse2" cargo build --release' instead. Everything else should be the same. The fastest results I've seen are expected with RUSTFLAGS="-Ctarget-cpu=native".

NOTE FOR WINDOWS USERS

scromble was designed and tested on Linux, so writing the output to stdout was a perfectly reasonable, sensible idea. However, apparently on Windows, writing non-unicode data to stdout crashes the program, and if you redirect stdout to a file causes bytes to be interpreted as UTF-8, then converted to UTF-16le with a byte order marker and some extra data. I'm working on understanding how on earth to deal with that, but for now, please use scromble encrypt <infile> <outfile> and scromble decrypt <infile> <outfile>.

Example usage

$ scromble -h
$ echo mypassword | scromble encrypt mydata.txt >mydata.enc1
$ echo mypassword | scromble encrypt mydata.txt >mydata.enc2
$ echo mypassword | scromble decrypt mydata.enc1 >mydata1.txt
$ echo mypassword | scromble decrypt mydata.enc2 >mydata2.txt
# should be empty
$ diff mydata{,1}.txt
$ diff mydata{,2}.txt
# should be different
$ diff -b mydata.enc*
# should fail, leaving mydata3.txt empty
$ echo notmypassword | scromble decrypt mydata.enc2 >mydata3.txt
Error: Ciphertext has an incorrect HMAC

What cryptography does this use?

For detailed information on the overall design, please see DESIGN.md or run scromble explain-design.

Is this fast?

On my machine I'm seeing encryption and decryption speeds of 150-180MB/s (default sse2 backend) and 200-240MB/s (avx2 backend) when measured through iotop -- although, decryption will require reading the whole file twice. With RUSTFLAGS="-Ctarget-cpu=native", I observed ~300-330MB/s. It can probably be made faster, either through simple optimizations or by multithreading it.

Is this reliable?

I originally made this in a day and it hasn't been independently audited (yet). It is built using fairly reputable Rust-based implementations of the involved cryptographic primitives, and it is simple enough that there shouldn't be many subtle ways for it to be implemented incorrectly. I am willing to use it for my own needs, but as they say:

  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Dependencies

~6.5MB
~112K SLoC