FAQ
General
Is Kryptor compatible with age and Minisign?
No, it uses newer cryptographic primitives and different file formats to address problems with both tools. However, Kryptor isn't perfect either.
Why should I use Kryptor over the alternatives?
Three words: security, privacy, and usability.
Kryptor uses strong, fast, and modern cryptographic algorithms, offering post-quantum security. It also addresses security limitations of tools like age and Minisign.
Unlike most tools, Kryptor limits metadata by using an encrypted file format that is indistinguishable from random. Encrypted files have no identifiable headers and are randomly padded. File names can also be encrypted.
Encrypt/sign multiple files and directories at once. No need to specify an output file path. No config options. Short public keys. Fewer command-line options than Minisign whilst also supporting encryption.
When should I not use Kryptor?
If you want to frequently access lots of your encrypted files (e.g. multiple large directories), you should use Cryptomator or VeraCrypt.
If you want to use SSH keys, you should use age. However, SSH keys aren't recommended by the author.
Has Kryptor been audited?
No, audits are extremely expensive (e.g. $5,000+). A very generous donation would be required to cover the cost.
However, some cryptographers were contacted for design feedback and advice, libsodium and Monocypher are used for the cryptography, and it should be possible to single-handedly audit the code.
I forgot my passphrase/lost a key, can I recover encrypted files?
No, it would take an impractical amount of time to brute-force the encryption keys unless you used a very weak passphrase/low-entropy key.
Is it safe to use Kryptor for long-term backups?
Hopefully, but write down the version and keep a copy of the executable and source code. Ideally, re-encrypt your files when a new major version is released.
Best practices
Which method of encryption should I use?
For yourself: passphrases or random pre-shared keys. Keep them in a password manager.
For others: your private key and their public key. Keep your private key backed up on external storage (e.g. memory sticks).
How do I choose a strong passphrase?
Just let Kryptor generate a passphrase for you and store it in a password manager like KeePassXC or Bitwarden.
What's a keyfile?
A keyfile is a file that's combined with or used instead of a passphrase. If combined, it acts like 2FA. Used alone, it's weaker than a passphrase in that it's stored on disk and can't be memorised.
A random keyfile is equivalent to a random symmetric key stored on disk. Using a regular file as a keyfile is equivalent to hashing the file, so the file should be high in entropy (e.g. compressed).
How do I choose a keyfile?
Just let Kryptor generate a keyfile for you and back it up on external storage (e.g. memory sticks).
However, if you insist on choosing a regular file, make sure it's a compressed file type (e.g. .zip).
Should I store keyfiles in the cloud?
No, they're not encrypted. It would be like uploading a text file containing your passphrase.
How do I share my public key?
Send people your public key string or .public file. Either could also be put on a personal website.
How do I back up my private key?
Navigate to the ~/.kryptor directory and copy any .private files to external storage (e.g. memory sticks). Keeping private keys offline is good practice even though they're encrypted.
How do I share a pre-shared key?
Using an end-to-end encrypted messenger with disappearing messages enabled.
When should I rotate my key pair?
When you think the private key has been compromised, which shouldn't happen if you keep it offline and use a strong passphrase.
Contributing
How do I report bugs?
Please use the Bug report issue template on GitHub.
How do I report vulnerabilities?
Please read the SECURITY.md file on GitHub.
Can I help package Kryptor?
Yes, please get in touch.
Crypto
Why ChaCha20-Poly1305?
It's fast, standardised, doesn't require hardware support, and ChaCha20 has a higher security margin than AES.
How does the key-committing ChaCha20-Poly1305 padding fix work?
The latter 32 bytes of block 0 (after the Poly1305 key) are prepended to the ciphertext as a commitment. For decryption, this commitment is checked in constant time alongside the tag, eliminating a timing difference. Here's some code.
This is similar to the padding fix discussed in How to Abuse and Fix Authenticated Encryption Without Key Commitment. Credit goes to Loup Vaillant for the block 0 idea.
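A sketch of the construction described above, added here as an illustration and not Kryptor's own code. It assumes the RFC 8439 ChaCha20-Poly1305 layout, a commitment || ciphertext || tag output order, and a commitment that is not itself covered by the tag; the function names are hypothetical.

```python
import hmac, struct

M32 = 0xffffffff
rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32

def chacha20_block(key, counter, nonce):
    # RFC 8439 block function: 64 keystream bytes for (32-byte key, counter, 12-byte nonce).
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    def qr(a, b, c, d):
        s[a] = (s[a] + s[b]) & M32; s[d] = rotl(s[d] ^ s[a], 16)
        s[c] = (s[c] + s[d]) & M32; s[b] = rotl(s[b] ^ s[c], 12)
        s[a] = (s[a] + s[b]) & M32; s[d] = rotl(s[d] ^ s[a], 8)
        s[c] = (s[c] + s[d]) & M32; s[b] = rotl(s[b] ^ s[c], 7)
    for _ in range(10):  # 20 rounds: a column round, then a diagonal round
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(s, init)])

def xor_stream(key, nonce, data):
    # Payload keystream starts at counter 1; block 0 is reserved for key material.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, 1 + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    acc = 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + int.from_bytes(otk[16:], "little")) % (1 << 128)).to_bytes(16, "little")

def aead_tag(otk, ad, ct):
    pad = lambda b: b + bytes(-len(b) % 16)
    return poly1305(otk, pad(ad) + pad(ct) + struct.pack("<QQ", len(ad), len(ct)))

def encrypt(key, nonce, plaintext, ad=b""):
    block0 = chacha20_block(key, 0, nonce)  # bytes 0-31: Poly1305 key, 32-63: commitment
    ct = xor_stream(key, nonce, plaintext)
    return block0[32:] + ct + aead_tag(block0[:32], ad, ct)  # assumed output layout

def decrypt(key, nonce, blob, ad=b""):
    commitment, ct, tag = blob[:32], blob[32:-16], blob[-16:]
    block0 = chacha20_block(key, 0, nonce)
    expected = block0[32:] + aead_tag(block0[:32], ad, ct)
    # One constant-time comparison covers commitment and tag, so a wrong key
    # and a forged tag are rejected on the same code path.
    if not hmac.compare_digest(commitment + tag, expected):
        raise ValueError("authentication failed")
    return xor_stream(key, nonce, ct)
```

Python's big-integer arithmetic is not constant time, so this shows the structure of the check rather than a hardened implementation.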
Why Argon2id?
Argon2 won the Password Hashing Competition in 2015 and is now recommended over other password-based key derivation algorithms, such as PBKDF2 and scrypt.
Argon2id is used because it's the recommended mode in the RFC, and Argon2i is vulnerable to attacks as well as being weaker in terms of GPU/ASIC resistance.
Why randomised padding?
PADMÉ padding, which is deterministic, was originally implemented. However, Covert Encryption convinced me that it seems wrong to have deterministic file sizes when trying to make files indistinguishable from random.
Coding
How do I build from source?
Instructions can be found here.
Why are Kryptor executables ~30 MiB?
Because the .NET runtime is included so users don't have to install .NET themselves, and ReadyToRun compilation is enabled to improve startup performance.