AES Crypt: cross platform file encryption

AES Crypt is a multi-platform open source encryption solution for those who are looking for a well-maintained TrueCrypt alternative. Of course, there’s VeraCrypt which is based on TrueCrypt but AES Crypt has a wider platform support and desktop integration (for Gnome & KDE). AES Crypt is a good alternative to utilities like ccrypt or mcrypt. Continue reading AES Crypt: cross platform file encryption

InstantCryptor: encrypt, upload files to cloud

Would you want to upload files with confidential information unencrypted to cloud storage services? If you care about security and privacy you wouldn’t. What can you do about it? A good approach would to encrypt your files using a local tool like ccrypt and then upload it to the cloud. However, you may not have your laptop with you all the time. InstantCryptor is a webapp to solve this problem.

InstantCryptor works with Dropbox and Google Drive at the time of writing. It is free of cost and claims to have 0 knowledge of your data as all files are encrypted (or decrypted) on the local device. InstantCryptor works directly from the browser, you do not need to install anything on your device. Continue reading InstantCryptor: encrypt, upload files to cloud

dislocker: decrypt BitLocker encrypted volumes

diskdislocker is a tool to decrypt Microsoft’s BitLocker encrypted volumes from Linux or OSX. dislocker uses a fuse based mechanism to decrypt the volume and mount it so that the user can access (read or write) the files within the volume. Continue reading dislocker: decrypt BitLocker encrypted volumes

fxor: xor based file encryption

emailXOR is an extremely commonplace operation in cyphers. The reason is the output of encryption can be decrypted using the same XOR function. In other words:

A ⊕ B = C
C ⊕ B = A
C ⊕ A = B

fxor is a simple tool that uses the same logic to encrypt and decrypt files using a key file from the user. Te tool does a byte by byte XOR and can take care of situations where the key is larger than input and vice versa. fxor can even handle binary files or size 50GB.


To install fxor on Ubuntu, run:

$ git clone
$ cd fxor
$ make
$ sudo make install



-r: Overwrite (destroy contents) OUT_FILE if it exists
-s: Start output from OUT_FILE beginning and replace bytes, Perfect to encrypt/decrypt IN_FILE and output to IN_FILE!

To generate a key file, use any of the following methods:

$ openssl rand -out <FILE NAME> <FILE SIZE IN BYTES>
$ openssl rand -engine rdrand -out <FILE NAME> <FILE SIZE IN BYTES>
$ dd if=/dev/random of=<FILE NAME> bs=1M count=50
$ dd if=/dev/urandom of=<FILE NAME> bs=1M count=50

You can also use scripts/opssl_rand in the project tree to generate a key file same in size as <IN FILE>:

$ opssl_rand <IN FILE> <RANDOM KEY FILE>

On GitHub: fxor

mcrypt: encrypt your files

emailIn an earlier article we explored how to encypt text files with vim. There are several ways to encrypt binaries on Linux too; using GnuPG, external tools like VeraCrypt etc. mcrypt is a similar utility that works as a frontend to libemcrypt.


To install mcrypt on Ubuntu, run:

$ sudo apt-get install mcrypt


  • List the algorithms supported
    $ mcrypt --list

    We will use arcfour for our example.

  • List hashing algorithms supported
    $ mcrypt --list-hash

    The hash is a digest added to an encrypted file, in order to detect corruption. We will use sha384.

  • Compression options
    -z : gzip
    -p : bzip2
  • Compress a file
    $ mcrypt -a arcfour -h sha384 -p webcheck.dat

    -a : algorithm to use [optional]
    -h : hashing algorithm to use [optional]
    -p : use bzip2 compression [optional]
    mcrypt will prompt you for the key (or password).
    The file is saved as

  • Decrypt the above file
    $ mcrypt -d
    $ mdecrypt

    Extract the bz2 archive to get the original file

    $ bunzip2 webcheck.dat.bz2
  • Encrypt multiple files
    $ mcrypt file1 file2
  • mcrypt can handle files only. To encrypt a directory archive and compress it first
    $ tar -jcvf mydir.tar.bz2 mydir/
    $ mcrypt mydir.tar.bz2
  • It is possible to pass a key in the cmdline using the -k parameter or in mcrypt configuration file (~/.mcryptrc) but these are not advisable as the key is exposed.

Webpage: mcrypt

Encrypt files with vim

vim_compWhat if you want to hide the contents of a file from the root user? Encryption is the answer. If it is a plaintext file, you do not need any additional software to encrypt it, vim has the ability to encrypt files using several algorithms. Currently vim supports 3 encryption methods:

zip: weak [default method for backward compatibility]
blowfish: better
blowfish2: best [supported from v7.4.399]

To use an encryption method other than zip (which is the default) set it explicitly in vim command mode:

:setlocal cm=blowfish

You can encrypt a file in 2 ways:

  • Open the file in vim and before quitting press :X in command mode. Note that after setting the password (or key) you must apply it using :w before you quit.
  • Add password to the file using
    $ vim +X myfile

Encryption is a one time operation. You can update the file as many times as you want without changing the password. To reset a password, use any of the two methods above and just press Enter when prompted for new password. You can also empty the key from vim command mode:

:set key=

vim will ask for the password every time you open the encrypted file. You will not be able to view the original contents of the file using any other external editor either. If you enter the wrong password while opening the file in vim, you will see gibberish content. In the latest versions of vim (mine is 7.4.52) saving the file in this state does not corrupt the original content. While editing, the text in the swap file, undo file, and backup files are also encrypted; however, the text in memory is not encrypted.

Tomb: wrappers for LUKS encryption

tomb_compTomb is a Linux encryption API wrapper script providing a simple cmdline interface for end users who want to encrypt their files. Tomb manages encrypted directories protected by encrypted key files in addition to a password. While Ubuntu provides a very easy interface for volume encryption, using the cmdline to create and manage encrypted directories is still not easy for the average user. Tomb is a Zsh script which does all the work by encapsulating intimidating commands and procedures. It also provides an optional system tray icon.


  • Uses standard filesystem tools
  • Supports cryptsetup and LUKS using cryptographic API of the Linux kernel
  • Can generate machine parsable output for use inside graphical applications
  • Create, open, close, delete tombs (encrypted directories)
  • Forge keys protected by a password (GnuPG symmetric encryption) which can be stored in separate media
  • Once open, the tombs are just like normal folders and can contain different files, plus they offer advanced functionalities like bind and execution hooks and fast search, or they can be slammed close even if busy
  • Use multiple tombs simultaneously, directories and files inside them can be bound to files and directories inside home directory
  • Both the secure key and a password are required to open a tomb
  • Takes care of several details to improve user’s behaviour and the security of tombs in everyday usage
  • Open source and free


Tomb requires the following packages (available in the default repositories of most major distributions):

  • zsh
  • sudo
  • gnupg
  • cryptsetup
  • pinentry-curses (and/or -gtk-2, -x11, -qt)

Download the latest stable version of Tomb. Then execute the following commands:

$ tar -xvf Tomb-$version.tar.gz
$ cd Tomb-$version
$ sudo make install

To install a Gtk-tray skull icon for managing tombs change to directory extras/gtk-tray. Then,

  1. make sure libnotify and gtk+-3.0 dev packages are available
  2. run make inside the directory to build tomb-gtk-tray
  3. run sudo make install (default PREFIX is /usr/local)
  4. start tomb-gtk-tray tombname after the tomb is open


  • Create a 100MB tomb, generate key and lock it
    $ tomb dig -s 100 secret.tomb
    $ tomb forge secret.tomb.key
    $ tomb lock secret.tomb -k secret.tomb.key
  • Open a tomb
    $ tomb open secret.tomb -k secret.tomb.key
  • Close a tomb
    $ tomb close
  • Close all open tombs immediately, killing all applications using them
    $ tomb slam all
  • Hide a key inside an image and extract it later
    $ tomb bury -k secrets.tomb.key nosferatu.jpg
    $ tomb open -k nosferatu.jpg secrets.tomb

Full list of tomb commands and options:

Syntax: tomb [options] command [arguments]


// Creation:
dig     create a new empty TOMB file of size -s in MB
forge   create a new KEY file and set its password
lock    installs a lock on a TOMB to use it with KEY

// Operations on tombs:
open    open an existing TOMB
index   update the search indexes of tombs
search  looks for filenames matching text patterns
list    list of open TOMBs and information on them
close   close a specific TOMB (or 'all')
slam    slam a TOMB killing all programs using it
resize  resize a TOMB to a new size -s (can only grow)

// Operations on keys:
passwd  change the password of a KEY (needs old pass)
setkey  change the KEY locking a TOMB (needs old key and pass)

// Backup on paper:
engrave makes a QR code of a KEY to be saved on paper

// Steganography:
bury    hide a KEY inside a JPEG image (for use with -k)
exhume  extract a KEY from a JPEG image (prints to stout)

-s     size of the tomb file when creating/resizing one (in MB)
-k     path to the key to be used ('-k -' to read from stdin)
-n     don't process the hooks found in tomb
-o     mount options used to open (default: rw,noatime,nodev)
-f     force operation (i.e. even if swap is active)
--kdf  generate passwords armored against dictionary attacks

-h     print this help
-v     print version, license and list of available ciphers
-q     run quietly without printing informations
-D     print debugging information at runtime

Webpage: Tomb

oneway: simple file encryption

emailoneway is a simple asymmetric encryption implementation in C++ and a tool to encrypt or decrypt files without having a complex setup like GPG. oneway uses the openssl library and can be used from the cmdline. The tool is compatible with the .NET utility (for Windows) AsymmetricCrypt.

oneway is to be used for data encryption on systems where storing password or key in plaintext is not desirable. It uses one of the strongest encryption techniques, AES256, to encrypt files and the key is randomly generated. AES256 key is encrypted using 4096 bit RSA and stored with the file. The structure of the encrypted file is:

4 bytes: signature "ASCR"
16 bytes: AES IV
512 bytes: RSA 4096-encrypted AES key
rest: encrypted file contents


oneway has to be compiled from source. However, the procedure is simple due to minimal dependencies. Get the git source and compile it:

$ git clone
$ cd oneway-cpp
$ make


  • Generate private key:
    $ oneway --genkey private.key
    $ oneway --genkey >private.key
  • Extract public key component from private key:
    $ oneway --publickey private.key public.key
    $ oneway --publickey <private.key >public.key
  • Encrypt file using public key:
    $ oneway --encrypt public.key plaintext.txt encrypted.ascr
    $ oneway --encrypt public.key plaintext.txt >encrypted.ascr
    $ oneway --encrypt public.key <plaintext.txt >encrypted.ascr
  • Decrypt file using private key:
    $ oneway --decrypt private.key encrypted.ascr plaintext.txt
    $ oneway --decrypt private.key encrypted.ascr >plaintext.txt
    $ oneway --decrypt private.key <encrypted.ascr >plaintext.txt

Webpage: oneway