Portable Encryption with bcrypt
I said I would write a page about using bcrypt to encrypt files across platforms seamlessly. Because bcrypt is very small (and so is its required zlib.dll for Windows use — combined about 125kb), it can be thought of as portable. I’ve installed the Windows version on my USB sticks so I can encrypt and decrypt files without having to install anything on anyone else’s computer. This means I have no excuse to not encrypt files I carry with me.
One of the reasons I like bcrypt is that the default command line is the same for encrypting and decrypting: bcrypt [options] filename. This means the Windows version is drag and drop both ways (to encrypt, to decrypt). So, too, is the rox AppRun script below.
bcrypt uses Blowfish encryption and is protected with an 8 to 56 character passphrase hashed internally to a 448-bit key. Needless to say, the stronger the passphrase, the harder it’ll be to crack and the safer your data will be.
It removes the original file that’s encrypted and then rewrites the space of the original file three times by default to thwart recovery attempts. That feature can be turned off (-r) or increased to N times (-sN). It also compresses the encrypted file (turned off with -c). It can also write to standard output (-o).
The Windows and Linux versions are fully compatible. What’s encrypted using one operating system can be easily decrypted on the other.
It has a few limitations. First, bcrypt encrypts/decrypts individual files and not directories. The way around that is to tarball/zip and then encrypt your archive. Second, the passphrase in the Windows version isn’t masked: you will see your passphrase when you enter it (twice to encrypt, once to decrypt).
I made a standard rox application directory for bcrypt. The cool thing about it is that no special settings are required for batch encryption — just select the files to be encrypted and drag them over the appdir’s icon. The aterm window pops up prompting for the passphrase. Enter it twice and you’re done.
Since the same command will decrypt, I set a MIME-type for the bcrypt-encrypted extension (bfe) and associated it with the same application directory. Now I can click on an encrypted bfe file and aterm pops up asking for the passphrase and decrypts it. I can also select multiple bfe files and drag them over the icon the same way to batch decrypt files. It prompts me once and proceeds to decrypt en masse.
The script is just the standard appdir bash wrapper (for a CLI application anyway):
exec aterm -T "bcrypt encrypt-decrypt" -e bcrypt "$@"
I edited my own icon with a lock and a re-do swirl. The appdir can be dragged out of its usual directory onto the pinboard (desktop) or panel so you can drag and drop on it more easily. Then it can be removed from pinboard or panel (it still stays in its normal directory unless you actually move it) when finished. This makes things very fast and easy (especially when combined with an archiving script so entire directories can be dragged and dropped to make tarballs and then dragged and dropped again to encrypt — guess I need to write one script that does both tasks in one fell swoop).
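One way to do both tasks in a single drop, as an added example that is not the post's own script: directories are tarred first, then every path goes to bcrypt in one invocation. It assumes bcrypt and tar are on PATH; the BCRYPT variable and the function names pack_dir and encrypt_paths are hypothetical.

```sh
#!/bin/sh
# Added example, not the post's AppRun. Assumes bcrypt and tar are on PATH.
# BCRYPT is a hypothetical override so the wrapper can be exercised with a stub.
BCRYPT=${BCRYPT:-bcrypt}

# pack_dir DIR: write DIR.tar beside DIR and print the archive's path.
# The archive is left uncompressed because bcrypt compresses by default.
pack_dir() {
    dir=${1%/}
    parent=$(dirname -- "$dir")
    name=$(basename -- "$dir")
    out="$parent/$name.tar"
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    tar -cf "$out" -C "$parent" "./$name" || return 1
    printf '%s\n' "$out"
}

# encrypt_paths PATH...: replace each directory argument with its tarball,
# then run bcrypt once over the whole list so the passphrase is asked once.
# Arguments ending in .bfe are decrypted by bcrypt as usual.
encrypt_paths() {
    n=$#
    while [ "$n" -gt 0 ]; do
        p=$1
        shift
        n=$((n - 1))
        if [ -d "$p" ]; then
            p=$(pack_dir "$p") || return 1
        elif [ ! -f "$p" ]; then
            echo "skipping $p: not a file or directory" >&2
            continue
        fi
        set -- "$@" "$p"   # rotate the processed path to the end of the list
    done
    [ "$#" -gt 0 ] || return 1
    # bcrypt overwrites and removes only the files it is given: the tarball
    # goes away, but the source directory stays on disk in the clear.
    "$BCRYPT" "$@"
}

# When used as the AppRun target: aterm -e /path/to/this-script "$@"
[ "$#" -eq 0 ] || encrypt_paths "$@"
```

Because only the tarball is overwritten and removed, the source directory still has to be dealt with separately once the .bfe file is confirmed to decrypt.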
Additional appdirs can also be set up to invoke options like turning off encryption or having it rewrite the area more times or not at all, depending on your needs.