Portable Encryption with bcrypt

I said I would write a page about using bcrypt to encrypt files across platforms seamlessly. Because bcrypt is very small (and so is its required zlib.dll for Windows use — combined about 125kb), it can be thought of as portable. I’ve installed the Windows version on my USB sticks so I can encrypt and decrypt files without having to install anything on anyone else’s computer. This means I have no excuse to not encrypt files I carry with me.

One of the reasons I like bcrypt is because the default commandline is the same for encrypting and decrypting: bcrypt [options] filename. This means the Windows version is drag and drop both ways (to encrypt, to decrypt). So, too, is the rox AppRun script below.

bcrypt uses Blowfish encryption and is protected with an 8 to 56 character passphrase hashed internally to a 448 bit key. Needless to say, the stronger the passphrase, the harder it’ll be to crack and the safer your data will be.

It removes the original file that’s encrypted and then rewrites the space of the original file three times by default to thwart recovery attempts. That feature can be turned off (-r) or increased N-times (-sN). It also compresses the encrypted file (turned off with -c). It can also write to standard output (-o).

The Windows and Linux versions are fully compatible. What’s encrypted using one operating system can be easily decrypted on the other.

It has a few limitations. First, bcrypt encrypts/decrypts individual files and not directories. The way around that is to tarball/zip and then encrypt your archive. Second, the passphrase in the Windows version isn’t masked: you will see your passphrase when you enter it (twice to encrypt, once to decrypt).

I made a standard rox application directory for bcrypt. The cool thing about it is that no special settings are required for batch encryption — just select the files to be encrypted and drag them over the appdir’s icon. The aterm window pops up prompting for the passphrase. Enter it twice and you’re done.

Since the same command will decrypt, I set a MIME-type for the bcrypt-encrypted extension (bfe) and associated it with the same application directory. Now I can click on an encrypted bfe file and aterm pops up asking for the passphrase and decrypts it. I can also select multiple bfe files and drag them over the icon the same way I can batch decrypt files. It prompts me once and proceeds to decrypt en masse.

The script is just the standard appdir bash wrapper (for a CLI application anyway):

#!/bin/bash
exec aterm -T "bcrypt encrypt-decrypt" -e bcrypt "$@"

I edited my own icon with a lock and a re-do swirl. The appdir can be dragged out of its usual directory onto the pinboard (desktop) or panel so you can drag and drop on it more easily. Then it can be removed from pinboard or panel (it still stays in its normal directory unless you actually move it) when finished. This makes things very fast and easy (especially when combined with an archiving script so entire directories can be dragged and dropped to make tarballs and then dragged and dropped again to encrypt — guess I need to write one script that does both tasks in one fell swoop).

Additional appdirs can also be set up to invoke options like turning off compression or having it rewrite the area more times or not at all, depending on your needs.
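The combined archive-and-encrypt script the post wishes for, sketched as an added example (not the author's script or part of bcrypt): directories are tarred first, since bcrypt only takes individual files, and everything is then passed to a single bcrypt run. The function names and the `.tar` naming are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes bcrypt and tar are on PATH.

# Decide what to do with one dropped item, from its type and extension.
classify() {
    if [ -d "$1" ]; then
        echo archive                 # bcrypt cannot take a directory
    elif [ -f "$1" ]; then
        case "$1" in
            *.bfe) echo decrypt ;;   # already a bcrypt file
            *)     echo encrypt ;;
        esac
    else
        echo skip                    # missing path, device, socket, ...
    fi
}

# Tar a directory next to itself (owner-only via umask) and print the path.
# No gzip here: the post notes bcrypt compresses unless -c is given.
archive_dir() {
    src=${1%/}
    tarball=$src.tar
    if [ -e "$tarball" ] || [ -e "$tarball.bfe" ]; then
        echo "refusing to overwrite $tarball or $tarball.bfe" >&2
        return 1
    fi
    ( umask 077
      tar -cf "$tarball" -C "$(dirname -- "$src")" "./$(basename -- "$src")"
    ) || return 1
    printf '%s\n' "$tarball"
}

main() {
    n=$#
    while [ "$n" -gt 0 ]; do         # rotate through the original arguments
        item=$1; shift; n=$((n - 1))
        case "$(classify "$item")" in
            archive) new=$(archive_dir "$item") || exit 1
                     set -- "$@" "$new" ;;
            encrypt|decrypt) set -- "$@" "$item" ;;
            skip) echo "skipping $item" >&2 ;;
        esac
    done
    [ "$#" -gt 0 ] || exit 0
    # One bcrypt run; by default it removes and overwrites its inputs.
    exec bcrypt "$@"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

bcrypt's removal and overwriting applies to the intermediate tarball only; the source directory is left on disk in the clear and has to be dealt with separately.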

2 Responses to “Portable Encryption with bcrypt”

  1. aefavant Says:

    Hey, I got to your page searching for batching for bcrypt on Google.
    Do you think you could send me batch scripts to run bcrypt on DOS/Win and Linux?
    I would appreciate that so much. I have been trying to prog that myself but to no good!


    • lucky Says:

      I don’t know what kind of batch scripts you want (exactly what do you want to do?), nor do I think that’s necessarily the best way to use bcrypt. As I alluded in this entry, it’s probably easiest to make a tarball (or zip archive) of what you want to encrypt/decrypt since anything you’d do in bulk like that would likely be somewhat related anyway. The only script other than the AppRun file (for rox-filer) I mentioned in the entry ran a test on the file extension to determine whether it was already encrypted (and thus needed to be decrypted) or not (and thus needed to be encrypted).

      FWIW, I haven’t used bcrypt in years. I use TrueCrypt in Windows for partitions and volumes, as well as for storage media which will only be used in Windows. I now use gpg for all files which will be shared between operating systems — and gpg does have a --batch processing flag that bcrypt doesn’t.
