Encryptor


A small and simple tool to encrypt small files with libsodium.

Installation

Install for local user with composer:

composer global require arokettu/encryptor

Install for all users by downloading prebuilt phar:

sudo wget https://github.com/arokettu/php-encryptor/releases/latest/download/encryptor.phar -O /usr/local/bin/encryptor
sudo chmod +x /usr/local/bin/encryptor

Usage

encryptor encrypt|decrypt [-o|--output=OUTPUT_FILE] [--stdout] [-k|--key=KEY]
          [-p|--password=PASSWORD] [-s|--strength=STRENGTH] [<INPUT_FILE>]
-o, --output=OUTPUT_FILE

Output file.

--stdout

Force output to stdout.

-k, --key=KEY

Encrypt/decrypt data with a binary key. The key must be exactly 32 bytes, given as 64 hexadecimal characters (for example, the output of openssl rand -hex 32).

-p, --password=PASSWORD

Encrypt/decrypt data with password.

-s, --strength=STRENGTH

Encryption only: Key derivation strength for password encryption. (1-3, default 2)

If no input file is specified, the tool will read from stdin.

If neither --output nor --stdout are specified:

  • If data is read from stdin, output will be stdout

  • On encryption: INPUT_FILE.encrypted

  • On decryption: if the input file is FILENAME.encrypted, then FILENAME, otherwise INPUT_FILE.decrypted

If neither a key nor a password is given as a parameter, a password is requested interactively. Prefer the interactive prompt where you can: a key or password passed as a command-line argument is visible in the process list and is usually kept in the shell history.

Key derivation strength sets opslimit/memlimit for Argon2id key derivation. The default level is MODERATE (2).

Strength   Limit constants
1          INTERACTIVE
2          MODERATE
3          SENSITIVE

File Format

The encrypted file is a bencoded dictionary with the following keys:

key       value                description
_a        "sfenc"              Header
_v        1 or 2               Container version
salt      16 random bytes      Password salt. Unset if encrypted with a key
ops       integer              Argon2id opslimit. Unset if encrypted with a key (v2 only)
mem       integer              Argon2id memlimit. Unset if encrypted with a key (v2 only)
nonce     24 random bytes      XSalsa20 nonce
payload   long binary string   XSalsa20 + Poly1305 encrypted payload (libsodium's secretbox construction)

The file is guaranteed to start with d2:_a5:sfenc2:_v, because bencode sorts dictionary keys bytewise and "_a" and "_v" sort before every other key in the container. This prefix can be used to recognise the format before attempting any key derivation.

V1 and V2 differences:

  • V2 uses Argon2id, V1 uses Argon2i

  • V2 uses ops and mem from the container, V1 always uses SENSITIVE (ops=4, mem=1_073_741_824, hardcoded since 1.1)

  • V1 and V2 are identical when encrypting with a key, except for the version header

V1 was used during early development. If you somehow used my dev version, you can still decode your files but it may break if libsodium changes the constants.
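The following is an added example, not code from the encryptor project itself: a minimal reader and writer for the container described in the File Format section and the V1/V2 list above, written against PHP 8 with ext-sodium. It assumes (the page does not state this explicitly) that the payload is libsodium's crypto_secretbox, which is the XSalsa20 + Poly1305 construction the table names; the cap on ops/mem read from a file is hardening added here, not documented tool behaviour; the sample data at the bottom is constructed.

```php
<?php
// Added example, not the project's own code. Assumes PHP 8 + ext-sodium and
// that "XSalsa20 + Poly1305" means libsodium's crypto_secretbox.
declare(strict_types=1);

const SFENC_MAGIC = 'd2:_a5:sfenc2:_v';
const SFENC_STRENGTH = [   // --strength 1..3 mapped to libsodium limit constants
    1 => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE],
    2 => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,    SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE],
    3 => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,   SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE],
];

// Bencode, limited to what the container uses: integers, byte strings, dicts.
function bencode(int|string|array $v): string
{
    if (is_int($v)) { return "i{$v}e"; }
    if (is_string($v)) { return strlen($v) . ':' . $v; }
    ksort($v, SORT_STRING);                 // dict keys are sorted bytewise
    $out = 'd';
    foreach ($v as $k => $x) { $out .= bencode((string) $k) . bencode($x); }
    return $out . 'e';
}

function bdecode(string $s, int &$i = 0): int|string|array
{
    $c = $s[$i] ?? throw new RuntimeException('truncated bencode');
    if ($c === 'i') {                       // i<digits>e
        $e = strpos($s, 'e', $i);
        if ($e === false) { throw new RuntimeException('unterminated integer'); }
        $n = substr($s, $i + 1, $e - $i - 1);
        if (!preg_match('/^(0|-?[1-9][0-9]*)$/', $n)) { throw new RuntimeException('malformed integer'); }
        $i = $e + 1;
        return (int) $n;
    }
    if ($c === 'd') {                       // d<key><value>...e
        $i++;
        $d = [];
        while (($s[$i] ?? throw new RuntimeException('unterminated dict')) !== 'e') {
            $k = bdecode($s, $i);
            $d[$k] = bdecode($s, $i);
        }
        $i++;
        return $d;
    }
    if ($c >= '0' && $c <= '9') {           // <length>:<bytes>
        $colon = strpos($s, ':', $i);
        if ($colon === false) { throw new RuntimeException('malformed string'); }
        $len = (int) substr($s, $i, $colon - $i);
        $str = substr($s, $colon + 1, $len);
        if (strlen($str) !== $len) { throw new RuntimeException('truncated string'); }
        $i = $colon + 1 + $len;
        return $str;
    }
    throw new RuntimeException("unsupported bencode type '$c'");
}

function sfencEncrypt(string $plain, ?string $key = null, ?string $password = null, int $strength = 2): string
{
    $c = ['_a' => 'sfenc', '_v' => 2];
    if ($key !== null) {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { throw new InvalidArgumentException('key must be 32 bytes'); }
    } elseif ($password !== null) {
        [$ops, $mem] = SFENC_STRENGTH[$strength] ?? throw new InvalidArgumentException('strength must be 1..3');
        $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);                 // 16 bytes
        $key = sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt, $ops, $mem,
                                    SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
        $c += ['salt' => $salt, 'ops' => $ops, 'mem' => $mem];                // v2 stores its cost parameters
    } else {
        throw new InvalidArgumentException('need a key or a password');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);                // 24 bytes, fresh for every file
    $c['nonce'] = $nonce;
    $c['payload'] = sodium_crypto_secretbox($plain, $nonce, $key);
    return bencode($c);
}

function sfencDecrypt(string $blob, ?string $key = null, ?string $password = null): string
{
    if (!str_starts_with($blob, SFENC_MAGIC)) { throw new RuntimeException('not an sfenc container'); }
    $c = bdecode($blob);
    $v = $c['_v'] ?? 0;
    if ($v !== 1 && $v !== 2) { throw new RuntimeException("unknown container version $v"); }
    if (isset($c['salt'])) {                                                  // password-encrypted
        if ($password === null) { throw new RuntimeException('file is password-encrypted'); }
        [$ops, $mem, $alg] = $v === 2
            ? [$c['ops'], $c['mem'], SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13]
            : [4, 1073741824, SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13];            // V1: Argon2i, SENSITIVE limits
        // Assumed hardening (not documented tool behaviour): a file chooses the
        // Argon2 cost, so cap it or a crafted header becomes a memory-exhaustion DoS.
        if ($ops > SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE || $mem > SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE) {
            throw new RuntimeException('refusing excessive Argon2 cost parameters');
        }
        $key = sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $c['salt'], $ops, $mem, $alg);
    } elseif ($key === null) {
        throw new RuntimeException('file is key-encrypted');
    }
    $plain = sodium_crypto_secretbox_open($c['payload'], $c['nonce'], $key);
    if ($plain === false) { throw new RuntimeException('decryption failed: wrong secret or tampered file'); }
    return $plain;                          // Poly1305 tag verified, so the payload is authentic
}

// Constructed demo (strength 1 keeps the Argon2 cost small for a quick run).
$pwBlob = sfencEncrypt("hello\n", password: 'correct horse', strength: 1);
assert(str_starts_with($pwBlob, 'd2:_a5:sfenc2:_vi2e'));
assert(sfencDecrypt($pwBlob, password: 'correct horse') === "hello\n");
$key = random_bytes(32);                    // the -k form is sodium_hex2bin() of 64 hex characters
assert(sfencDecrypt(sfencEncrypt("hello\n", key: $key), key: $key) === "hello\n");
```

Two points worth noticing in the decrypt path: the magic prefix is checked before any parsing, and the Poly1305 tag check inside secretbox_open is the only thing that distinguishes a wrong password from a tampered payload, so a failed open must be treated as an error, never as "garbage but usable" plaintext.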

License

The library is available as open source under the terms of the MIT License.