Picocrypt

Picocrypt is a very small (hence "Pico"), very simple, yet very secure file encryption tool. It uses the modern ChaCha20-Poly1305 cipher suite as well as Argon2, making it about as secure and modern of an encryption tool as you'll ever get your hands on. It's very simple to use, which allows anyone to start encrypting private files, no matter what level of experience they have with computers. Picocrypt's focus is security, so it might be slightly slower and less attractive visually than others. Remember: your privacy and security is in your hands. Take good care of it and encrypt your files with Picocrypt. Please donate to help raise money to get Picocrypt audited.

Screenshot

# Downloads Windows Picocrypt for Windows is as easy as it gets. To download the latest, standalone, and portable executable, click here. If your machine has Windows Script Host disabled (unlikely), you can download this, extract it, and run the Picocrypt.exe inside. You can also download an installable version of Picocrypt here. Specific releases and details are available from the Releases tab. MacOS Picocrypt for MacOS is also very easy to use. Download the latest, standalone, and portable executable for MacOS here. Older versions are available under Releases. MacOS might show a notice that Picocrypt is malware (it isn't) and disable opening it. To fix this, open Finder, Ctrl and right click on Picocrypt, and hit "Open". You might have to do this twice to open Picocrypt. After opening Picocrypt, be patient while Picocrypt loads, as it might take a couple seconds. Linux (Debian-based) Picocrypt for Debian-based Linux distros is coming soon.
Note: For some reason, there's an outdated and useless piece of abandonware called PicoCrypt on the Internet, which was last updated in 2005. PicoCrypt is not related to Picocrypt (this project). Make sure you only download Picocrypt from this Github repository to ensure that you download the correct and backdoor-free software. Downloading from somewhere else could mean that you're potentially downloading malicious or hacked software! # Why Picocrypt? Why should you use Picocrypt, instead of Bitlocker, NordLocker, VeraCrypt, or 7-Zip? Here are some reasons why you should switch to Picocrypt: # Instructions Picocrypt is about as simple as it gets. Just drag and drop the file(s) and folder(s) you choose, enter a password, and start. There are some additional options that you can use for more control: # Security I have a solid understanding of cryptography, so I can say with very high confidence that Picocrypt is very secure. It uses XChaCha20-Poly1305, which is a revision of the eSTREAM winner, Salsa20. ChaCha20 has been through a significant amount of cryptanalysis and was selected by security engineers at Google to be used in modern TLS suites. It's considered to be the modern suite of symmetric encryption, and makes Picocrypt more secure than Bitlocker, NordLocker, and 7-Zip. It's used by Cloudflare, Google, and many other forward-thinking companies. In terms of practical security, I have 2FA enabled on all accounts with a tie to Picocrypt, so you can rest assured that the official Picocrypt repository won't be hacked. For key derivation, Picocrypt uses Argon2d, winner of the PHC (Password Hashing Competition), which was completed in 2015. Argon2 is even slower than Scrypt and Bcrypt (for those that don't understand crypto, this is a good thing), making GPU, ASIC, and FPGA attacks impractical due to the huge amount of RAM that is used and written to during the key derivation. For key checking, SHA3-512 (Keccak) is used. For corruption checking, BLAKE3 is used. Before decrypting, Picocrypt checks whether the password is correct by comparing the derived key to a SHA3-512 hash stored in the encrypted file. SHA3 is the latest standard for hashing recommended by the NIST. It's a modern and well-designed hash function that's open-source, unpatented, and royalty-free. XChaCha20-Poly1305, Argon2, and SHA3 are all well-recognized within the field of cryptography and are all considered to be mature and future-proof. You can rely on these ciphers and algorithms to protect your data, as they are all modern and have undergone a large amount of cryptanalysis. I did not write the crypto for Picocrypt. Picocrypt uses two Python libraries, argon2-cffi and pycryptodome to do the heavy lifting, both of which are well known and popular within the Python community. For people who want to know how Picocrypt handles the crypto, or for the paranoid, here is a breakdown of how Picocrypt protects your data:
  1. A 16-byte salt (for Argon2d) and a 24-byte nonce (for XChaCha20) is generated using a CSPRNG (Python's os.urandom())
  2. The encryption/decryption key is generated through Argon2d using the salt above and the following parameters:
  3. If decrypting, compare the derived key with the SHA3-512 hash of the correct key stored in the ciphertext. If encrypting, compute the SHA3-512 of the derived key and add to ciphertext.
  4. Encryption/decryption start, reading in 1MB chunks at a time. For each chunk, it is first encrypted by XChaCha20, and then a BLAKE3 CRC is updated.
  5. If anti-corruption is checked, the 1MB chunk will be split into 128 byte chunks and 13 additional Reed-Solomon (parity) bytes will be added. If decrypting, decode the encoded 1MB chunk to get the raw data.
  6. When encryption/decryption is finished, the MAC tag (Poly1305) will be added to the ciphertext or verified, depending on if you're encrypting or decrypting. If 'Secure wipe' is enabled, the original file is securely deleted via system internals (sdelete64 for Windows, rm -P for MacOS, and shred on Linux).
  7. Similar to above, the BLAKE3 CRC is either checked or added to the ciphertext depending on the operation.
  8. If decrypting and both the BLAKE3 CRC and Poly1305 tag are correct, decryption is considered successful and the process is done. If either don't match, decryption is unsuccessful and an error message will be displayed.
Note: the list above is simplified. A lot more is actually happening. # Roadmap See Roadmap.md for a list of new features and improvements that I'm working on. # Community Here's some places where you can see the latest news about Picocrypt and get involved: These are the official Picocrypt social groups. Be aware of scammers and hackers that might try to impersonate me and get you to download malicious software. Only trust these accounts and only download from this Github repo. # Stargazers [![Stargazers over time](https://starchart.cc/HACKERALERT/Picocrypt.svg)](https://starchart.cc/HACKERALERT/Picocrypt) # Limitations # Contribution If you find a bug or security issue, please create an Issue. If the security problem is severe or critical and could potentially be exploited by hackers if published, please contact me privately here. If one of Picocrypt's dependencies gets a critical security patch, let me know and I'll update the code (if necessary). I'm also open to suggestions and features (you can leave an Issue or write about it in Discussions). # Donations If you find Picocrypt useful, please consider donating. I've spent countless hours on Picocrypt and I'd love to get Picocrypt along with its dependencies audited by a cybersecurity firm such as Cure53. Audits typically cost thousands of dollars, so I'm asking for your support. If every person who saw this message or uses Picocrypt donated a dollar or two, I'd have enough funds to get Picocrypt audited. For more information about donating, see here. # Thank You's A huge thanks to the following list of people, who were the first people to donate and support Picocrypt: Also, thanks to Freepik from Flaticon for Picocrypt's key icon.