# ✨We've Moved!✨ In an effort to make Picocrypt more open to future developments and maintenance from the community, this repository will be moving to [github.com/Picocrypt](https://github.com/Picocrypt). While future developments will likely take place there, this repository will still exist as a trusted and reliable "backup" for people who need the highest level of security and stability. For people who are more open to experimental (and potentially less stable) software, I encourage you to move over to the new Picocrypt organization's repositories. For more details, see [here](https://github.com/HACKERALERT/Picocrypt/issues/186). Thank you all for your support along the way! # Picocrypt

Picocrypt

Picocrypt is a very small (hence Pico), very simple, yet very secure encryption tool that you can use to protect your files. It's designed to be the go-to tool for encryption, with a focus on security, simplicity, and reliability. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security, even from three-letter agencies like the NSA. Your privacy and security is under attack. Take it back with confidence by protecting your files with Picocrypt.

Picocrypt

# Funding **Please donate to Picocrypt on Open Collective (crypto is accepted) to raise money for a security audit from Cure53. Because this is a project that I spend many hours on and make no money from, I cannot pay for an audit myself. Picocrypt needs support from its community.** # Downloads **Important**: There are multiple entities under the name "Picocrypt". For example, there's an old encryption tool called PicoCrypt that uses a broken cipher. There's also an ERC-funded research project called PICOCRYPT. There are even domains related to Picocrypt that I've never registered like picocrypt.com and picocrypt.org. Please don't confuse any of these unrelated (and potentially malicious) projects/domains with Picocrypt (this project). **Make sure to only download Picocrypt from this repository** to ensure that you get the authentic and backdoor-free Picocrypt. When sharing Picocrypt with others, be sure to link to this repository to prevent any confusion. **Beware of picocrypt.org, which claims to be the official website for this project! Remember, there is no official website for Picocrypt.** Even if this self-proclaimed website is taken down, I will not remove this message; let it be a real-world warning to stay vigilant. ## Windows Picocrypt for Windows is as simple as it gets. To download the latest, standalone, and portable executable for Windows, click here. If Microsoft Defender or your antivirus flags Picocrypt as a virus, please do your part and submit it as a false positive for the betterment of everyone. If you use Picocrypt frequently, you can also download the installable version from here, which will install Picocrypt onto your system and add it to your start menu for easy access. The installer also includes extra compatibility helpers, so if the portable executable doesn't work, this likely will. ## macOS Picocrypt for macOS is very simple as well. Download Picocrypt for Apple silicon here, open the container, and drag Picocrypt to your Downloads or Applications. If you can't open Picocrypt because it's not from a verified developer, control-click on Picocrypt and hit Open to bypass the warning. If the app appears to be "damaged" and can't be opened, try manually trusting it from a terminal: ``` xattr -d com.apple.quarantine /Applications/Picocrypt.app ``` Note that Picocrypt requires OpenGL, and may not work in the future if Apple removes it. ## Linux To use Picocrypt on Linux, you can download the raw binary here. Alternatively, you can try the Snap, run Picocrypt through Wine, or compile from source using the instructions in the `src/` directory. ## CLI A command-line interface is available for Picocrypt here. It can encrypt and decrypt files, folders, and globs, and supports paranoid mode and Reed-Solomon encoding. You can use it on systems that don't have a GUI or can't run the GUI app, or to write automated shell scripts for backups, etc. ## Web A web interface for Picocrypt is available here, allowing you to use a lite version of Picocrypt on any device. Keep in mind that its functionality is very limited and you won't be able to use any advanced features or encrypt large files. It is also quite slow compared to the native app. ## Paranoid Pack The Paranoid Pack is a compressed archive that contains executables for Windows, macOS, and Linux, including the source code and dependencies. As long as you have it stored in a place you can access, you'll be able to open it and use Picocrypt on any desktop operating system in case this repository mysteriously vanishes or the entire Internet burns down. Think of it as a seed vault for Picocrypt; as long as one person has the Paranoid Pack within reach, they can share it with the rest of the world and keep Picocrypt functional in case of catastrophic events. The best way to ensure Picocrypt is accessible many decades from now is to keep a Paranoid Pack in a safe place. Get your copy here. # Why Picocrypt? Why should you use Picocrypt instead of VeraCrypt, 7-Zip, BitLocker, or Cryptomator? Here are a few reasons why you should choose Picocrypt: # Comparison Here's how Picocrypt compares to other popular encryption tools. | | Picocrypt | VeraCrypt | 7-Zip GUI | BitLocker | Cryptomator | | -------------- | -------------- | -------------- | -------------- | -------------- | -------------- | | Free |✅ Yes |✅ Yes |✅ Yes |✅ Bundled |✅ Yes | | Open Source |✅ GPLv3 |✅ Multi |✅ LGPL |❌ No |✅ GPLv3 | | Cross-Platform |✅ Yes |✅ Yes |❌ No |❌ No |✅ Yes | | Size |✅ 3 MiB |❌ 20 MiB |✅ 2 MiB |✅ N/A |❌ 50 MiB | | Portable |✅ Yes |✅ Yes |❌ No |✅ Yes |❌ No | | Permissions |✅ None |❌ Admin |❌ Admin |❌ Admin |❌ Admin | | Ease-Of-Use |✅ Easy |❌ Hard |✅ Easy |✅ Easy |🟧 Medium | | Cipher |✅ XChaCha20 |✅ AES-256 |✅ AES-256 |🟧 AES-128 |✅ AES-256 | | Key Derivation |✅ Argon2 |🟧 PBKDF2 |❌ SHA-256 |❓ Unknown |✅ Scrypt | | Data Integrity |✅ Always |❌ No |❌ No |❓ Unknown |✅ Always | | Deniability |✅ Supported |✅ Supported |❌ No |❌ No |❌ No | | Reed-Solomon |✅ Yes |❌ No |❌ No |❌ No |❌ No | | Compression |✅ Yes |❌ No |✅ Yes |✅ Yes |❌ No | | Telemetry |✅ None |✅ None |✅ None |❓ Unknown |✅ None | | Audited |❌ [Donate](https://opencollective.com/picocrypt) |✅ Yes |❌ No |❓ Unknown |✅ Yes | Keep in mind that while Picocrypt does most things better than other tools, it's not a one-size-fits-all and doesn't try to be. There are use cases such as full-disk encryption where VeraCrypt and BitLocker would be a better choice. So while Picocrypt is a great choice for the majority of people, you should still do your own research and use what's best for you. # Features Picocrypt is a very simple tool, and most users will intuitively understand how to use it in a few seconds. On a basic level, simply dropping your files, entering a password, and hitting Encrypt is all that's needed to encrypt your files. Dropping the output back into Picocrypt, entering the password, and hitting Decrypt is all that's needed to decrypt those files. Pretty simple, right? While being simple, Picocrypt also strives to be powerful in the hands of knowledgeable and advanced users. Thus, there are some additional options that you may use to suit your needs. # Security For more information on how Picocrypt handles cryptography, see Internals for the technical details. If you're worried about the safety of me or this project, let me assure you that this repository won't be hijacked or backdoored. I have 2FA (TOTP) enabled on all accounts with a tie to Picocrypt (GitHub, Reddit, Google, etc.), in addition to full-disk encryption on all of my portable devices. For further hardening, Picocrypt uses my isolated forks of dependencies and I fetch upstream only when I have taken a look at the changes and believe that there aren't any security issues. This means that if a dependency gets hacked or deleted by the author, Picocrypt will be using my fork of it and remain completely unaffected. You can feel confident about using Picocrypt. ## Signatures For the paranoid, Picocrypt is signed with PGP. The fingerprint and public key are listed below.
B342A744BDEEA57B6A583E33A247E73798946F55
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYoGUHxYJKwYBBAHaRw8BAQdAvmQA+pdbDB/ynJxHhNDpz6Sb5tgkNuuNJIvw
HYwZtqi0CVBpY29jcnlwdIiTBBMWCgA7FiEEs0KnRL3upXtqWD4zokfnN5iUb1UF
AmKBlB8CGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQokfnN5iUb1UZ
RgEA8jbIsdqCr21DWxcqW/eLlbxRkuA8kflVYvWWUxtVqsUA/jQPSDpvA8rakvaL
PIbXjQvrAMkEVIc0HbCzLxr1k3sH
=YFwz
-----END PGP PUBLIC KEY BLOCK-----
# Community Keep an eye on r/Picocrypt. While I won't be active in this subreddit myself, it's still a great place to ask questions and help one another out, especially if something happens to me or this repository in the future. Remember to only trust this specific subreddit and be aware of hackers that might try to impersonate me on other platforms. I will never ask you for your password, and anyone who does is not me. I will never tell you to download a file from a suspicious link, and anyone who does is not me. # Donations When I was actively developing Picocrypt, I accepted donations, but now that Picocrypt is complete and production-ready, there's no need anymore. Instead, take your time and effort to share the love of Picocrypt with others. Donations are nice, but being able to help others is a lot more valuable to me than a few spare dollars. Knowing that Picocrypt is helping people secure their files is plenty enough for me. # FAQ **Is Picocrypt accepting new features?** No, Picocrypt is considered feature-complete and won't be getting any new features. Unlike other tools which try to constantly add new features (which introduces new bugs and security holes), Picocrypt focuses on just a few core features but does each of them exceptionally well. Remember Picocrypt's ideology: small, simple, and secure. **Will Android/iOS be supported?** No, I don't plan on supporting Android or iOS because they are very different from traditional desktop operating systems and require different toolchains to develop apps for. Due to the nature of open-source software, however, a community-built version of Picocrypt for Android or iOS may appear in the future. **Why is Picocrypt not updated frequently?** People seem to have the notion that software must be constantly updated to stay relevant and secure. While this may be true for a lot of the software we use today, it is not for Picocrypt. Picocrypt is "good software" and good software doesn't need constant updates to remain relevant and secure. Good software will always be good software. **Does the "Delete files" feature shred files?** No, it doesn't shred any files and just deletes them as your file manager would. On modern storage mediums like SSDs, there is no such thing as shredding a file since wear leveling makes it impossible to overwrite a particular sector. Thus, to prevent giving users a false sense of security, Picocrypt doesn't include any shredding features at all. **Is Picocrypt quantum-secure?** Yes, Picocrypt is secure against quantum computers. All of the cryptography used in Picocrypt works off of a private key, and private-key cryptography is considered to be resistant against all current and future developments, including quantum computers. # Acknowledgements A thank you from the bottom of my heart to the significant contributors on Open Collective: Also, a huge thanks to the following people who were the first to donate and support Picocrypt: Finally, thanks to these people/organizations for helping me out when needed: