Good Enough Cryptography (gecrypt) is an attempt to create a simple, passphrase-based file encryption tool founded on sound theory and realistic assumptions. The program derives its keys using PBKDF2, it encrypts using AES256-CBC, and it authenticates using HMAC-SHA256. Unlike with some other encryption programs, authentication is part of the design, rather than an afterthought.
Good Enough Cryptography aims for strong notions of security: IND-CCA2, INT-CTXT and INT-PTXT. Criticism and cryptanalysis are welcome.
Note: The file format is in flux. Versions of gecrypt prior to 0.5 are incompatible with the current version.
File format change: The "encrypted header" approach used in previous releases added unnecessary complexity to the file format, and it relied on the ability to generate good, unpredictable random numbers. Today, random number generator weaknesses are being discovered fairly often, so it might be wise to avoid relying too much on random numbers.
We now derive the payload authentication and encryption keys directly from the passphrase and a 256-bit nonce; The approach of storing randomly-generated payload keys in an encrypted header is no longer used.
In this version of the file format, the only randomness requirement (aside from the requirement that the passphrase must be unpredictable) is that the nonce must be unique (for a given passphrase). The nonce is not secret and it does not need to be "random-looking".
We now also use CBC mode instead of CTR mode, since CBC mode leaks less information if an IV does happen to get reused. The downside is that the --fixed-size option now only works with multiples of 16 bytes.
Additionally, the minimum PBKDF2 iteration count (kdf-cost) has been reduced from 10 to 1. The minimum of 10 iterations was arbitrary and unnecessary. If people use weak passphrases with gecrypt, 10 iterations is not enough to provide any significant level of security, and using a single iteration should help increase performance when the passphrase is generated by some other automatic process (e.g. authenticated Diffie-Hellman key exchange).
usage: gecrypt [options] [FILE] options: --version show program's version number and exit -h, --help show this help message and exit -v, --verbose verbose mode -d, --decrypt decrypt -o FILE, --outfile=FILE write output to FILE (default: stdout) -k FILE, --keyfile=FILE read key from FILE --keyfd=FD read key from file descriptor --fixed-size=SIZE pad output to a fixed size. this prevents an adversary from determining the size of the plaintext. must be a multiple of 16. [encrypt only] --kdf-cost=ITERATIONS advanced: specify how slow the PKCS#5 key derivation should be (min: 1, default: 1000, max: 65535) [encrypt only]