Due to the encryption algorithm in use here, large files should not be encrypted with this tool. Robocrypt keeps data in memory while encrypting/decrypting, so depending on the RAM in your system there will be a limit on the size of files you can handle with this tool.
Robocrypt is amazing for encrypting small files and folders with sensitive data. It uses symmetric key encryption, plus a salt of random bytes. I guarantee that ain't nobody gonna break the encryption, unless you use a sub-par password.
pip3 install robocrypt
Create a secure
directory in /var
that only your user can read/write too:
$ sudo mkdir /var/secure
$ sudo chmod 740 /var/secure
If you're using Windows, do the same thing but in C:\secure
.
Generate a salt to use when encrypting stuff:
$ robocrypt generate-salt 69173
Make sure that you decrypt anything you've encrypted with your current salt(or back it up) before you change it! Otherwise you will never be able to recover files that you encrypted. If you intend to share encrypted files with someone, you also need to share your salt with them, or they will have serious trouble trying to decrypt the files.
def command_line()
This is the command line entry point of robocrypt
.
This contains information about the module such as version and author.
This contains all the core functions used by robocrypt
.
def decrypt( message: bytes, password: bytes ) ‑> bytes
Decrypt a chunk of bytes with a password.
Args
message
: bytes
: The bytes to decrypt
password
: bytes
: The password to decrypt the message with
Returns
bytes
: the decrypted bytes
def decrypt_file( filepath: str, password: str )
Decrypts a file and saves it without its robo extension.
Args
filepath
: str
: The encrypted file to decrypt
password
: str
: The password to decrypt the file with
def encrypt( message: bytes, password: bytes ) ‑> bytes
Encrypts a bytes message using the specified bytes password.
Args
message
: bytes
: the message to encrypt
password
: bytes
: the password to encrypt the message with
Returns
bytes
: the encrypted bytes
def encrypt_file( filepath: str, password: str )
Encrypts a file and saves it with a .robo
for file or .robodir
extension for directories. I strongly advise that you not mess with the extensions if you want to be able to properly decrypt your files.
Args
filepath
: str
: The file or directory to encrypt
password
: str
: the password to encrypt the file with
def generate_salt( length: int )
Generates a salt and stores it in the file indicated by the ENV var ROBO_SALT_FILE
.
Args
length
: int
: the number of bytes to contain in the salt
Returns
str
: the location of the new salt file
def get_kdf()
Gets a KDF object to perform cryptography with.
Returns
PBKDF2HMAC
: the KDF to perform encryption/decryption with
def get_salt( salt_file: str = None ) ‑> bytes
Gets the salt bytes used to encrypt and decrypt things.
If a salt file is not specified and the env var ROBO_SALT_FILE
is not set, a default salt location for your OS will be used. If there is not a salt at that location, robocrypt will raise an error.
The salt file location is stored in the environment variable ROBO_SALT_FILE
. You can modify this environment variable to point to different salt files if desired.
Args
salt_file
: str
: a custom file to read the salt from.
Returns
str
: the salt bytes
def get_salt_file() ‑> str
Returns the location of the salt file used for cryptography.
On Unix systems the salt file is at /var/secure/robocrypt.salt
, and on Windows the salt is at C:/secure/robocrypt.salt
. If a custom salt is specified in the environment variable ROBO_SALT_FILE
, it will be used instead of the OS default.
Returns
str
: the path the to salt file
def read_encrypted_file( filepath: str, password: str ) ‑> bytes
Returns the decrypted content of an encrypted file without decrypting the file itself.
Args
filepath
: str
: the encrypted file to read
password
: str
: the password to use to read the file
Returns
bytes
: the file's decrypted content in bytes
class DecryptionError
This occurs when an invalid password is used to try to decrypt something, or the wrong salt is used.
Generated by pdoc 0.10.0 (https://pdoc3.github.io). That's why the documentation looks like crap.
Here is the help
for the robocrypt CLI:
usage: robocrypt [-h] [-s SALT_FILE] [-v] {generate-salt,gs,encrypt,en,decrypt,de} ...
____ __ __ __
/ __ \____ / /_ ____ / // /
/ /_/ / __ \/ __ \/ __ \ / // /_
/ _, _/ /_/ / /_/ / /_/ / /__ __/
/_/ |_|\____/_.___/\____/ /_/
positional arguments:
{generate-salt,gs,encrypt,en,decrypt,de}
generate-salt (gs) generate and save a new random salt of a given length
encrypt (en) encrypt a file or directory
decrypt (de) decrypt a file or directory
optional arguments:
-h, --help show this help message and exit
-s SALT_FILE, --salt-file SALT_FILE
specify a salt file to use
-v, --version show program's version number and exit
The commands you can use are these:
generate-salt
or shortcutgs
encrypt
or shortcuten
decrypt
or shortcutde
To specify a salt file to generate, encrypt, or decrypt, use the argument --salt-file /path/to/saltfile
.
Generate a salt in the default location:
$ sudo robocrypt generate-salt 5829
Overwriting your old salt will render anything encrypted with it absolutely un-readable, unless you back it up.
Are you sure you want to do this? yes
Successfully saved a salt of length 5829 to /var/secure/robocrypt.salt
Robocrypt will ask you if you really want to overwrite any existing salt files. Answering no
at the prompt will exit the program without touching the salt.
Generate a salt to a specific file:
$ sudo robocrypt --salt-file /var/secure/myother.salt generate-salt 5829
Successfully saved a salt of length 5829 to /var/secure/myother.salt
Here we were not prompted to confirm because there was no previous file at /var/secure/myother.salt
.
Encrypt a file:
$ robocrypt encrypt tests/data/Dictionary.java
Enter password to encrypt: 🔑
Successfully encrypted /path/tests/data/Dictionary.java!
$ ls tests/data/
Dictionary.java.robo src
You can see that Dictionary.java
was encrypted and saved as Dictionary.java.robo
.
Encrypt a folder with a specified salt:
$ robocrypt --salt-file /var/secure/alternate.salt encrypt tests/data/src/
Enter password to encrypt: 🔑
Successfully encrypted /path/tests/data/src!
$ ls tests/data/
Dictionary.java.robo src.robodir
The src
directory was encrypted and saved as src.robodir
using the alternate.salt
.
Decrypt a file:
$ robocrypt decrypt tests/data/Dictionary.java.robo
Enter password to decrypt: 🔑
Successfully decrypted /path/tests/data/Dictionary.java.robo!
$ ls tests/data/
Dictionary.java src.robodir
Dictionary.java
was restored to its original state with only the .java
extension.
Decrypt a folder with a specified salt:
$ robocrypt --salt-file /var/secure/alternate.salt decrypt tests/data/src.robodir
Enter password to decrypt: 🔑
Successfully decrypted /path/tests/data/src.robodir!
$ ls tests/data/
Dictionary.java src
Now the src
directory is back to normal, with no .robodir
extension.
When using the tool, don't jack around with the output files' extensions (.robo
and .robodir
). Robocrypt uses these extensions to tell what type of file is encrypted and if change them, you will regret it. Also, I would recommend not double-encrypting anything. Because of the way the program works with extensions, you'll end up screwing yourself. Encrypt your shit one time with a strong password.