lemmacmd: simple file encryption tool
Occasionally we all need to encrypt files as part of our job. The need comes up for a variety of reasons: committing sensitive information into a repository, transferring information over an insecure medium, or leaving something on disk that requires stronger access controls than the operating system provides.
While a variety of options exist, most of them are clunky, confusing, or worse yet, give a false sense of security. For example, GPG is often recommended for encrypting files, but it ships with a variety of outdated ciphers and usability has never been its strong suit. OpenSSL comes with a convenient command line tool, “openssl enc”, but it doesn’t support any form of authenticated encryption.
Mailgun has written a simple tool called lemmacmd that uses NaCl and PBKDF#2 under the hood to encrypt and decrypt small files on disk. It gets a lot of things right:
- Easy to use:
    lemmacmd encrypt -in foo.txt -out foo.txt.enc
- Supports both keys and passphrases, so it can be used in an automated manner or interactively.
- When it’s used with a passphrase, it uses a KDF (PBKDF#2) with a large iteration count: 524,288.
- It uses an authenticated cipher: Salsa20 with Poly1305 as a Message Authentication Code (MAC), from the NaCl library.
- It’s a small statically linked 4 MB binary that can be dropped anywhere and it will work.
- It’s fast: encrypting a 10 MB file takes a little bit over a second.
- It’s easily auditable: lemmacmd is only 222 lines, the lemma library is only 365 lines, and the actual crypto code from NaCl and PBKDF#2 is only 226 lines.
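The property the passphrase and authenticated-cipher points above rely on is that a stretched key plus a MAC check means a modified file is refused outright rather than quietly decrypted to garbage. The following is an added illustration of that structure, not lemma's or lemmacmd's own code or file format: it uses the 524,288-iteration PBKDF2 step from the post, and stands in HMAC-SHA256 (in counter mode as the stream cipher, and as the tag) for NaCl's Salsa20/Poly1305 so that it runs with only the Python standard library. The hash choice, salt length, key split and layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Iteration count the post reports for lemmacmd's PBKDF#2 step.
ITERATIONS = 524_288
NONCE_LEN = 24   # same nonce size as NaCl secretbox
TAG_LEN = 32     # HMAC-SHA256 tag (stand-in for the 16-byte Poly1305 tag)

def derive_keys(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """PBKDF2 -> 32-byte encryption key + 32-byte MAC key (SHA-256 and the split are assumptions)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=64)
    return material[:32], material[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher for XSalsa20."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detectable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_box(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None (no plaintext at all) on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))

def tamper_is_detected(passphrase: bytes, plaintext: bytes, iterations: int = ITERATIONS) -> bool:
    """Round-trip a message, then flip one ciphertext bit and confirm decryption refuses it."""
    salt = secrets.token_bytes(16)          # constructed per-file salt
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    blob = seal(enc_key, mac_key, plaintext)
    assert open_box(enc_key, mac_key, blob) == plaintext
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01              # first ciphertext byte; an unauthenticated mode would decrypt this silently
    return open_box(enc_key, mac_key, bytes(flipped)) is None
```

Running `tamper_is_detected(b"passphrase", b"some file contents")` with the default iteration count also gives a feel for the per-guess cost that 524,288 iterations imposes on anyone trying passphrases offline.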
As always, if you find any issues (or security vulnerabilities!) please reach out to us via GitHub.
Tags: Encryption
Modified on: March 13, 2019