IT & Engineering

Lemmacmd: Simple file encryption tool

Occasionally we all find the need to encrypt files as part of our job. The need to encrypt files comes up for a variety of reasons: the need to commit sensitive information into a repository, the need to transfer information over an insecure medium, or the need to leave something on disk that requires stronger access controls than the operating system provides.
Image for Lemmacmd: Simple file encryption tool

Share to

July 16, 2019

Occasionally we all find the need to encrypt files as part of our job. The need to encrypt files comes up for a variety of reasons: the need to commit sensitive information into a repository, the need to transfer information over an insecure medium, or the need to leave something on disk that requires stronger access controls than the operating system provides.

While a variety of options exist, most of them are clunky, confusing, or worse yet, give a false sense of security. For example GPG is often recommended to encrypt files, but it ships with a variety of outdated ciphers and usability has never been it’s strong suit. OpenSSL comes with a convenient command line tool called “openssl enc”, but it actually doesn’t support any form of authenticated encryption.

Mailgun has written a simple tool called lemmacmd that uses NaCl and PBKDF#2 under the hood to encrypt and decrypt small files on disk. It gets a lot of things right:

  • Easy to use: lemmacmd encrypt -in foo.txt -out foo.txt.enc
  • Supports both keys and passphrases so it can be used in a automated manner or interactively.
  • When it’s used with a passphrase, it uses a KDF (PBKDF#2) with a large iteration count: 524,288.
  • It uses a authenticated cipher: Salsa 20 with Poly1305 as a Message Authentication Code (MAC) from the NaCl library.
  • It’s a small statically linked 4 MB binary that can be dropped anywhere and it will work.
  • It’s fast: encrypting a 10 MB file takes a little bit over a second.
  • It’s easily auditable, lemmacmd is only 222 lines, lemma the library is only 365 lines, and the actual crypto code from NaCl and PBKDF#2 is only 226 lines.

If you are interested in checking out the source or contributing, it’s available via GitHub as is the latest release.

As always, if you find any issues (or security vulnerabilities!) please reach out to us via GitHub.

Photo of The Sinch Mailgun team

The Sinch Mailgun team The Sinch Mailgun team shares news, best practices, and strategies to take your products and apps to the next level using email. Subscribe to our newsletter to get all the articles in your inbox!

Related articles

Image for How to prepare your Infrastructure for Black Friday
IT & Engineering

How to prepare your Infrastructure for Black Friday

Photo of James Tetler James Tetler
Image for What are SYN flood attacks and how can you defend against them?
IT & Engineering

What are SYN flood attacks and how can you defend against them?

Photo of Em Blitstein Em Blitstein
Image for Software bugs and how to fix them faster
IT & Engineering

Software bugs and how to fix them faster

Photo of Derrick Wippler Derrick Wippler
See more articles