Occasionally we all find the need to encrypt files as part of our job. The need to encrypt files comes up for a variety of reasons: the need to commit sensitive information into a repository, the need to transfer information over an insecure medium, or the need to leave something on disk that requires stronger access controls than the operating system provides.
While a variety of options exist, most of them are clunky, confusing, or worse yet, give a false sense of security. For example GPG is often recommended to encrypt files, but it ships with a variety of outdated ciphers and usability has never been it’s strong suit. OpenSSL comes with a convenient command line tool called “openssl enc”, but it actually doesn’t support any form of authenticated encryption.
Mailgun has written a simple tool called lemmacmd that uses NaCl and PBKDF#2 under the hood to encrypt and decrypt small files on disk. It gets a lot of things right:
Easy to use:
lemmacmd encrypt -in foo.txt -out foo.txt.enc
Supports both keys and passphrases so it can be used in a automated manner or interactively.
When it’s used with a passphrase, it uses a KDF (PBKDF#2) with a large iteration count: 524,288.
It uses a authenticated cipher: Salsa 20 with Poly1305 as a Message Authentication Code (MAC) from the NaCl library.
It’s a small statically linked 4 MB binary that can be dropped anywhere and it will work.
It’s fast: encrypting a 10 MB file takes a little bit over a second.
It’s easily auditable, lemmacmd is only 222 lines, lemma the library is only 365 lines, and the actual crypto code from NaCl and PBKDF#2 is only 226 lines.
As always, if you find any issues (or security vulnerabilities!) please reach out to us via GitHub.
Last updated on August 24, 2019