ECRYPTO transforms folders and files into tamper-proof encrypted containers using XChaCha20-Poly1305 and Argon2id. Enterprise security made accessible.
A five-stage process transforms your data into an encrypted container. Argon2id strengthens passphrases, while key files provide maximum entropy.
Understanding the cryptographic operations at each stage
Argon2id (memory=256MB, iterations=3, parallelism=1) transforms passphrases into 256-bit keys. Key files bypass this step for maximum performance.
Folder hierarchy compressed as ZIP archive. File names and metadata encrypted within ciphertext for privacy.
XChaCha20-Poly1305 AEAD cipher provides authenticated encryption. Headers and payload both protected by authentication tag.
Single .ecrypt container includes header metadata, encrypted payload, and Poly1305 authentication tag.
Reversing the pipeline to restore your data
Extract version, KDF parameters, salt, and nonce from container header.
Regenerate 256-bit key using stored salt or load key file directly.
Verifying the Poly1305 tag ensures data integrity before decryption begins.
Decrypt payload, decompress ZIP, and reconstruct folder hierarchy.
Understanding what ECRYPTO protects and operational security considerations
| Protected Against | Implementation |
|---|---|
| Unauthorized Access | 256-bit XChaCha20-Poly1305 encryption |
| Data Tampering | Poly1305 authentication tag verification |
| Metadata Exposure | File names encrypted within container |
| Brute Force Attacks | Argon2id memory-hard key derivation |

| User Responsibility | Best Practice |
|---|---|
| Weak Passphrases | Use 16+ character passphrases or key files |
| Key Management | Store keys in password managers or secure vaults |
| System Security | Maintain clean OS, use full-disk encryption |
| Key Loss | No recovery possible; back up keys securely |

Tune Argon2id parameters to balance security and performance for your hardware
ecrypto encrypt --in folder --out backup.ecrypt --pass "password" --argon-m 131072 --argon-t 2
128MB memory, 2 iterations — suitable for older hardware
ecrypto encrypt --in folder --out backup.ecrypt --pass "password" --argon-m 262144 --argon-t 3
256MB memory, 3 iterations — recommended for most users
ecrypto encrypt --in folder --out backup.ecrypt --pass "password" --argon-m 524288 --argon-t 5
512MB memory, 5 iterations — maximum passphrase protection
ecrypto encrypt --in folder --out backup.ecrypt --key-file key.txt
Key files skip KDF entirely — instant encryption/decryption
Internal structure of .ecrypt files — authenticated headers with encrypted payload
.ecrypt Container (v1)
┌─────────────────────────────────────────
│ HEADER (Authenticated)
├─────────────────────────────────────────
│ Magic Bytes     ECRYPT01
│ Version         1
│ KDF Type        0=raw key | 1=argon2id
│ Argon2 Params   memory, iterations, parallelism
│ Salt            16 bytes (random)
│ Nonce           24 bytes (random)
├─────────────────────────────────────────
│ ENCRYPTED PAYLOAD
├─────────────────────────────────────────
│ Compressed ZIP archive (encrypted)
│ ├─ File hierarchy
│ ├─ File contents
│ └─ Metadata
├─────────────────────────────────────────
│ AUTHENTICATION TAG
├─────────────────────────────────────────
│ Poly1305 MAC    16 bytes
└─────────────────────────────────────────
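The header fields read in the first decryption step, as an added example (not ECRYPTO's own code): a parser that bounds-checks the KDF parameters before any key derivation, because the Poly1305 tag cannot be verified until the key exists. Field widths, byte order, and the policy ceilings are assumptions; the page gives only the magic bytes, the KDF type values, and the salt, nonce and tag sizes.

```python
import struct

MAGIC = b"ECRYPT01"                      # magic bytes from the format diagram
KDF_RAW, KDF_ARGON2ID = 0, 1             # KDF type values from the diagram
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 24, 16
# ASSUMED layout (widths and byte order are not given on the page):
# magic[8] | version u8 | kdf u8 | memory_kib u32 | iterations u32 | parallelism u8
_FIXED = struct.Struct(">8sBBIIB")
HEADER_LEN = _FIXED.size + SALT_LEN + NONCE_LEN
# ASSUMED local policy ceilings: refuse parameters that a hostile container
# could use to exhaust memory or CPU during key derivation.
MAX_MEMORY_KIB, MAX_ITERATIONS, MAX_PARALLELISM = 1024 * 1024, 10, 4


class HeaderError(ValueError):
    pass


def parse_header(blob: bytes) -> dict:
    """Parse and sanity-check an .ecrypt header before deriving any key."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise HeaderError("truncated container")
    magic, version, kdf, mem, iters, par = _FIXED.unpack_from(blob, 0)
    if magic != MAGIC:
        raise HeaderError("bad magic")
    if version != 1:
        raise HeaderError(f"unsupported version {version}")
    if kdf not in (KDF_RAW, KDF_ARGON2ID):
        raise HeaderError(f"unknown KDF type {kdf}")
    if kdf == KDF_ARGON2ID and not (
        1 <= par <= MAX_PARALLELISM
        and 8 * par <= mem <= MAX_MEMORY_KIB      # Argon2 minimum is 8 KiB per lane
        and 1 <= iters <= MAX_ITERATIONS
    ):
        raise HeaderError("Argon2id parameters outside local policy")
    return {
        "version": version, "kdf": kdf,
        "memory_kib": mem, "iterations": iters, "parallelism": par,
        "salt": blob[_FIXED.size:_FIXED.size + SALT_LEN],
        "nonce": blob[_FIXED.size + SALT_LEN:HEADER_LEN],
        "header": blob[:HEADER_LEN],              # the authenticated header bytes
        "ciphertext": blob[HEADER_LEN:-TAG_LEN],
        "tag": blob[-TAG_LEN:],
    }


def build_sample(mem=262144, iters=3, par=1, kdf=KDF_ARGON2ID) -> bytes:
    """Constructed sample container: zeroed salt, nonce and tag, dummy payload."""
    head = _FIXED.pack(MAGIC, 1, kdf, mem, iters, par)
    return head + bytes(SALT_LEN) + bytes(NONCE_LEN) + b"\xAA" * 32 + bytes(TAG_LEN)
```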
Essential commands for encryption, decryption, and key management
ecrypto encrypt --in folder --out backup.ecrypt --pass "SecurePass123!"
ecrypto keygen --out encryption.key
ecrypto encrypt --in folder --out backup.ecrypt --key-file encryption.key
ecrypto decrypt --in backup.ecrypt --out restored --pass "SecurePass123!"
ecrypto info --file backup.ecrypt
View container version, KDF settings, and timestamps
Incorrect passphrase/key or corrupted container file
Output must be a file path, not a directory
Reduce --argon-m parameter value
Use SSD storage or switch to key files