
Picocrypt: A Simple, Powerful Encryption Tool

Two years ago, I wrote an article about hacking attempts on my home network, and the steps I took to address the situation. You can read that article here. One step I took was to go through both my computer and network-attached storage (NAS) and encrypt all files that contained personal or sensitive data. I wrote, “I will have an upcoming article on the secure encryption tool I used.” Well, it has been a while but here is that article.

Picocrypt

Picocrypt is a small (hence “Pico”), simple, and secure encryption tool. You can use it to encrypt files and folders much as you would use an archive utility. Unlike an archive utility, Picocrypt is designed from the ground up for encryption, with a focus on security, simplicity, and reliability. You can get Picocrypt here. It is available in Windows (what I am using), macOS, and Linux versions. There is also a Command Line Interface (CLI) app and even a Web app version, which allows encryption and decryption in any modern browser.

Features

  • Picocrypt and its dependencies are completely open-source
  • Is tiny at less than 3 MiB
  • Uses the XChaCha20 stream cipher
  • Uses the Argon2id key derivation function (I wrote about Argon2id and how to set it in Bitwarden in this article)
  • Is portable (does not need to be installed)
  • Standard privileges – does not require administrator/root privileges
  • Authenticates data in addition to encrypting it, so a tampered or damaged volume is rejected at decryption time instead of silently producing altered plaintext (useful for sending encrypted files over an insecure channel when you need to know they arrived untouched)
  • Allows keyfiles – a file used as a second factor alongside the password; without the keyfile, the password alone cannot decrypt the volume
  • Has a Reed-Solomon option – an error-correction code that adds 8 parity bytes for every 128 bytes of data. It does not prevent corruption, but it lets Picocrypt repair up to 4 damaged bytes in each 136-byte block, which is what you want for long-term storage on a cloud provider or external medium where bit rot is a risk
  • Has a Paranoid mode – encrypts data with both XChaCha20 and Serpent in a cascade and authenticates with HMAC-SHA3 instead of BLAKE2b, with significantly increased Argon2 parameters. An attacker would have to break both XChaCha20 and Serpent to recover the data. That only holds if your password is strong; a weak password remains the easiest way in, paranoid mode or not. Expect slower encryption and decryption
  • Has a Compress files option – applies the standard Deflate compression algorithm during encryption
  • Deniability – Picocrypt volumes normally carry an easily recognizable header. This option makes the output volume indistinguishable from a stream of random bytes, which provides plausible deniability. Note: this mode slows down encryption and decryption, requires manually renaming the volume, renders comments useless, and voids the extra security precautions of paranoid mode. Only use it if absolutely necessary
  • Has a Recursive option – encrypts/decrypts every file separately instead of producing one combined volume (useful if you are encrypting thousands of large documents and want to be able to decrypt any one of them without downloading and decrypting the entire set)
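To make the Reed-Solomon bullet concrete, here is a toy RS(136,128) encoder and decoder in Python. This is an added example written for this article, not Picocrypt's own code: the 128-data/8-parity ratio is the one the feature list states, while the field polynomial (0x11d), the generator roots alpha^0..alpha^7 and the Berlekamp-Massey plus Gauss-Jordan decoding route are my choices, and the 128-byte sample block and corrupted byte offsets are constructed for the demo. It shows that 8 parity bytes let the decoder repair any 4 damaged bytes in a block, and that a fifth error is beyond what the code can reliably fix.

```python
# Toy Reed-Solomon RS(136,128) over GF(2^8): an added example, not Picocrypt's code.
# 8 parity bytes per 128 data bytes (the ratio the article gives) let the decoder
# locate and repair up to 4 corrupted bytes in each 136-byte block. The field
# polynomial (0x11d) and generator roots alpha^0..alpha^7 are assumptions of mine.
NSYM, BLOCK = 8, 128

# GF(256) exp/log tables for the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1
EXP, LOG = [0] * 512, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def ginv(a):
    return EXP[255 - LOG[a]]

def gpow(a, p):
    return EXP[(LOG[a] * p) % 255]

def peval(poly, x):  # Horner; coefficients are highest degree first
    y = 0
    for c in poly:
        y = gmul(y, x) ^ c
    return y

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gmul(a, b)
    return r

def padd(p, q):  # add polynomials aligned on their low-order (rightmost) terms
    n = max(len(p), len(q))
    r = [0] * n
    for i, c in enumerate(p):
        r[i + n - len(p)] = c
    for i, c in enumerate(q):
        r[i + n - len(q)] ^= c
    return r

def rs_encode(data, nsym=NSYM):
    """Systematic encoding: data bytes followed by nsym parity bytes."""
    gen = [1]
    for i in range(nsym):  # g(x) = prod (x - alpha^i), alpha = 2
        gen = pmul(gen, [1, gpow(2, i)])
    buf = list(data) + [0] * nsym  # remainder of data*x^nsym mod g(x)
    for i in range(len(data)):
        if buf[i]:
            for j in range(1, len(gen)):
                buf[i + j] ^= gmul(gen[j], buf[i])
    return bytes(data) + bytes(buf[len(data):])

def rs_decode(cw, nsym=NSYM):
    """Data bytes with up to nsym//2 byte errors repaired; ValueError if beyond repair."""
    cw, n = list(cw), len(cw)
    synd = [peval(cw, gpow(2, i)) for i in range(nsym)]
    if not any(synd):
        return bytes(cw[:n - nsym])
    s, loc, old = [0] + synd, [1], [1]  # Berlekamp-Massey for the error locator
    for i in range(nsym):
        delta = s[i + 1]
        for j in range(1, len(loc)):
            delta ^= gmul(loc[-(j + 1)], s[i + 1 - j])
        old = old + [0]
        if delta:
            if len(old) > len(loc):
                loc, old = [gmul(c, delta) for c in old], [gmul(c, ginv(delta)) for c in loc]
            loc = padd(loc, [gmul(c, delta) for c in old])
    while loc and loc[0] == 0:
        loc.pop(0)
    errs = len(loc) - 1
    if errs < 1 or 2 * errs > nsym:
        raise ValueError("more than %d byte errors in block" % (nsym // 2))
    rev = loc[::-1]  # Chien search: root alpha^i of the reciprocal <=> error at index n-1-i
    pos = [n - 1 - i for i in range(n) if peval(rev, gpow(2, i)) == 0]
    if len(pos) != errs:
        raise ValueError("locator roots do not match error count")
    xs = [gpow(2, n - 1 - p) for p in pos]  # magnitudes: solve S_i = sum Y_e * X_e^i
    m = [[gpow(x, i) for x in xs] + [synd[i]] for i in range(errs)]
    for col in range(errs):  # Gauss-Jordan elimination over GF(256)
        piv = next(r for r in range(col, errs) if m[r][col])
        m[col], m[piv] = m[piv], m[col]
        inv = ginv(m[col][col])
        m[col] = [gmul(v, inv) for v in m[col]]
        for r in range(errs):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [a ^ gmul(f, b) for a, b in zip(m[r], m[col])]
    for p, row in zip(pos, m):
        cw[p] ^= row[errs]
    if any(peval(cw, gpow(2, i)) for i in range(nsym)):
        raise ValueError("syndrome check failed after correction")
    return bytes(cw[:n - nsym])

def corrupt(cw, positions):
    out = bytearray(cw)
    for p in positions:
        out[p] ^= 0xFF  # simulated bit rot at these byte offsets
    return bytes(out)

def try_decode(cw):
    try:
        return rs_decode(cw)
    except ValueError:
        return None

if __name__ == "__main__":
    data = bytes(range(BLOCK))  # constructed 128-byte sample block
    cw = rs_encode(data)
    print(len(cw), try_decode(corrupt(cw, [0, 57, 99, 135])) == data,
          try_decode(corrupt(cw, [0, 57, 99, 120, 135])) == data)
```

The decoder is deliberately strict: after correcting, it recomputes every syndrome and refuses to return data unless all of them are zero, which is the behaviour you want from a storage tool. Note that this is error correction, not authentication: it repairs random damage but offers no defence against a deliberate edit, which is why Picocrypt still authenticates the volume separately.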

Easy To Use

Picocrypt is easy to use.

To Encrypt

  1. Open Picocrypt
  2. Select the file(s) or folders in a file manager
  3. Drag them into the Picocrypt window
  4. Select your options and enter a password
  5. Click Encrypt

To Decrypt

  1. Open Picocrypt
  2. Select and drag the Picocrypt encrypted volume into the Picocrypt window
  3. Enter the password
  4. Click Decrypt

Compared To Popular Encryption Tools

                 Picocrypt   VeraCrypt   7-Zip GUI   BitLocker   Cryptomator
Free             YES         YES         YES         Bundled     YES
Open Source      GPLv3       Multi       LGPL        NO          GPLv3
Cross-Platform   YES         YES         NO          NO          YES
Size             3 MiB       20 MiB      2 MiB       N/A         50 MiB
Portable         YES         YES         NO          YES         NO
Permissions      None        Admin       Admin       Admin       Admin
Ease-Of-Use      Easy        Hard        Easy        Easy        Medium
Cipher           XChaCha20   AES-256     AES-256     AES-128     AES-256
Key Derivation   Argon2      PBKDF2      SHA-256     Unknown     Scrypt
Data Integrity   Always      NO          NO          Unknown     Always
Deniability      Supported   Supported   NO          NO          NO
Reed-Solomon     YES         NO          NO          NO          NO
Compression      YES         NO          YES         YES         NO
Telemetry        None        None        None        Unknown     None
Audited          YES         YES         NO          Unknown     YES

Picocrypt VS Disk Encryption?

Disk encryption (e.g. BitLocker) is an option, but I don’t use it. I don’t need full disk encryption. Even if I did, disk encryption would not work if I copied a file to the cloud or my NAS.

Picocrypt VS Volume Encryption?

Picocrypt is easier and more productive to use than volume encryption software like VeraCrypt, TrueCrypt, and Cryptomator. With volume encryption, the volume must be created and sized in advance, mounted whenever you want to use it, and the protected files must live inside that volume rather than alongside your unencrypted data. With Picocrypt, you simply encrypt what you want and store the resulting volume anywhere.

Picocrypt VS Archive Utility?

Archive utilities (7-Zip, RAR, PKZip) are great for archiving data, but they have drawbacks when it comes to encrypting it: their focus is archiving, not encryption. I wrote about how Microsoft scans password-encrypted Zip files here. Picocrypt, by contrast, is designed with security and cryptography as its top priority. 7z, for example, was designed with compression in mind, not encryption. Its key derivation is iterated SHA-256 with no memory hardness, so password guessing parallelizes cheaply on GPUs, whereas Picocrypt uses Argon2id. 7z also does not offer authenticated encryption: integrity rests on a CRC32 checksum, which catches accidental damage but is not a keyed MAC and does not stop deliberate tampering. Does it scrub passwords and keys from memory correctly? Unknown. There is also no paranoid mode or Reed-Solomon mode.
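The two objections to 7z above, weak key derivation and no authentication, are easiest to see in code. The following is an added example written for this article, not Picocrypt's or 7-Zip's code, and it uses only the Python standard library: a toy stream cipher keyed by SHA-256 stands in for XChaCha20, hashlib.scrypt stands in for Argon2id (both are salted and memory-hard; the standard library ships no Argon2), and a keyed BLAKE2b tag plays the role of Picocrypt's authenticator. The password, message and edit offsets are constructed for the demo. Without a tag, an attacker who knows where "$100" sits in the plaintext can turn it into "$900" by XORing the ciphertext, and decryption accepts the forgery; with the tag, the same edit is rejected.

```python
# Added example, not Picocrypt's code: why "authenticates data" matters. A stream
# cipher (XChaCha20 in Picocrypt; here a toy keystream built from SHA-256 so the
# script runs on the standard library alone) is malleable: flipping a bit of
# ciphertext flips the same bit of plaintext and decryption cannot tell. A keyed
# BLAKE2b tag over the ciphertext (encrypt-then-MAC) makes the edit detectable.
# hashlib.scrypt stands in for Argon2id, which the standard library does not ship.
import hashlib
import hmac
import os

def derive_keys(password: bytes, salt: bytes):
    """Salted, memory-hard KDF -> independent 32-byte cipher key and MAC key."""
    okm = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (NOT XChaCha20): SHA-256(key || nonce || counter)."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])

def xor_stream(key, nonce, data):  # encryption and decryption are the same operation
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(password: bytes, plaintext: bytes) -> bytes:
    """salt(16) || nonce(24) || ciphertext || BLAKE2b tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(24)  # 24-byte nonce, as XChaCha20 uses
    enc_key, mac_key = derive_keys(password, salt)
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hashlib.blake2b(salt + nonce + ct, key=mac_key, digest_size=32).digest()
    return salt + nonce + ct + tag

def open_unauthenticated(password: bytes, blob: bytes) -> bytes:
    """What a format without a MAC does: decrypt and trust whatever comes out."""
    salt, nonce, ct = blob[:16], blob[16:40], blob[40:-32]
    enc_key, _ = derive_keys(password, salt)
    return xor_stream(enc_key, nonce, ct)

def open_authenticated(password: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before releasing any plaintext."""
    salt, nonce, ct, tag = blob[:16], blob[16:40], blob[40:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expect = hashlib.blake2b(salt + nonce + ct, key=mac_key, digest_size=32).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed: volume modified or wrong password")
    return xor_stream(enc_key, nonce, ct)

def bitflip(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit with no key: knowing plaintext `old` sits at `offset`,
    XOR the ciphertext with old ^ new so it decrypts to `new` instead."""
    body = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        body[40 + offset + i] ^= o ^ n
    return bytes(body)

def demo():
    """Returns (what an unauthenticated decrypt yields, whether the MAC caught it)."""
    pw = b"correct horse battery staple"          # constructed demo password
    msg = b"Transfer $100 to account 4242"          # constructed demo message
    forged = bitflip(seal(pw, msg), msg.index(b"$100"), b"$100", b"$900")
    silently_accepted = open_unauthenticated(pw, forged)
    try:
        open_authenticated(pw, forged)
        detected = False
    except ValueError:
        detected = True
    return silently_accepted, detected

if __name__ == "__main__":
    altered, caught = demo()
    print("without MAC:", altered)
    print("with MAC, forgery detected:", caught)
```

Two details carry over directly to how a real tool should behave: the tag is verified before any plaintext is released, using a constant-time comparison, and the KDF output is split into separate encryption and MAC keys rather than reusing one key for both jobs.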

WTF John! Two Years?

I know… it took two years from when I said I had this article coming to when I wrote it. But I had a good reason. Picocrypt was a relatively new one-man project. At the time, the Picocrypt community was raising funds to pay for an audit. I didn’t feel comfortable recommending a security tool to DCT readers until that audit was done. Well, the audit has been completed. You can read the details of the code audit and penetration testing here.

Bottom Line

Picocrypt is a small, simple, and secure multi-platform encryption tool. It uses the XChaCha20 cipher and the Argon2id key derivation function, and it authenticates everything it encrypts. An optional paranoid mode cascades XChaCha20 with Serpent for the highest practical security, and an optional Reed-Solomon mode adds error correction so a volume survives bit rot in long-term storage. You can use it to encrypt files and folders much as you would use an archive utility. Unlike an archive utility, Picocrypt is designed from the ground up for encryption, with a focus on security, simplicity, and reliability.
