Skip to content

alexylon/ferrocrypt

BranchesTags

Repository files navigation

clavirio

FerroCrypt

  crate: ferrocrypt   docs.rs   crate: ferrocrypt-cli

Multiplatform file encryption tool with CLI and desktop interfaces. Written in Rust.

FerroCrypt
FerroCrypt

About

FerroCrypt encrypts and decrypts files and directories. It supports two modes:

  • Symmetric — Password-based. Uses XChaCha20-Poly1305 with Argon2id key derivation and HKDF-SHA3-256 subkey expansion. Same password encrypts and decrypts.
  • Hybrid — Public/private key based. Combines RSA-4096 (key encryption) with XChaCha20-Poly1305 (data encryption). Each file gets a unique random key sealed with the recipient's public key. Decryption requires the private key and its passphrase.

Both modes produce .fcr files. Decryption is based on magic bytes in the file header, not the file extension — renaming a file won't break anything.

Security

  • XChaCha20-Poly1305 via the audited chacha20poly1305 crate
  • HMAC-SHA3-256 header authentication — tampering is detected before decryption begins
  • Passphrases handled via the secrecy crate (zeroized on drop, hidden from Debug/Display)
  • Triple-replicated headers with majority-vote decoding for error correction
  • Versioned file format with magic bytes — corrupted or incompatible files produce clear errors

Project Structure

Crate Description
ferrocrypt-lib Core encryption library (crates.io)
ferrocrypt-cli CLI binary (crates.io)
ferrocrypt-desktop Desktop app built with Slint

Installation

CLI

cargo install ferrocrypt-cli

Or build from source:

cargo build --release

Binary output: target/release/ferrocrypt (macOS/Linux) or target\release\ferrocrypt.exe (Windows).

Library

cargo add ferrocrypt

CLI Usage

Subcommands

Subcommand Alias Purpose
symmetric sym Encrypt/decrypt with a password
hybrid hyb Encrypt/decrypt with RSA keys
keygen gen Generate an RSA key pair

Run without arguments to start an interactive REPL. Aliases are available in interactive mode.

Symmetric

# Encrypt
ferrocrypt symmetric -i secret.txt -o ./encrypted -p "my password"

# Decrypt
ferrocrypt symmetric -i ./encrypted/secret.fcr -o ./decrypted -p "my password"

# Encrypt with custom output filename
ferrocrypt symmetric -i secret.txt -o ./encrypted -p "my password" -s ./encrypted/backup.fcr

Hybrid

# Generate keys
ferrocrypt keygen -o ./keys -p "key password"

# Encrypt with public key (no passphrase needed)
ferrocrypt hybrid -i secret.txt -o ./encrypted -k ./keys/rsa-4096-pub-key.pem

# Decrypt with private key
ferrocrypt hybrid -i ./encrypted/secret.fcr -o ./decrypted -k ./keys/rsa-4096-priv-key.pem -p "key password"

Interactive Mode

$ ferrocrypt
FerroCrypt interactive mode
Commands: symmetric (sym), hybrid (hyb), keygen (gen), quit

ferrocrypt> sym -i secret.txt -o out -p "my password"
ferrocrypt> quit

Flag Reference

symmetric

Flag Description
-i, --inpath Input file or directory
-o, --outpath Output directory
-p, --passphrase Password for encryption/decryption
-s, --save-as Custom output file path (encrypt only, optional)

hybrid

Flag Description
-i, --inpath Input file or directory
-o, --outpath Output directory
-k, --key Public key (encrypt) or private key (decrypt)
-p, --passphrase Private key passphrase (decrypt only)
-s, --save-as Custom output file path (encrypt only, optional)

keygen

Flag Description
-o, --outpath Output directory for the key pair
-p, --passphrase Passphrase to encrypt the private key
-b, --bit-size RSA key size in bits (minimum: 2048, default: 4096)

Desktop App

Build

Requires Rust. Navigate to the ferrocrypt-desktop directory.

Linux only — install rendering dependencies:

# Debian/Ubuntu
sudo apt install libfontconfig1-dev libfreetype-dev

# Fedora
sudo dnf install fontconfig-devel freetype-devel

macOS and Windows need no extra dependencies.

cargo run              # dev build
cargo build --release  # release build

Binary output: target/release/ferrocrypt-desktop (macOS/Linux) or target\release\ferrocrypt-desktop.exe (Windows).

Usage

Select a file or folder, then choose the encryption mode. The app auto-detects encrypted files by reading the file header, regardless of extension.

  • Symmetric — Enter a password. The output path is auto-filled as {name}.fcr and can be changed with "Save As". Decryption uses a directory picker.
  • Hybrid — Use an existing public key to encrypt, or create a new RSA-4096 key pair inline. After key generation, the app switches to encryption with the new public key pre-filled. Decryption requires a private key + passphrase.

A password strength indicator (based on Proton Pass implementation) is shown during encryption and key generation.

Acknowledgments

The desktop app is built with Slint.

Password strength scoring is adapted from Proton Pass (GPLv3).

forthebadge

About

CLI and GUI encryption/decryption tool built in Rust, using XChaCha20-Poly1305 and RSA-4096

Topics

rust cli security gui cryptography encryption rust-lang rustlang decryption file-encryption security-tools hybrid-encryption symmetric-encryption tauri dioxus

Resources

Readme

License

GPL-3.0 license
Activity

Stars

14 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages