Skip to content
/ eddy Public

Simple, fast CLI file encryption tool

License

Notifications You must be signed in to change notification settings

70sh1/eddy

Repository files navigation

eddy 🌪️

Go version Go code report card Tests status License: MIT

demo

eddy is a simple and fast CLI file encryption tool. It features concurrent file processing while ensuring data authenticity and plausible deniability. It is also capable of generating secure passphrases.

Commands

encrypt, enc, e - encrypt provided files.

decrypt, dec, d - decrypt provided files.

generate, gen, g - generate a passphrase.

Flags

--output, -o - specify output directory.

--passgenlen, -g - specify generated passphrase length (6 is the minimum). Ignored in decryption mode.

--overwrite, -w - enable overwrite existing files.

--no-emoji, -n - disable emojis and color in output.

--force - force decrypt. Bypasses file authentication and, inherently, the password check. Useful if the encrypted file is corrupt (damaged) but you still want to decrypt it.

--unsafe-password - replace interactive password prompt with the provided value. Intended for scripts/automation and reading password from environment variables. The "unsafe" prefix here is to indicate that the provided value will likely stay in the shell command history which is not safe.

Examples

eddy e secret.txt
eddy e secret.txt secret2.png secret3.mp4
eddy -g 8 enc secret.txt
eddy --overwrite encrypt secret.txt
eddy -wo ./Documents dec secret.txt.eddy
eddy --unsafe-password supeR-$ecr3t --no-emoji -o . enc "D:/stuff/secret.txt" secret2.txt
eddy gen 10

Installation

Prebuilt binaries are available for Windows, Linux, and macOS (both x86 and ARM): download the latest release from the releases page for the desired OS.


If you have Go installed, the simplest way to get eddy is to run:

go install github.com/70sh1/eddy@latest

If you are on Linux and using this method, make sure that go bin path is added to your PATH environment variable: e.g. export PATH=$PATH:$HOME/go/bin

Passphrase generation

If no password (empty one) was provided during encryption (this includes lack of --unsafe-password flag and leaving interactive password prompt empty), eddy will generate and use a secure passphrase (length of 6 words by default). The length can be adjusted using --passgenlen (-g) flag. Additionally, if the -g flag is provided, the password prompt will be skipped automatically. The passphrase is generated using cryptohraphically secure PRNG provided by the OS and EFF's long wordlist. The generate command is also available for standalone generation.

You can read more about passphrases here.

What this tool doesn't do

  • eddy doesn't delete input files.
  • eddy doesn't preserve file timestamps (creation date and date modified).
  • eddy doesn't use any methods to increase the resilience of a file, such as error correction code. Therefore, regular backups of important files are recommended.

Tips & notes

  • The maximum file size is 256 GiB.
  • It is safe to rename any files that are encrypted with eddy. This means that decryption does not require .eddy file extension.

How it works

eddy leverages ChaCha20 for encryption paired with keyed BLAKE2b for data authentication (MAC). The scrypt KDF is used for producing keys. You can read more about the internals in the spec file.

Acknowledgements

urfave/cli - CLI framework.

pb - Progress bars.