LockFS is an open-source, end-to-end file encryption tool designed with privacy and user control in mind. It lets you encrypt individual files securely, giving you full control over your data without forcing you into rigid vaults or containers.
Why LockFS?
Traditional encrypted vaults often make privacy harder to manage:
Bundled archives: Combining multiple files into a single encrypted archive can slow access and make it harder to handle large or growing datasets.
Containerized storage: Tools that store encrypted files inside virtual drives or containers create extra layers that can complicate access and data portability.
Centralized config files: Vaults that rely on a single configuration file can introduce single points of failure, limiting flexibility and control over your encrypted files.
LockFS addresses these issues while prioritizing privacy:
Encrypts files individually: Each file is encrypted separately, giving you granular control and reducing the risk of exposure if part of a vault is compromised.
No centralized references: Files are self-contained, so you can securely manage them across multiple devices or storage systems without being tied to a single vault or configuration.
Open-source transparency: Everything is auditable and verifiable, so you can trust that your data is protected without hidden backdoors or opaque processes.
LockFS is built for people who care about true privacy and control over their data, not just convenience.
If you’re interested, you can check out the repository or get the latest release here:
And looking at Github, I have no idea how to use it. Please provide instructions or any easy to understand details for non technical people so they can use it too. It is also not obvious for which OS this is for.
Actually description reminds me of Cryptomator. Picocrypt puts everything into a single volume. Cryptomator allows encryption to only run on changed files, more feasible for cloud storage.
Cryptomator encrypts many files and folders at once. This tool is only to encrypt individual files as I read the post. So, I feel it is more Picocrypt than Cryptomator. I don’t believe you could encrypt more than just a single file/directory at a time with Picocrypt.
I can see why it reminds you of PicoCrypt. LockFS takes a slightly different approach though. It’s designed to be minimal, with secure defaults, rather than focusing on a lot of advanced or open-ended features.
As for platforms, it works on desktop operating systems like Windows, macOS, and Linux as long as Java 21+ is installed.
I’ll also make the instructions section a bit clearer so the steps are easier to follow. Thanks for the feedback.
I think the fact that you build it on Java is a significant drawback unfortunately. Nobody has that installed anymore these days. I get Java is probably the language you are familiar with but not an architectual decision.
I don’t understand the decision to use PBKDF2-HMAC-SHA256 rather than Argon2id or scrypt. Worse is only using 100,000 iterations. You should be using at least 600,000 iterations, and that recommendation is a couple years old at this point.
That’s a fair point, Picocrypt is minimal as well. The main difference I am aiming for with LockFS is the design approach, which is keeping things simple, focusing on secure defaults, and encrypting files individually rather than expanding into many optional modes.
Regarding Java, the choice wasn’t just familiarity. I chose it because it offers a good balance for this project in terms of portability, mature cryptographic libraries, and development speed. It also allows distributing the same build across Windows, macOS, and Linux with a single JAR, and the managed runtime helps avoid some classes of memory-related issues you can run into with lower-level languages.
I understand the runtime dependency can be a drawback for some users though, and I’m looking at ways to improve distribution over time.
As for audits, the project is still in active development right now, so the priority is stabilizing the design and implementation first. Once it’s more mature, I will definitely like the code to be reviewed or audited. Keeping the design small and documented is part of making that easier.
Right now LockFS uses PBKDF2-HMAC-SHA256 mainly for portability and availability within the standard Java cryptography libraries. Since the project is still early in development, I prioritized using well-supported primitives that are widely available across environments.
Regarding the iteration count, that’s something I am still evaluating and tuning. The current value is not intended to be final, and feedback like this is helpful while the design is still being refined.
I am also looking into stronger password hashing approaches such as Argon2id or scrypt as the project evolves, especially since memory-hard KDFs provide better resistance against GPU/ASIC attacks. The goal is to choose something that balances security, reviewability, and cross-platform reliability.
I would like to invite everyone to try the latest version of LockFS 2.0.0-dev.2. This is the version where all features will be finalized.
Please give it a try, and if you have any suggestions or feedback, now this is your chance. Final adjustments will be made before the next General Release.
The program runs step by step on any system with Java. Try running java -jar lock.jar to encrypt or java -jar unlock.jar to decrypt. Do you mind sharing which part was unclear?
