New Picocrypt feature: web SFX

Hello all,

This feature is a bit niche but I think some of you will find it useful and interesting. I know I’ve stated I’m taking a break from Picocrypt, which I am, but exam season is over so I took a few hours to cobble this together.

Web-SFX

tl;dr: you can now embed a .pcv into the web app for ultimate portability

Longer description:
The web app is cool, but you need to go to a webpage to use it. If you’re sharing a file with someone, that person also has to go there. With this new tool, it can embed a .pcv into a single self-contained .html file that contains the volume content and the decryption code. In other words, the .html is a self-extracting archive, except unlike other SFX implementations that are platform-specific, .html runs anywhere, including on mobile devices. So long story short, you can now encrypt your files into a single self-contained, future-proof, fully offline, cross-platform .html file (yes, lots of adjectives I know) that you can open in any browser to decrypt your files. All it takes is one additional command if you’re a CLI user:

picocrypt secret.txt
picocrypt-sfx secret.txt.pcv
-> creates secret.txt.pcv.html

(Copied from the readme)

  • Long-term file storage: because the decryption code is now bundled with the volume data into a single .html file, everything you need to access your encrypted files is present and self-contained. Due to the web and WebAssembly being standardized and stable, this single .html file will be able to decrypt your files on any platform with any modern browser indefinitely far into the future. This is arguably one of the safest and most reliable long-term encryption solutions as there’s no external dependencies at all.
  • File sharing: easily share encrypted files to others without having them download software (that they may not trust or know how to use).

Now there are limitations that are the same as the web app (no advanced features or keyfiles, must be <1 GiB). The size requirement is currently unpreventable because decoded >1GiB of base64 is going to be atrocious for resource consumption and WebAssembly only supports up to 4 GiB of memory (at least without Memory64 which isn’t standardized yet).

Let me know what you think! And what you might use it for.

And since I’m already here, I might as well leave a note that not updating Picocrypt does not mean it is automatically insecure. Unless you can point out a major security issue (no one has for 3+ years, ROS audit only discovered some minor issues), “unmaintained” Picocrypt one year from now is no less secure than it is now. If anything, it would’ve withstood another year of public scrutiny and actually be more secure if you want to go down that path of reasoning. So I wouldn’t worry about this stuff too much. I’m always here, even if busy with my own things, but I’ll be alive probably longer than most of you here, so if anything bad does happen, you can always contact me directly by the contacts on my website and I will work to fix things asap. This new SFX feature is just another piece of work toward future-proofing the project, as I have already been doing with the CLI and web interface previously.

I’ll monitor this post for a day or two before hopping off. If you encounter any bugs, please create an issue! Or just feedback in general can go into the issues. All feedback is welcome. Thanks and have a great holiday y’all!

~ Evan

9 Likes

I’ll have binaries up shortly for people who don’t want to install Go.

1 Like