I see PG recommended it, so I took a look at it. It seems really easy and multifunctional. But I have some questions for the community:
Will it be suitable for everyday use (like data loss, frequent bugs, etc.)?
Will it protect me if I need to store encrypted files on an EXTERNAL drive (for example a flash drive) and be able to decrypt them directly from it without issues?
I know that this question may be making a mountain out of a molehill, but is it suitable for Mint? As far as I know, in different distributions of Linux there are some troubles with apps which can lead to vulnerabilities.
And I will be really grateful if you share your experience with it (if you have any).
To help you help me (yeah, it’s a pun), here is what I wanna achieve:
Extremely strong (preferably quantum-resistant) encryption for external drives where I will store sensitive backups. Like documents, etc.
No-pain-in-ass decryption and encryption even if: moved to another drive/shared/sent or transferred in another way.
Instead of answering all your questions directly because I am not quite sure what you’re eventually trying to accomplish -
I would recommend you look at Cryptomator instead for your file and document encryption needs. You can easily sync with any cloud storage service provider and it works really well and is stable.
With Picocrypt, you’ll have to encrypt and decrypt every file/folder to access it. It is not always ideal for this to be the case. This only mostly works for archived files and documents. Hence my recommendation for Cryptomator instead.
This does not make sense with Cryptomator because of the nature of Cryptomator. If you are somehow, for whatever reason, skeptical, there are only two reasons you may be: 1. You don’t want to risk data corruption with cloud storage and sync with large backups. 2. You have illegal content you’re trying to safeguard.
Either way, Cryptomator has never once failed me. That’s still my recommendation - cloud storage or not.
I don’t use clouds as they log IPs. I don’t know any cloud that will be free (or once paid, forget forever), have 1 TB and more, support Tor (or at least not BAN VPN registrations). Yeah, we have Proton and Mega, but my requests are simply exceeding 1 TB. And it is mostly backups.
Large backups. Like documents, system, etc., etc.
I hate subscriptions. Even if a lifetime one will be more expensive, I will choose it.
And even if a cloud will allow me to use Tor, and have 1 TB for free… Speeds… Uploading several gigabytes via Tor is torture.
Picocrypt uses symmetric encryption (more specifically, stream ciphers such as XChaCha20 and Serpent) and uses Argon2 for key derivation from the passphrase. And yes, they are quantum-safe (AFAIK, post-quantum safety is mostly a concern for asymmetric encryption rather than symmetric encryption algorithms). As long as you set a sufficiently long and random password, and do not leave a trace of the unencrypted copy elsewhere, it is practically unbreakable (no cipher other than the one-time password (OTP) is, in theory, unbreakable).
Encryption/decryption time mostly depends on the file size and the computational capability of your CPU (unlike AES, which is supported by hardware-level instruction sets, stream ciphers do not have such support). I usually encrypt files smaller than 1 GB and haven’t felt any inconvenience. Keep in mind that using the Paranoid mode, which increases multiple parameters, will greatly prolong the encryption/decryption time in proportion to the file size.
Regarding your questions:
I guess so? At least for me, it was great.
This is where you should distinguish between FBE (file-based encryption) and FDE (full-disk encryption). Picocrypt is designed solely for individual file encryption. If you intend to use the drive for storing only sensitive files, I recommend using Veracrypt to perform a full-disk encryption. This is not just for convenience; full-disk encryption must be used if your threat model includes forensics. A drive that previously stored an unencrypted copy of your file may still store that data even after deleting the plaintext version (this is called data remanence), and it is extremely difficult for SSDs to securely erase a single file (mainly due to wear-leveling). Encrypting the whole device using Veracrypt BEFORE you store any sensitive files would be best (after encrypting the whole drive, there is generally no need to encrypt individual files). Veracrypt, by default, uses AES-256, which is faster (due to AES-NI) and has gone through more scrutiny than any other encryption algorithm.
I haven’t used Picocrypt in Linux so can’t say much about that.
Please let me know if there’s anything incorrect.
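To make the construction described in the reply above concrete (a random salt, a memory-hard KDF turning the passphrase into a key, a stream cipher, and an integrity check so that a wrong password or a corrupted container is detected instead of producing garbage), here is an added example. It is constructed for this thread and is not Picocrypt's code or container format: it uses Python's stdlib scrypt in place of Argon2 (both are memory-hard), plain ChaCha20 from RFC 8439 in place of XChaCha20, and an encrypt-then-MAC HMAC-SHA256 tag for authentication. The `MAGIC` marker and the `encrypt`/`decrypt` container layout are assumptions made for the example.

```python
"""Password-based file encryption in the style the reply describes:
salt + memory-hard KDF -> symmetric key -> stream cipher -> auth tag.
Constructed example; NOT Picocrypt's format. Assumptions: scrypt stands in
for Argon2, ChaCha20 (RFC 8439) for XChaCha20, HMAC-SHA256 for the tag."""
import hashlib
import hmac
import os
import struct

MAGIC = b"EXAMPLE1"  # constructed container marker, not a real format
MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Stream XOR: encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def derive_keys(password, salt):
    """Memory-hard KDF (scrypt standing in for Argon2): the per-file random
    salt means the same passphrase never yields the same key twice."""
    km = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # cipher key, MAC key


def encrypt(password, plaintext):
    """Container: MAGIC | salt(16) | nonce(12) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = derive_keys(password, salt)
    header = MAGIC + salt + nonce
    ct = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(password, blob):
    """Verifies the tag before decrypting; a wrong password or a corrupted
    container fails here rather than returning garbage."""
    if len(blob) < 36 + 32 or blob[:8] != MAGIC:
        raise ValueError("not an example container")
    header, ct, tag = blob[:36], blob[36:-32], blob[-32:]
    salt, nonce = header[8:24], header[24:36]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed (wrong password or tampering)")
    return chacha20_xor(enc_key, nonce, ct)


if __name__ == "__main__":
    # Constructed sample: encrypt a "backup" in memory, then round-trip it.
    blob = encrypt("correct horse battery staple", b"constructed backup contents")
    print(len(blob), "bytes, round-trip ok:",
          decrypt("correct horse battery staple", blob) == b"constructed backup contents")
```

The point the thread makes about plaintext traces still applies to this or any file-level tool: the container only protects what goes into it, and `encrypt` reads the plaintext from wherever it already sits on disk.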
I’m afraid of using VeraCrypt, as this drive should be available even from a completely reinstalled system. Because, as I said, one drive is solely backups, another personal info.
That is the main concern for me. Because of this I am asking how to encrypt a file BEFORE uploading it to the SSD.
So you’re saying that your backup drive should be accessible on any PC? As I said, it’s best to encrypt the whole drive with Veracrypt, but this requires Veracrypt to be installed on the computer to mount the encrypted drive. Is it possible for you to just install Veracrypt on whichever PC you’re planning to use? If you can’t install custom software on PC, then encrypting files individually with Picocrypt also wouldn’t be a valid option since it needs the Picocrypt software to decrypt/encrypt files (though Picocrypt is technically a portable app, you know what I mean).
You can simply encrypt the file with your PC, and then copy-paste the encrypted file to the SSD. The only drawback of this option is that the unencrypted copy of the original file may still remain on the disk (where you created/downloaded the file in the first place).
Alternatively, you can perform an FDE of your system partition (the partition that has your OS installed), encrypt the file with Picocrypt, and then copy-paste that file. This way, both your system drive and the external SSD (or whatever backup drive) have NEVER written unencrypted data of that file.
Still, decrypting the file using Picocrypt on a PC that has an unencrypted system partition will leave traces of plaintext.
Put simply, each and every drive/disk on which the file exists, or has ever existed, should be encrypted prior to writing plaintext data.