Picocrypt has been archived, and Picocrypt-NG seems to be the logical replacement. It’s cross platform and still active, so I don’t see a reason not to replace it. If for some reason Picocrypt-NG can’t be added (maybe because of this claim from the dev), at least remove Picocrypt.
Is it bad to use the old version? I’m still using the CLI version and it works great. But I don’t know much, so let me know guys if I should change to NG or Cryptomator?
There’s no experience with the new version and we should probably wait a few months and see how it goes before making any recommendations.
Using the “old” version is fine for now.
How is it better than Veracrypt?
From the project Readme:
Here’s how Picocrypt NG compares to other popular encryption tools.
I liked picocrypt a lot but stopped using it when it was archived. Do we know how similar Picocrypt-NG is? I agree it should be added if it meets criteria.
It’s essentially a fork of the original Picocrypt. I use it on Linux. Works great.
So Picocrypt is getting removed? What is the issue with NG? Is it too new?
The founder and primary developer announced they were stepping away and no longer updating the project. It has been approved for removal already from PG.
Picocrypt NG is now the community fork.
The old version still works fine, and I’d trust it over the new one, unless you’re just experimenting for fun rather than protecting anything serious.
The only reason it was archived here is policy: this site only recommends active projects, and the author stopped maintaining it. That doesn’t mean the software suddenly became unsafe. It’s audited encryption software, so it remains a solid option until one of two things happens:
- Your OS stops running it.
- A new exploit is found.
That’s why I’m still comfortable with it now, but I also plan to move on for those exact reasons. Long term, I need something that feels more future-proof. Working at a nonprofit, I don’t want to set up tools that make colleagues wonder what I was thinking. For us, 7-zip is the practical choice.
Can someone using macOS 26 Tahoe confirm whether both versions (v1.49 and v2.00) are working after the update? Or is it just me? I have already granted the trust manually using the command xattr -d com.apple.quarantine. But when launched, the app silently closes itself without any warning or error.
The old version is fine. It’s the best the app is going to be, and there were no known bugs on the security side of the app.
The old version is no longer supported or being maintained, so it’s better to move to the new version.
EDIT:
I just found this and I think it’ll help people on here who aren’t sure:
Currently, Picocrypt-NG is focused on implementing all the recommendations of the Picocrypt security audit, which could not have been implemented earlier due to a violation of backward compatibility (for more information, see the screenshot). The original Picocrypt is still secure and takes advantage of many encryption tools in terms of file encryption. The Picocrypt-NG 2.0 release took into account the recommendations of PCC-001 and PCC-006 (replacing SHA3-512 hash of Argon2id master key with HMAC-SHA3-512). Thanks to this change, the authenticity of the binary header of the file has been ensured, which provides an additional level of protection against tampering.
Due to the different password verification process for decryption, Picocrypt cannot decrypt Picocrypt-NG files in a “standard” manner. Picocrypt calculates the SHA3-512 of the Argon2id key; Picocrypt-NG calculates the HMAC-SHA3-512 of all header data except for the HMAC field itself, and the secret key for the HMAC is the Argon2id secret key. Because of this, when decrypting Picocrypt-NG volumes, the original Picocrypt will say “The password is not correct”. However, when the “Force decrypt” option is enabled, the decryption process will take place, but you will receive a notification that “the original file has been changed, be careful.” This is because Picocrypt cannot verify the password, which means it cannot verify the integrity of the files. However, if you decrypt the Picocrypt-NG volume in Picocrypt with the correct password, your decrypted data will be identical to the original data, even though you will receive a notification of their change. But be aware, there will be no integrity check when “Force decrypt” is used!
First of all, the original Picocrypt has not stopped working on macOS yet. OpenGL has not disappeared yet. But there is a risk that Apple will get rid of it. There is work in Picocrypt-NG on porting the GUI to a new toolkit (thanks to @any1here and @njhuffman), which will also be cross-platform, but will in turn use the native graphics renderers of the operating systems (Metal2 for macOS, DirectX12 for Windows, Vulkan/OpenGL for Linux).
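The difference between the two password-verification schemes described in the post above, shown as an added example that is not Picocrypt’s or Picocrypt-NG’s own code. The header layout (a version tag, a salt, a flags byte) is a constructed simplification, not the real on-disk format, and because Python’s standard library has no Argon2id, `hashlib.scrypt` stands in for the master-key derivation. The point it demonstrates is the one the post makes: storing a plain SHA3-512 of the master key verifies the password but says nothing about the rest of the header, while an HMAC-SHA3-512 keyed with the master key over the header fields fails as soon as any covered field is altered, and a verifier built for one scheme cannot accept the other scheme’s field, which is why the original tool reports a wrong password on NG volumes.

```python
import hashlib
import hmac
import struct

VERSION_LEN, SALT_LEN = 4, 16


def derive_master_key(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for the Argon2id derivation (scrypt, example parameters)."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def build_header_fields(version: bytes, salt: bytes, flags: int) -> bytes:
    """Constructed header: version tag + salt + one flags byte (the field the
    verifier/HMAC value would follow is deliberately not included)."""
    assert len(version) == VERSION_LEN and len(salt) == SALT_LEN
    return version + salt + struct.pack("B", flags)


def salt_from_header(header: bytes) -> bytes:
    return header[VERSION_LEN:VERSION_LEN + SALT_LEN]


def old_verifier(master_key: bytes) -> bytes:
    """Original scheme as described in the thread: SHA3-512 of the master key."""
    return hashlib.sha3_512(master_key).digest()


def ng_verifier(master_key: bytes, header_fields: bytes) -> bytes:
    """NG scheme as described in the thread: HMAC-SHA3-512 over the header
    fields (everything except the HMAC field), keyed with the master key."""
    return hmac.new(master_key, header_fields, hashlib.sha3_512).digest()


def old_check(password: bytes, header: bytes, stored: bytes) -> bool:
    key = derive_master_key(password, salt_from_header(header))
    return hmac.compare_digest(old_verifier(key), stored)


def ng_check(password: bytes, header: bytes, stored: bytes) -> bool:
    key = derive_master_key(password, salt_from_header(header))
    return hmac.compare_digest(ng_verifier(key, header), stored)


def tamper_flags(header: bytes, new_flags: int) -> bytes:
    """Modify only the flags byte; salt and version stay intact."""
    return header[:-1] + struct.pack("B", new_flags)


def demo() -> dict:
    password = b"correct horse battery staple"      # constructed sample password
    salt = bytes(range(SALT_LEN))                     # fixed salt so the run is reproducible
    header = build_header_fields(b"v1.0", salt, 0)
    key = derive_master_key(password, salt)
    old_stored = old_verifier(key)
    ng_stored = ng_verifier(key, header)
    tampered = tamper_flags(header, 1)                # a header field altered after creation
    return {
        # SHA3-512-of-key: password right/wrong is detected, header change is not
        "old_correct": old_check(password, header, old_stored),
        "old_wrong_pw": old_check(b"wrong", header, old_stored),
        "old_tampered": old_check(password, tampered, old_stored),
        # HMAC over header: password and header integrity are both checked
        "ng_correct": ng_check(password, header, ng_stored),
        "ng_wrong_pw": ng_check(b"wrong", header, ng_stored),
        "ng_tampered": ng_check(password, tampered, ng_stored),
        # original-style verifier applied to an NG-style stored field: rejects
        # even the correct password, matching the "password is not correct" message
        "old_tool_on_ng_file": old_check(password, header, ng_stored),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Run it and the only row that differs between the two schemes on an untouched file is `old_tampered`: the plain hash accepts the modified header, the keyed HMAC rejects it. `old_tool_on_ng_file` being rejected is the cross-version case the post describes, where the original tool cannot confirm the password and therefore cannot vouch for integrity either.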
Maybe I’m missing something here but why is there any need to stop using Picocrypt or should I say stop recommending it? In a strange way since development stopped, isn’t it now like even better? I’ll get back to that point later.
I know it’s an awful analogy but it’s like someone inventing the wheel then that person suddenly says “you know what I actually want to go design something else now” and other people reply with “whelp time to reinvent the wheel… let’s make it square now.”
My point is just because the person abandoned the design of the wheel doesn’t mean you should instantly try to fix it or vastly change it for any reason. A wheel is pretty good for the purpose it was invented for.
Picocrypt from what I know just works right. You can get it to create ridiculously strong passwords that nothing is going to ever crack unless there is some weird stupid flaw in the design which at this point I feel like someone would have come across by now.
Brings me to my main point in the beginning. It’s now 2032 and you kept with Picocrypt. If you do stay with such an obscure old version program, what person is actually going to spend however long it takes them (years?) to find some flaw in the code that maybe a couple hundred people in the world still have compared to looking at projects that are still actively maintained that probably have a couple million people. If I’m an attacker and see a couple million users vs a couple hundred I know what I’m going for.
I’d like to know where I could be going wrong here but this all boils down to the fact that Picocrypt ticked all the boxes before for privacy concerns (arguably even more now since no nasty updates will suddenly change the program) and as long as some ridiculously stupid bug that just instantly cracks say 100+ character passwords isn’t found then probably keep it.
I think it mostly comes down to street-cred in the FOSS community.
It’s like having a cool restaurant where the meals are amazing. It can be awarded a Michelin star, but then if the owner steps down: you have no guarantee that the meals will be as good.
Time will rebuild the trust into the new maintainers and it will probably come back as a recommendation here again.
I guess that PG prefers to be too strict rather than the opposite; that doesn’t make it a bad tool per se.
Plenty of tools from awesome-selfhosted are not recommended here, not because they are bad or unsafe; they maybe don’t check all the boxes (and also require some code/hosting knowledge haha).
Let’s please be respectful/patient with people doing work on their free time for free, FOSS is not easy.