eddy is a simple and fast CLI file encryption tool. It features concurrent file processing while ensuring data authenticity and plausible deniability. It is also capable of generating secure passphrases.
encrypt
, enc
, e
- encrypt provided files.
decrypt
, dec
, d
- decrypt provided files.
generate
, gen
, g
- generate a passphrase.
--output, -o
- specify output directory.
--passgenlen, -g
- specify generated passphrase length (6 is the minimum). Ignored in decryption mode.
--overwrite, -w
- enable overwrite existing files.
--no-emoji, -n
- disable emojis and color in output.
--force
- force decrypt. Bypasses file authentication and, inherently, the password check. Useful if the encrypted file is corrupt (damaged) but you still want to decrypt it.
--unsafe-password
- replace interactive password prompt with the provided value. Intended for scripts/automation and reading password from environment variables. The "unsafe" prefix here is to indicate that the provided value will likely stay in the shell command history which is not safe.
eddy e secret.txt
eddy e secret.txt secret2.png secret3.mp4
eddy -g 8 enc secret.txt
eddy --overwrite encrypt secret.txt
eddy -wo ./Documents dec secret.txt.eddy
eddy --unsafe-password supeR-$ecr3t --no-emoji -o . enc "D:/stuff/secret.txt" secret2.txt
eddy gen 10
Prebuilt binaries are available for Windows, Linux, and macOS (both x86 and ARM): download the latest release from the releases page for the desired OS.
If you have Go installed, the simplest way to get eddy is to run:
go install github.com/70sh1/eddy@latest
If you are on Linux and using this method, make sure that go bin path is added to your PATH environment variable: e.g.
export PATH=$PATH:$HOME/go/bin
If no password (empty one) was provided during encryption (this includes lack of --unsafe-password
flag and leaving interactive password prompt empty), eddy will generate and use a secure passphrase (length of 6 words by default). The length can be adjusted using --passgenlen (-g)
flag. Additionally, if the -g
flag is provided, the password prompt will be skipped automatically. The passphrase is generated using cryptohraphically secure PRNG provided by the OS and EFF's long wordlist. The generate
command is also available for standalone generation.
You can read more about passphrases here.
- eddy doesn't delete input files.
- eddy doesn't preserve file timestamps (creation date and date modified).
- eddy doesn't use any methods to increase the resilience of a file, such as error correction code. Therefore, regular backups of important files are recommended.
- The maximum file size is 256 GiB.
- It is safe to rename any files that are encrypted with eddy. This means that decryption does not require
.eddy
file extension.
eddy leverages ChaCha20
for encryption paired with keyed BLAKE2b
for data authentication (MAC). The scrypt
KDF is used for producing keys. You can read more about the internals in the spec file.
urfave/cli - CLI framework.
pb - Progress bars.