What's the use of it?
- The mindcrypt applet encrypts one or more files and / or folders and creates an encrypted archive (*.mc) from the given source files.
Folders will be processed recursively and the folder's tree structure will be maintained in the archive file.
The archive can either be encrypted with a password-derived key or with the public key from a certificate file.
- The mindcrypt applet decrypts an encrypted archive file (*.mc) and restores the original files / folders to a specified
The decryption key is either derived from a password or - in case of certificate based encryption - decrypted with the private key
from a key file.
- Two persons may exchange secret documents securely (e.g. by e-mail) without installing special software on their local PCs.
In case of a password-derived encryption key the password has to be communicated to the recipient over a secure channel (e.g. by phone).
Otherwise - in case of certificate based encryption - the sender needs the recipient's certificate before encrypting.
- You can encrypt your sensitive data before uploading it to a server in the 'cloud' or copying it onto a USB stick.
The data can be decrypted on every internet-capable PC without installing special software on it.
How does it work?
- On encryption the source files are stored within a container file (*.mc).
Except for a short plain text header the whole container file is encrypted with AES 256 bit in CBC mode.
The encryption key is either derived from a password that has been assigned by the user, or a random key is generated
and encrypted with the public RSA key from a certificate file (*.der, *.cer, *.crt, *.pem).
In the latter case the RSA encrypted key is also added to the archive file.
- On decryption the decryption key has to be recovered first.
The decryption key is either derived from a password or decrypted with the private RSA key from a key file (*.p12, *.pfx, *.jks).
After decryption the archived files are restored to a specified destination directory.
Thereby the original folder tree structure will be restored.
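
The password path described above, as an added Java example that is not mindcrypt's own code or container format. It assumes that the PKCS#5 key derivation with SHA-256 mentioned in the Q&A means PBKDF2 with HMAC-SHA-256; the class name, salt and IV lengths, iteration count and the salt || IV || ciphertext layout are likewise assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordContainerSketch {
    static final int SALT_LEN = 16, IV_LEN = 16, HDR = 32, ITERATIONS = 200_000; // assumed values

    // PKCS#5 PBKDF2 with HMAC-SHA-256 in place of HMAC-SHA-1, 256-bit output.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }

    // AES-256-CBC; src starts with salt || IV, data is processed from offset off.
    static byte[] crypt(int mode, char[] pw, byte[] src, byte[] data, int off) throws Exception {
        byte[] key = deriveKey(pw, Arrays.copyOfRange(src, 0, SALT_LEN));
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(src, SALT_LEN, IV_LEN));
            return c.doFinal(data, off, data.length - off);
        } finally {
            Arrays.fill(key, (byte) 0); // overwrite our copy of the key after use
        }
    }

    // Constructed layout: salt || IV || ciphertext, fresh random salt and IV per call.
    static byte[] encrypt(char[] pw, byte[] plain) throws Exception {
        byte[] hdr = new byte[HDR];
        new SecureRandom().nextBytes(hdr);
        byte[] body = crypt(Cipher.ENCRYPT_MODE, pw, hdr, plain, 0);
        return ByteBuffer.allocate(HDR + body.length).put(hdr).put(body).array();
    }
    static byte[] decrypt(char[] pw, byte[] blob) throws Exception {
        return crypt(Cipher.DECRYPT_MODE, pw, blob, blob, HDR);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed sample password".toCharArray();
        byte[] blob = encrypt(pw, "constructed sample content".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(pw, blob), StandardCharsets.UTF_8));
        Arrays.fill(pw, '\0'); // the caller wipes the password once it is no longer needed
    }
}
```

A wrong password usually surfaces here as a BadPaddingException, but CBC by itself does not authenticate the ciphertext; the page does not say whether the container carries an integrity check.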
Questions and Answers
- Is it secure?
Yes. The mindcrypt applet uses the AES 256 bit algorithm, which is generally seen as secure.
The key derivation has been implemented according to PKCS#5,
but the underlying hash function has been changed from SHA-1 to the more secure SHA-256 algorithm.
The whole container file is encrypted in CBC mode ('Cipher block chaining') with a random IV.
As the file descriptor list is encrypted too, it is not possible to discover the file names of the source files contained in the archive.
Sensitive data (e.g. password, key) is explicitly overwritten as soon as it is no longer needed.
- Does the mindcrypt applet compress files?
Yes. Large files (> 16K) will be compressed before encryption.
Hereby the ZLIB compression algorithm (Deflate) is used.
Smaller files remain uncompressed due to performance considerations.
- What is the difference to other file encrypting tools?
The main objectives of the mindcrypt applet are security and simplicity.
The benefit is that it runs on every PC that has a browser and a Java runtime installed.
There is no need to install any additional software on your PC.
- How can I trust the mindcrypt applet?
The mindcrypt applet only accesses local resources (file system) but does NOT transmit any data to the network.
If you have concerns that the mindcrypt applet spies on your sensitive data, feel free to decompile the Java archive
(e.g. http://java.decompiler.free.fr) and inspect the source code within.
- What if you discontinue your service?
Download the standalone mindcrypt application. Now you are independent of the mindcrypt web page.
- How do I create a key file / certificate?
Besides other methods (e.g. OpenSSL), a key file can easily be created with the keytool utility (/bin/keytool)
that is part of the Java Runtime ('<>' marks placeholders for your individual values):
keytool -genkey -alias <keyname> -keystore <storename> -storepass <password> -keypass <password> -keyalg rsa -keysize 2048 -validity 1825 -dname "CN=<creator>"
The self-signed certificate can be created as follows:
keytool -export -alias <keyname> -keystore <storename> -storepass <password> -file <storename>.crt
- Who is mindcrypt?
sven.kaltschmidtPAUL@mindcrypt.de (remove PAUL)