Krypton Help

Krypton
Personal Privacy Agent

Krypton for iOS is a privacy tool that uses strong encryption to securely protect personal and confidential information resident on your Apple computer, iPod touch, iPhone and iPad. Krypton is not a password manager: it encrypts and decrypts entire documents (text, spreadsheets, images, recipes, emails, anything).

Topics

Terminology
  • Plaintext refers to any item, whether a text file, image, Word or Pages document, spreadsheet, HTML or sound file, etc., in its normal format.
  • Ciphertext refers to a plaintext item that has been encrypted, and is thus unrecognizable.
  • A passcode is a string of words and characters used as a key during encryption and decryption. The only way to decrypt a Krypton item is by knowing the passcode used to encrypt it.

Topics

The Vault

Metaphorically, Krypton keeps your ciphertext items in a special vault, with each item contained in their own deposit box; to gain access to a ciphertext item the vault must be open and the passcode key must be used to unlock the deposit box before you can discern the plaintext contents inside. In iOS the vault may be open or closed, while on macOS the vault opens upon Log In. When the App first runs the vault opens automatically and all your ciphertext items are displayed, each represented by its name, creation date, size and one of these icons:

Safety Deposit Box Image

A vault document resides on your device; an iCloud Drive or Dropbox document resides on the cloud and must be downloaded to the vault before it can be decrypted.

Settings is where you enable the vault's five-number combination lock. With the vault closed and secured, prying eyes cannot even see the names of your ciphertext items. If you enable the vault lock, please do not forget the combination - no one can help you back in.

If Vault Security is enabled, when entering the background the vault is auto-locked.

Enter the vault's combination either by manipulating the lock mechanism, or touching the keyboard icon and entering your 5-number combination in the text field, separating each number by one or more non-digit characters (use more non-digit characters for obfuscation if someone is watching).

If Touch/Face ID is enabled on your device you may use that feature to unlock the vault. Select Cancel to unlock the vault the old fashioned way.

Topics

Decrypt Ciphertext, View Plaintext

To decrypt and view a ciphertext item, simply touch it and enter the encryption passcode. Krypton decodes the ciphertext and then tries to display the plaintext in a Viewport. Common file formats are supported, such as text, images, Office and iWork documents, HTML, and so on.

Plaintext items that are simple text files are displayed with long lines wrapped in the Viewport. If you double-tap a text item its lines are not wrapped in the Viewport, but may be horizontally scrolled. A text file is any file with a .txt or .html extension, or that iOS recognizes as Unicode strings.

In Krypton's world, plaintext data is meant to be ephermeral and fleeting, to exist for as little time as possible, and then to be shredded. You may choose to shred the plaintext data you are examining as soon as you leave the Viewport, or you may choose to keep it around temporarily. If you elect to keep the plaintext when exiting the Viewport and returning to the vault, the item's icon changes to a red alert triangle:

Alert Image

Temporarily retaining the plaintext may be a good choice for items that decrypt slowly and that you plan to revisit several times while in the vault. However, plaintext data is always shredded when Krypton terminates or enters the background, unless you disable this feature - it's your choice, selectable in Settings.

Topics

Even Plaintext Is Encrypted

When you Passcode Lock your device (in iOS Settings / General), any exposed plaintext is automatically protected by the device's hardware encryption mechanisms. This protection even extends to iTunes backups when encryption is enabled.

Topics

Search Plaintext

Available from the Viewport Action menu, Krypton can search various types of plaintext, including simple text files, HTML, and Office and iWork documents (technically, anything that is internally represented as HTML) if a search tool is visible. Examples of plaintext that cannot be searched include PDFs and images.

Matched text is displayed in black against a yellow background.

Topics

Edit Plaintext (Text Files Only)

Available from the Viewport Action menu, Krypton can edit plaintext files if a pencil tool is visible. Touch the pencil to open the edit Viewport, make your changes and touch Encrypt.

Topics

Print Plaintext

Available from the Viewport Action menu, Krypton can print plaintext files if a printer tool is visible.

Topics

Export Plaintext

Available from the Viewport Action menu, Krypton can export plaintext if an export plaintext tool is visible.

Topics

Shred Plaintext

Available from the Viewport Action menu, the shred tool destroys the plaintext.

When Krypton shreds a plaintext item it first overwrites the file with a pattern of all ones, followed by a second pass of all zeros, before deleting the file. Any files that, for whatever reason, escape shredding at App termination are shredded the next time Krypton runs.

Topics

Ciphertext Versioning

This Settings option, which defaults to ON, is designed to protect existing ciphertext items in the vault. When importing ciphertext, Krypton does not replace an existing ciphertext item, but rather gives the new item a different name by appending a unique number of the form -nnn, where nnn ranges from 000 to 999. If Ciphertext Versioning is turned OFF then Krypton silently replaces duplicate items.

Topics

Import Ciphertext and Plaintext

There are various ways to import items into Krypton's vault: using the pasteboard, via File Sharing, from other Apps' Open In menu, from iCloud Drive or from Dropbox. Note: if the imported item is plaintext it's encrypted and then stored in the vault.

To use the pasteboard to copy-and-paste, first select the text or image (PNG or JPEG) to encrypt and copy it to the pasteboard. Then open the vault, touch the Encrypt From Pasteboard button, and follow the instructions. The pasteboard is automatically erased. Note: You cannot import and encrypt pasteboard data if you have Vault Security enabled and use Face ID to unlock the vault, because the pasteboard is temporarily unavailable. The workaround is to unlock the vault via the keyboard or combination control. This limitation does not exist for Touch ID devices.

If you copy a URL to the pasteboard, the Encrypt From Pasteboard button changes to an Import button that downloads the item over the network and stores it in the vault.

The pasteboard is erased after any encryption attempt, successful or unsuccessful.

To use File Sharing, connect your device to your computer, and the vault appears in iTunes' File Sharing tab for the application named Krypton. Simply drag files to/from the File Sharing pane.

Opening an item from another App's Open In menu (like Mail and Dropbox) effectively imports the file into Krypton.

Finally, if you see the iCloud Drive or Dropbox icon touch Action to copy the document to the vault.

Topics

Export Ciphertext

You can share ciphertext items in the vault by tapping Action and selecting Email, Open In Another App, Send To iCloud Drive or Send To Dropbox from the menu, or via File Sharing as described in Import Ciphertext and Plaintext.

Topics

Delete Ciphertext

To remove an item from the vault use the Action menu (or swipe left on the vault item) and touch Delete. If the plaintext exists it is shredded as well. Deleting an iCloud Drive / Dropbox item removes the ciphertext from your device, iCloud Drive / Dropbox and all synchronized devices.

Topics

Ciphertext Encryption Strength Levels

Crypto best practices are constantly evolving, and occassionally Krypton's encryption algorithm is strengthened accordingly. Once Krypton has incorporated a stronger encryption methodology all newly encrypted documents are generated in this format, such that, over time, you may collect a mixture of encrypted documents of various security strength levels.

Krypton indicates this strength level using a small LED in the ciphertext item's deposit box door. For vault items that are in the cloud and not resident on the device the LED is unlit and not visible. Otherwise the LED is lit, and for vault items with the highest security level the light glows green. For vault items encrypted with an older algorithm the LED glows orange; but keep in mind that this does not mean the item is insecure, only less secure relative to Krypton's latest encryption standard. Although we guarantee that in the future Krypton will decrypt a document of any security level, it is in your best interest to re-encrypt older items with the latest encryption algorithm: the higher the security level the better.

Alert Image

For you technical folks, here are implementation details on the current Level 2 encryption format.

  • All encryption uses AES with 256-bit keys, CBC and PKCS7.
  • All keys are generated using PBKDF2, SHA-512, random salts and random rounds.
  • Every vault item has its own random master key and random IV, used to encrypt the plaintext.
  • The master key is itself encrypted.
  • The encrypted plaintext and encrypted master key are authenticated with a MAC (Encrypt-Then-MAC).

Additionally, when your iDevice is locked (passcode or finger print) every Krypton file is encrypted by iOS, so bad guys have to defeat this first level of encyption before they can even think of cracking a Krypton vault item.

Topics

Change Passcode

You can change the passcode for ciphertext items at encryption strength level 2 (created by Krypton for iOS version 4, or macOS version 3) and higher. Touch Action, select Change Passcode, and enter your current and new passcodes. Krypton uses the current passcode to first authenticate the ciphertext, and assuming that is succesful, the passcode change operation commences. For a 4 GB file this will take approximately 40 seconds on a iPhone 5s ... if you do not have a spare minute do not attempt a passcode change!

WARNING!

Because your encrypted file is randomly re-written in-place, you must NOT interrupt the change process. Do not leave Krypton, do not lock your screen or power-off your iDevice. Doing so will almost certainly lead to irrecoverable data loss.

WARNING!

Topics

iCloud Drive and Dropbox Documents

iCloud Drive support is controlled by iOS in Settings / iCloud / iCloud Drive. Dropbox support is controlled by Krypton in Info / Settings.

iCloud Image

Krypton documents on iCloud Drive (or Dropbox) must first be imported before they can be decrypted and viewed. After touching Action and selecting Import From iCloud Drive (or Import From Dropbox) the item is marked busy until the download completes and the ciphertext is stored in the vault. At that point you use the item as you normally would. If you swipe to delete the vault copy of an iCloud Drive-backed (or Dropbox-backed) document only the vault item is removed. But if you swipe to delete the iCloud Drive (or Dropbox) item then the ciphertext is removed from your device, iCloud Drive (or Dropbox) and all synchronized devices.

To move an item from the vault to iCloud Drive (or Dropbox) touch Action and select Send To iCloud Drive (or Send To Dropbox).

Krypton handles iCloud Drive (and Dropbox) version conflicts simply: the last document pushed to iCloud Drive (or Dropbox) wins. So, if you create encrypted documents having identical names on two offline iDevices and/or Macintoshes, then as each device connects to the Internet it stores its version of the document on iCloud Drive (or Dropbox); consequently, the second copy overwrites the first and becomes the true copy.

Krypton distinguishes vault items that have duplicate names by displaying a tiny overlay indicating the item's cloud repository source.

Cloud Name Resolution

Topics

Advanced Kryptonology

Krypton's simple document model works well for most folks, most of the time. However, if you want to use folders, or deal with large documents (ranging from about 10 MB up to about 4,000 MB), some additional work on your part may be required. But first, here's a brief internals overview on ZIP files, the shredder, and the scanner that are relevant to all topics.

Encrypting plaintext (a document or folder) or decrypting a Krypton item is a two step process. For encryption, the plaintext is first zipped to a temporary file, and that temporary file is then AES encrypted for security (hence the "zip" in the Krypton extension zip-aes-256-cbc-pkcs7-kry). For decryption, the item is first decrypted to a temporary file, and that temporary file is then unzipped, thus re-creating the plaintext. Using the ZIP format as an intermediary is convenient for several reasons:

  • everything is compressed
  • folders are flattened into a single unit for easy manipulation
  • the format is universal, so you can create ZIP files on your Mac, PC or Linux computer

But those intermediate ZIP files are by definition plaintext and need to be shredded; which leads us to the next topic, shredding files.

The shredder runs as a background thread, dutifully destroying plaintext data, either yours or those intermediate ZIP files. When the shredder is active you'll see this spinner in the vault's title bar:

Shredding is an expensive operation and you'll become aware of it as document sizes increase. So don't be alarmed if the shredder activates while decrypting a large document, it's probably just disposing of the intermediate ZIP file.

There's another task that runs on demand, called the scanner, whose job is to update the list of Krypton items in the vault. The scanner is not allowed to run during encryption, decryption or shredding, so if you are expecting an item to appear in (or disappear from) the vault, wait for an idle time.

1) Folders

Sometimes it's more convenient to collect related documents in a single folder and store that folder in the vault. Then, with a single decryption operation, the entire document collection is opened for browsing. It's simple to do this, here's what's involved in a nutshell:

  1. Create a single folder on your computer and fill it with documents, or even other folders.
  2. Zip-compress the folder and ensure that it has a .zip extension.
  3. Import the Zip archive into the vault.

Krypton imports the Zip archive but, noticing the .zip extension, bypasses its normal compression step and proceeds to directly encrypt the archive. Once in the vault, you can navigate the folder hierarchy and view plaintext as you are accustomed to doing.

Creating the Zip-compressed archive is easy too. Assume the folder is named ProjectDocuments:

  • Mac OS X : right click (or control click) on the folder and select Compress "ProjectDocuments".
  • Windows : right click the folder, point to Send To, and click Compressed (zipped) Folder.
  • Linux : zip -r ProjectDocuments.zip ProjectDocuments/

Any Zip folders that you create manually can be exported after decryption by touching the export Zip plaintext icon:

Alert Image

2) Large Documents

Krypton has been carefully crafted to handle arbitrarily large documents. The upper limit is undefined, but for practical purposes let's say about 500 - 4,000 MB. Anything more is probably too large for most other Apps to handle, and prohibitively slow during encryption and decryption.

A document is defined as being large if it's 10 MB or greater in size. That's not a firm value, you may find that your 60 MB document works perfectly. But at some point, to encrypt plaintext only, you'll have to assist Krypton:

You must pre-ZIP large documents prior to on-device encryption

That's it: if the plaintext to encrypt is too large to handle, pre-ZIP it! Krypton can encrypt, unzip and decrypt arbitrarily large files, it just cannot ZIP a large file without exhausting memory. See the text on Folders above for more ZIP information.

Tip: The most efficient way to import your newly created ZIP file is via iTunes File Sharing, but the shredder could create an issue. Consider disabling the Settings option Shred Plaintext to prevent the shredder from mistaking the file as plaintext. But remember to turn Shred Plaintext back on after the ZIP file has been imported and encrypted.

Topics

Gesture Summary
  • For iPad twist knob with 2 fingers to manipulate the combination and unlock the vault.
  • Single tap a vault item to display plaintext with lines wrapped in Viewport.
  • Double tap a vault item to display plaintext with lines not wrapped in Viewport.
  • Drag the vault contents downwards to force a content refresh from data sources such as iCloud Drive / Dropbox and iTunes File Sharing.
  • Swiping left on a vault item is the generalized destruction gesture; depending upon context it deletes plaintext, a vault item or a cloud item, or cancels a Drobox transfer.
  • When Settings / Vault Item Order is set to Manual, touch and hold a vault item to activate re-ordering. For iPad drag the item to its new location and release. For iPhone grab the drag pad and re-order the item, then touch and hold to deactivate re-ordering.

Topics

Support

Copyright (©) 2009 - 2019 BigCatOs. All rights reserved.   |   Contact

Topics