Krypton/X Help

Krypton
Personal Privacy Agent
Krypton for macOS is a privacy tool that uses strong encryption to securely protect personal and confidential information resident on your Apple computer, iPod touch, iPhone and iPad. Krypton is not a password manager: it encrypts and decrypts entire folders and documents (text, spreadsheets, images, recipes, emails, anything).

Topics

Terminology
  • Plaintext refers to any item, whether a text file, image, Word or Pages document, spreadsheet, HTML or sound file, etc., in its normal format.
  • Ciphertext refers to a plaintext item that has been encrypted, and is thus unrecognizable.
  • A passcode is a string of words and characters used as a key during encryption and decryption. The only way to decrypt a Krypton item is by knowing the passcode used to encrypt it.

The Vault

Metaphorically, Krypton keeps your ciphertext items in a special vault, with each item contained in its own deposit box. To gain access to a ciphertext item, the vault must be open and the passcode key must be used to unlock the deposit box before you can discern the plaintext contents inside. In iOS the vault may be open or closed, while on macOS the vault opens upon Log In. When the vault is open, ciphertext items are displayed in alphabetical order, each represented by its name, creation date, size and one of these icons:

Safety Deposit Box Image

A vault document resides on your Macintosh; an iCloud Drive or Dropbox document resides on the cloud and must be downloaded to the vault before it can be decrypted. Double-clicking a vault item performs the default action upon that item: for a vault document the decryption process is initiated; for an iCloud Drive or Dropbox document it is imported and a copy is stored in the vault.

To encrypt a document and add it to the vault use the File menu item Add To Vault (⌘N).

For further actions, double-click a vault item's Action icon. Here, for the Pages document ASTR 301 Homework 7, we can export or delete it from the vault, upload it to iCloud Drive, decrypt it, and change its passcode. You may enable Send To Dropbox in Preferences.

Decrypt Ciphertext

To decrypt a ciphertext item simply double-click it. Krypton asks where to store the plaintext and prompts for the item's passcode, then decodes the ciphertext. Unlike the iOS version of Krypton, which automatically opens a viewport to display the plaintext, on macOS you are responsible for manually opening the plaintext file.

Import Ciphertext and Plaintext

You can import items into Krypton's vault using the File / Add To Vault (⌘N) menu, by dropping a single file or folder onto the app's icon or vault, or from iCloud Drive or Dropbox. Note: if the imported item is plaintext, it is encrypted and then stored in the vault.

You can import/encrypt any number of files and/or folders via the File / Add To Vault (⌘N) menu. You are asked once for a passcode that is used to encrypt all the chosen items. Already encrypted items are simply copied to the vault; they are not re-encrypted.

Finally, double-clicking an iCloud Drive or Dropbox document or selecting the action Import From iCloud Drive or Import From Dropbox copies the ciphertext document to the vault.

Export Ciphertext

You can share ciphertext items in the vault by double-clicking the Action icon and selecting Export from the list of actions.

Delete Ciphertext

To remove an item from the vault double-click the Action icon and select Delete. Deleting an iCloud Drive (or Dropbox) item removes the ciphertext from your device, iCloud Drive (or Dropbox) and all synchronized computers and mobile devices.

Ciphertext Encryption Strength Levels

Crypto best practices are constantly evolving, and occasionally Krypton's encryption algorithm is strengthened accordingly. Once Krypton has incorporated a stronger encryption methodology, all newly encrypted documents are generated in this format, so over time you may collect a mixture of encrypted documents of various security strength levels.

Krypton indicates this strength level using a small LED in the ciphertext item's deposit box door. For vault items that are in the cloud and not resident on the device the LED is unlit and not visible. Otherwise the LED is lit, and for vault items with the highest security level the light glows green. For vault items encrypted with an older algorithm the LED glows orange; but keep in mind that this does not mean the item is insecure, only less secure relative to Krypton's latest encryption standard. Although we guarantee that in the future Krypton will decrypt a document of any security level, it is in your best interest to re-encrypt older items with the latest encryption algorithm: the higher the security level the better.

For you technical folks, here are implementation details on the current Level 2 encryption format.

  • All encryption uses AES with 256-bit keys, CBC and PKCS7.
  • All keys are generated using PBKDF2, SHA-512, random salts and random rounds.
  • Every vault item has its own random master key and random IV, used to encrypt the plaintext.
  • The master key is itself encrypted.
  • The encrypted plaintext and encrypted master key are authenticated with a MAC (Encrypt-Then-MAC).

Change Passcode

You can change the passcode for ciphertext items at encryption strength level 2 (created by Krypton for macOS version 3, or iOS version 4) and higher. Touch Action, select Change Passcode, and enter your current and new passcodes. Krypton first uses the current passcode to authenticate the ciphertext and, assuming that is successful, the passcode change operation commences. For a 4 GB file this will take approximately 2 minutes on a fast iMac ... if you do not have a few minutes to spare, do not attempt a passcode change!

WARNING!

Because your encrypted file is randomly re-written in-place, you must NOT interrupt the change process. Do not leave Krypton, do not lock your screen or power-off your Macintosh. Doing so will almost certainly lead to irrecoverable data loss.
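
A sketch of the Level 2 properties listed under Ciphertext Encryption Strength Levels and of the authenticate-then-change flow described in this section, as an added example (not Krypton's code or file format). The field layout, the split of the PBKDF2 output into a wrapping key and a MAC key, the round range and the names `seal`, `unseal` and `changePasscode` are assumptions.

```javascript
// Added sketch, not Krypton's code or file format; layout and key split are assumptions.
const { pbkdf2Sync, randomBytes, randomInt, createCipheriv,
        createDecipheriv, createHmac, timingSafeEqual } = require("crypto");
// PBKDF2-SHA512 yields 64 bytes: 32 to wrap the master key, 32 to key the MAC.
function deriveKeys(passcode, salt, rounds) {
  const okm = pbkdf2Sync(passcode, salt, rounds, 64, "sha512");
  return { kek: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function aesCbc(encrypt, key, iv, data) {
  const c = (encrypt ? createCipheriv : createDecipheriv)("aes-256-cbc", key, iv);
  return Buffer.concat([c.update(data), c.final()]); // PKCS7 padding is Node's default
}

// The tag covers every stored field, including the wrapped key and the body.
function tagFor(macKey, b) {
  const rounds = Buffer.alloc(4); rounds.writeUInt32BE(b.rounds);
  return createHmac("sha512", macKey)
    .update(Buffer.concat([b.salt, rounds, b.wrapIv, b.wrappedKey, b.iv, b.ct]))
    .digest();
}

function seal(passcode, plaintext) {
  const b = { salt: randomBytes(16), rounds: 100000 + randomInt(100000),
              wrapIv: randomBytes(16), iv: randomBytes(16) };
  const { kek, macKey } = deriveKeys(passcode, b.salt, b.rounds);
  const masterKey = randomBytes(32); // per-item key, independent of the passcode
  b.ct = aesCbc(true, masterKey, b.iv, plaintext);
  b.wrappedKey = aesCbc(true, kek, b.wrapIv, masterKey);
  b.tag = tagFor(macKey, b);
  return b;
}

function unwrapKey(passcode, b) {
  const { kek, macKey } = deriveKeys(passcode, b.salt, b.rounds);
  // Encrypt-then-MAC: check the tag before any CBC padding is processed.
  if (!timingSafeEqual(tagFor(macKey, b), b.tag)) throw new Error("authentication failed");
  return aesCbc(false, kek, b.wrapIv, b.wrappedKey);
}
const unseal = (passcode, b) => aesCbc(false, unwrapKey(passcode, b), b.iv, b.ct);

// Passcode change: authenticate with the old passcode, re-wrap the same key, re-tag.
function changePasscode(oldPass, newPass, b) {
  const masterKey = unwrapKey(oldPass, b);
  const n = { ...b, salt: randomBytes(16), rounds: 100000 + randomInt(100000), wrapIv: randomBytes(16) };
  const { kek, macKey } = deriveKeys(newPass, n.salt, n.rounds);
  n.wrappedKey = aesCbc(true, kek, n.wrapIv, masterKey);
  n.tag = tagFor(macKey, n);
  return n;
}
```

In this sketch a passcode change leaves the bulk ciphertext bytes unchanged, but the tag still has to be recomputed over all of them because it covers both the wrapped key and the body.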

iCloud Drive and Dropbox Documents

iCloud Drive support is controlled by Mac OS X in System Preferences / iCloud / iCloud Drive / Options. Dropbox support is controlled by Krypton in Krypton / Preferences.

Krypton documents on iCloud Drive (or Dropbox) must first be imported before they can be decrypted and viewed. After touching Action and selecting Import From iCloud Drive (or Import From Dropbox) the item is marked busy until the download completes and the ciphertext is stored in the vault. At that point you use the item as you normally would. If you delete the vault copy of an iCloud Drive-backed (or Dropbox-backed) document only the vault item is removed. But if you delete the iCloud Drive (or Dropbox) item then the ciphertext is removed from your device, iCloud Drive (or Dropbox) and all synchronized devices.

To move an item from the vault to iCloud Drive (or Dropbox) touch Action and select Send To iCloud Drive (or Send To Dropbox).

Krypton handles iCloud Drive (and Dropbox) version conflicts simply: the last document pushed to iCloud Drive (or Dropbox) wins. So, if you create encrypted documents having identical names on two offline iDevices and/or Macintoshes, then as each device connects to the Internet it stores its version of the document on iCloud Drive (or Dropbox); consequently, the second copy overwrites the first and becomes the true copy.

Krypton distinguishes vault items that have duplicate names by displaying a tiny overlay indicating the item's cloud repository source.

The vault's contents are generally updated automatically, but you can force an iCloud and Dropbox refresh with the command File / Refresh Vault List (⌘R).

Shred Plaintext

When Krypton shreds a plaintext item it first overwrites the file with a pattern of all ones, followed by a second pass of all zeros, before deleting the file.

Support

Copyright (©) 2009 - 2019 BigCatOs. All rights reserved.
