Security
- Patched a potential directory traversal attack vulnerability when decrypting a file/folder someone sent you that contained a malicious file name. I say potential because I have not attempted to exploit the attack, and this type of vulnerability primarily affects web applications. However, it has also affected ZIP libraries and encryption libraries.
Added
- Non-interactive password support, meaning you can now do
-p:"[password]"instead of entering the password interactively. To randomly generate a password, you can type a space:-p:" ". However, entering a password interactively is still more secure as it hides your password and avoids using a string variable. - Exporting the recovered public key from
-r|--recoverto a.publicfile if one does not exist in the same directory as the.privatekey file. - Automatic
vcruntime140.dllextraction on Windows to always ensure that the libsodium cryptographic library is portable. -u|--updatecan now install updates for you. This checks the download signatures automatically, ensuring authenticity and integrity, and replaces thekryptorexecutable in place.- Coloured error messages (red) and successful messages (green). Blue and orange are also used but rarely.
- A note in
-h|--helpabout having to surround file names/paths with "speech marks".
Changed
- Switched to .NET 6.
- The
-f|--obfuscateoption has been renamed to-n|--names. I will now be calling it file name encryption rather than file name obfuscation. - Path.GetRandomFileName() is no longer being used because the documentation was updated to remove the claim that it is cryptographically secure.
- It is now possible to sign
.signaturefiles. - The spacing in the output text has been changed to try and make things more readable.
- File names in the output text are now surrounded by "speech marks" to help distinguish them from other text.
- Lots of code improvements to reduce the line count.
- Various error messages have been improved.
Fixed
- The authenticated comment is no longer shown if it is empty when verifying a signature.
- Folders containing only empty subdirectories are now detected as containing no files, leading to an error.
- String.Replace() is no longer used for file paths since it may cause problems by removing multiple parts of a string.
- Illegal file name characters are now removed from the file name before it is stored during file name encryption because this could cause issues decrypting the file on another operating system. This may be switched to an error in the future.
- The total count should now be correct when decrypting a directory with an incorrect salt length.
v4.0.0 Roadmap
As a reminder, lots of improvements and breaking changes will be coming in v4, and you can follow my progress via the Roadmap and Projects tab. It will take a while to get this release out because of university and writing a custom libsodium binding.