[Cryptography] Announcing vcrypt: a new encryption toolkit for multi-factor encryption

Ben Burkert ben at benburkert.com
Sun Dec 6 17:55:12 EST 2015


I am pleased to announce a preview release of vcrypt, an encryption toolkit for
building and executing a multi-factor encryption schemes. vcrypt supports a
multi-role encryption workflow: an expert user crafts an encryption plan
distributed to a novice user for safe, reliable encryption.

A plan is an artifact that encodes each step in a multi-factor encryption
scheme. Steps are arranged into a directed acyclic graph with a single root
step. Each step picks and configures a construct like Shamir's Secret Sharing,
NaCl's secretbox, or OpenPGP public key encryption. vcrypt's "build" subcommand
outputs a plan artifact which contains no secret information & is safe to
distribute publicly.

The "lock" subcommand produces an encrypted vault artifact from the input data
(to be protected) and plan artifact. This command requires no extra
configuration and only prompts the user for secrets required for encryption
(passwords, symmetric keys). vcrypt symmetrically encrypts the input data with a
randomly generated key which becomes the output of the DAG. The DAG is walked
to lock each step's output to generate the input, which in turn becomes the
output for the next step in the graph. The vault artifact holds the ciphertext
for the protected data and any intermediate (non-secret) material from the DAG,
along with the plan artifact. There is no unencrypted secret data in the vault

A vault can be decrypted using the "unlock" subcommand, which walks the DAG in
reverse order unlocking each step's output as input for the next. Steps may be
skipped by the user when the required secret is unknown (e.g. another person's
private key). The output of individual steps can be passed between users with
the "import" and "export" subcommands.

Examples are provided to showcase different encryption schemes achievable with


* twoman: two-man rule control mechanism; requires two passwords
* diamond: requires three secrets; the second has two possible solutions
* dnssec: inspired by DNSSEC root key; m-of-n, multi-party OpenPGP encryption

** vcrypt is preview software and is not ready for general use **

Code is available on GitHub:


- Ben

More information about the cryptography mailing list