https://docs.rs/ferrocrypt-cli

Ferrocrypt

   

Tiny, easy-to-use, and highly secure multiplatform encryption tool with CLI and GUI interfaces. Written entirely in Rust.

Table of Contents

• Ferrocrypt
  • ABOUT
  • INSTALLATION
  • USING the CLI app
    • 1. Direct subcommand usage
      • Symmetric encryption (password-based key derivation)
      • Hybrid encryption
        • Generate a private/public key pair and set a passphrase for encrypting the private key
        • Encrypt file or directory (using a public key)
        • Decrypt file (using a private key)
    • 2. Interactive command mode (REPL)
  • SUBCOMMANDS AND OPTIONS
    • Global options
    • symmetric subcommand
    • hybrid subcommand
    • keygen subcommand
  • BUILD the GUI apps (tested on macOS)
    • Tauri GUI
      • Install the create-tauri-app utility:
      • Install the Tauri CLI:
      • Install node modules:
      • Build the app to a binary executable file:
      • Build a DMG installer for macOS:
      • You can start a live dev session with:
    • Dioxus GUI
      • Build release binary:
      • Start a live dev session:
      • Bundle the desktop app:
  • USING the GUI App
    • Symmetric Encryption Mode
    • Hybrid Encryption Mode
    • Key Pair Creation

ABOUT

Ferrocrypt is a simple encryption tool leveraging Rust's memory safety guarantees and performance benefits. The name comes from Latin: "ferrum" (iron) and "ferrugo" (rust).

GUI Options:

• Tauri app (Rust + React frontend)
• Dioxus desktop app (pure Rust)

Encryption Modes:

1. Symmetric - Uses XChaCha20-Poly1305 encryption with Argon2id password-based key derivation. Ideal for personal use where the same password encrypts and decrypts data. Produces .fcs vault files.

2. Hybrid - Combines XChaCha20-Poly1305 (data encryption) with RSA-4096 (key encryption). Each file/folder gets a unique random key, encrypted with your public key. Requires both the private key AND password for decryption, providing dual-layer security. Produces .fch vault files.

Security Features:

• Audited encryption: Uses the chacha20poly1305 crate, which has undergone successful security audits
• Secure secret handling: Passphrases are protected using the secrecy crate, preventing accidental exposure through Debug/Display traits and ensuring automatic memory zeroization when dropped
• Error correction: Reed-Solomon parity bytes protect cryptographic headers from corruption due to bit rot or data transfer errors, enabling reliable data recovery

The code is separated in multiple projects - the library ferrocrypt-lib, a CLI client ferrocrypt-cli, a TAURI based GUI app ferrocrypt-gui-tauri, and a Dioxus based GUI app ferrocrypt-gui-dioxus.

INSTALLATION

CLI Installation

Install from crates.io:

# Installs the 'ferrocrypt' binary
cargo install ferrocrypt-cli

Or build from source:

cargo build --release

The binary executable file will be generated in target/release/ferrocrypt (macOS and Linux) or target\release\ferrocrypt.exe (Windows).

Library Installation

cargo add ferrocrypt

Or add to your Cargo.toml:

ferrocrypt = "0.2"

USING the CLI app

The CLI supports two usage modes:

1. Direct subcommands (recommended for scripts and automation)
2. Interactive command mode (REPL), entered when you run ./ferrocrypt with no arguments

Commands shown are for macOS/Linux (use ferrocrypt instead of ./ferrocrypt on Windows).
Flags can be used in any order.

Available subcommands:

• keygen – Generate a hybrid (asymmetric) key pair
• hybrid – Hybrid encryption/decryption using public/private keys
• symmetric – Symmetric encryption/decryption using a passphrase

---

1. Direct subcommand usage

Symmetric encryption (password-based key derivation)

• Encrypt file or directory | decrypt file

./ferrocrypt symmetric --inpath <SRC_PATH> --outpath <DEST_DIR_PATH> --passphrase <PASSPHRASE>

or

./ferrocrypt symmetric -i <SRC_PATH> -o <DEST_DIR_PATH> -p <PASSPHRASE>

Hybrid encryption

Generate a private/public key pair and set a passphrase for encrypting the private key

./ferrocrypt keygen --bit-size <BIT_SIZE> --passphrase <PASSPHRASE> --outpath <DEST_DIR_PATH>

or

./ferrocrypt keygen -b <BIT_SIZE> -p <PASSPHRASE> -o <DEST_DIR_PATH>

If --bit-size is omitted, the default is 4096.

Encrypt file or directory (using a public key)

./ferrocrypt hybrid --inpath <SRC_PATH> --outpath <DEST_DIR_PATH> --key <PUBLIC_PEM_KEY>

or

./ferrocrypt hybrid -i <SRC_PATH> -o <DEST_DIR_PATH> -k <PUBLIC_PEM_KEY>

Decrypt file (using a private key)

./ferrocrypt hybrid --inpath <SRC_FILE_PATH> --outpath <DEST_DIR_PATH> --key <PRIVATE_PEM_KEY> --passphrase <PASSPHRASE>

or

./ferrocrypt hybrid -i <SRC_FILE_PATH> -o <DEST_DIR_PATH> -k <PRIVATE_PEM_KEY> -p <PASSPHRASE>

---

2. Interactive command mode (REPL)

Running ./ferrocrypt without any arguments starts an interactive shell:

$ ./ferrocrypt
Ferrocrypt interactive mode
Type `keygen`, `hybrid`, or `symmetric` with flags, or `quit` to exit.

ferrocrypt> keygen -o keys -p "my secret"
ferrocrypt> hybrid -i secret.txt -o out -k public.pem
ferrocrypt> symmetric -i secret.txt -o out -p "my secret"
ferrocrypt> quit

This mode is convenient for exploratory or repeated use.
Under the hood, it uses the same subcommands and flags as the direct CLI.

---

SUBCOMMANDS AND OPTIONS

Global options

| Flag             | Description    |
|------------------|----------------|
| `-h, --help`     | Print help     |
| `-V, --version`  | Print version  |

symmetric subcommand

| Flag                             | Description                                                                                                  |
|----------------------------------|--------------------------------------------------------------------------------------------------------------|
| `-i, --inpath <SRC_PATH>`        | File or directory path that needs to be encrypted, or the file path that needs to be decrypted              |
| `-o, --outpath <DEST_DIR>`       | Destination directory path                                                                                   |
| `-p, --passphrase <PASSWORD>`    | Password to derive the symmetric key for encryption and decryption                                          |
| `-l, --large`                    | For large input file(s) that cannot fit into the available RAM.*                                            |

* Use -l, --large when encrypting files larger than available RAM or to minimize memory usage. Omitting it provides faster encryption for smaller files. The decryption process automatically uses the same method as encryption.

hybrid subcommand

| Flag                             | Description                                                                                                  |
|----------------------------------|--------------------------------------------------------------------------------------------------------------|
| `-i, --inpath <SRC_PATH>`        | File or directory path that needs to be encrypted, or the file path that needs to be decrypted              |
| `-o, --outpath <DEST_DIR>`       | Destination directory path                                                                                   |
| `-k, --key <KEY_PATH>`           | Path to the public key for encryption, or the path to the private key for decryption                        |
| `-p, --passphrase <PASSWORD>`    | Password to decrypt the private key (only required when using a private key)                                |

keygen subcommand

| Flag                             | Description                                                                                                  |
|----------------------------------|--------------------------------------------------------------------------------------------------------------|
| `-o, --outpath <DEST_DIR>`       | Destination directory path where the generated key pair will be written                                     |
| `-p, --passphrase <PASSWORD>`    | Passphrase to encrypt the generated private key                                                              |
| `-b, --bit-size <BIT_SIZE>`      | Length of the key in bits for the key pair generation (default: `4096`)                                     |

BUILD the GUI apps (tested on macOS)

Tauri GUI

After installing Rust and Node.js (at least v.18), navigate to the ferrocrypt-gui-tauri directory and run the following commands:

Install the create-tauri-app utility:

cargo install create-tauri-app

Install the Tauri CLI:

cargo install tauri-cli

Install node modules:

npm install

Build the app to a binary executable file:

cargo tauri build

The binary executable file of the GUI app will be generated in ferrocrypt-gui-tauri/src-tauri/target/release/

Build a DMG installer for macOS:

cargo tauri build --bundles dmg

The DMG image file of the GUI app will be generated in ferrocrypt-gui-tauri/src-tauri/target/release/bundle/dmg/

You can start a live dev session with:

cargo tauri dev

Dioxus GUI

After installing Rust, install the Dioxus CLI:

• Install cargo-binstall:

curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash

• Install Dioxus CLI:

cargo binstall dioxus-cli

Navigate to the ferrocrypt-gui-dioxus directory and run:

Build release binary:

cargo build --release

The binary will be generated in target/release/ferrocrypt-gui-dioxus

Start a live dev session:

dx serve

Bundle the desktop app:

dx bundle

USING the GUI App

Drag and drop a file or folder into the app window, then select the encryption mode. When decrypting, the app auto-detects the mode.

Symmetric Encryption Mode

Encrypt/decrypt using the same password. Choose a password, destination folder, and click "Encrypt". For large files, enable "Large files (low RAM usage)" to reduce memory consumption.

Hybrid Encryption Mode

Ideal for secure data exchange. Encrypt using a public RSA key (PEM format), decrypt using the corresponding private key and password.

Key Pair Creation

Select "Create key pair", enter a password to protect the private key, choose output folder, and generate RSA-4096 keys.