{"id":13929058,"url":"https://github.com/finfet/kestrel","last_synced_at":"2026-03-08T02:20:40.336Z","repository":{"id":41261020,"uuid":"388373426","full_name":"finfet/kestrel","owner":"finfet","description":"File encryption done right","archived":false,"fork":false,"pushed_at":"2024-09-14T22:58:54.000Z","size":473,"stargazers_count":30,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-29T22:25:54.195Z","etag":null,"topics":["cryptography","encryption","end-to-end-encryption"],"latest_commit_sha":null,"homepage":"https://getkestrel.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/finfet.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-22T07:45:58.000Z","updated_at":"2024-09-22T14:21:36.000Z","dependencies_parsed_at":"2023-09-24T11:26:26.614Z","dependency_job_id":"ebbccfcf-1c8d-4205-90d4-bf5c2096ac55","html_url":"https://github.com/finfet/kestrel","commit_stats":{"total_commits":196,"total_committers":3,"mean_commits":65.33333333333333,"dds":"0.16326530612244894","last_synced_commit":"4403d42e51f3558fecf5900d1cb38026e7711092"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finfet%2Fkestrel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finfet%2Fkestrel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finfet%2Fkestrel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finfet%2Fkestrel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finfet","download_url":"https://codeload.github.com/finfet/kestrel/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226588954,"owners_count":17655809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","encryption","end-to-end-encryption"],"created_at":"2024-08-07T18:02:05.071Z","updated_at":"2026-03-08T02:20:35.303Z","avatar_url":"https://github.com/finfet.png","language":"Rust","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"\u003cp\u003e\u003cimg src=\"https://user-images.githubusercontent.com/13957897/149721971-bdd844e6-0a9d-43fa-9205-04a8daa9fab6.png\" alt=\"Kestrel Logo\" width=\"600\"\u003e\u003c/p\u003e\n\n**File encryption done right**\n\n## About\n\nKestrel is a data-at-rest file encryption program that lets you encrypt files\nto anyone with a public key.\n\n\n## Features and Advantages\n\n- Encrypt files using a public key or a password.\n- Strong security and privacy guarantees. Uses X25519, ChaCha20-Poly1305\n  and the Noise Protocol. Guarantees sender authentication.\n- Secure defaults with zero configuration needed.\n- Supports files of any size.\n- Keys are simple strings that are easy to manage and copy-paste.\n- Private keys are always encrypted.\n- Single binary that is easy to run anywhere.\n- Supports Linux, macOS, Windows.\n\n\n## Limitations\n\n- Does not handle signatures. You can't sign files with this. However,\n  sender authentication is guaranteed.\n- Does not solve the key distribution problem. You have to acquire\n  known-good public keys through some other means.\n\n\n## Security Properties\n\n- **Sender authentication**: When you successfully decrypt a file, you can be\n  certain that it came from someone that you know and that it hasn't been\n  tampered with in any way.\n- **Metadata protection**: Encrypted files contain absolutely zero information\n  about the sender or recipient.\n- **Deniability**: Unlike using a digital signature for authentication, Kestrel\n  provides sender authentication without non-repudiation. You are not\n  cryptographically bound to the messages that you send. If the recipient tries\n  to reveal a message, you are able to deny that you sent that message.\n- **Partial forward secrecy**: An attacker must compromise the _recipient's_\n  private key in order to decrypt a file. Someone else getting their private\n  key compromised doesn't affect the files that they had previously sent to you.\n\nKestrel uses a combination of the Noise Protocol and a chunked file encryption\nscheme. Read the [security documentation](https://getkestrel.com/docs/security-information/)\nfor more details.\n\n\n## Advantages compared to other applications\n\n**GPG**\n\nGPG is a massively complex tool with many use cases, features, and shortcomings.\nIn general, Kestrel provides better default security guarantees with no\nconfiguration required. In particular, by default, GPG does not provide sender\nauthentication or metadata protection. Sender authentication can be\nadded by including signatures, but this removes deniability. In contrast,\nKestrel includes sender authentication while preserving deniability and\nprotecting metadata.\n\n**age**\n\nage is a newer tool with strong defaults and is much less complex than GPG.\nHowever, age does not provide sender authentication. A successfully decrypted\nfile could have come from anyone, including from an attacker that replaced the\nfile with a malicious copy. Kestrel fixes this by showing you the exact sender\nof a file.\n\n## Installation\n\nTested on Linux, macOS, Windows\n\nDownload from the [Official Site](https://getkestrel.com)\n\nOr grab the [GitHub release](https://github.com/finfet/kestrel/releases/latest)\n\nIf you have cargo you can also use `cargo install --locked kestrel-cli`\n\n\n## Usage Examples\n\nGenerate a new private key\n```\n$ kestrel key gen -o keyring.txt\nKey name: alice\nNew password:\nConfirm password:\n$ cat keyring.txt\n[Key]\nName = alice\nPublicKey = D7ZZstGYF6okKKEV2rwoUza/tK3iUa8IMY+l5tuirmzzkEog\nPrivateKey = ZWdrMPEp09tKN3rAutCDQTshrNqoh0MLPnEERRCm5KFxvXcTo+s/Sf2ze0fKebVsQilImvLzfIHRcJuX8kGetyAQL1VchvzHR28vFhdKeq+NY2KT\n```\n\nEncrypt a file\n```\n$ kestrel encrypt example.txt --to alice --from alice -o example.txt.ktl -k keyring.txt\n```\n\nDecrypt a file\n```\n$ kestrel decrypt example.txt.ktl -t alice -o example.txt -k keyring.txt\n```\n\nEncrypt a file using a password\n```\n$ kestrel pass enc example.txt -o example.txt.ktl\n```\n\nSet the environment variable `KESTREL_KEYRING` to use a default keyring file.\n\n## Usage\n\n```\nUSAGE:\n    kestrel encrypt [FILE] -t NAME -f NAME [-o FILE] [-k KEYRING]\n    kestrel decrypt [FILE] -t NAME [-o FILE] [-k KEYRING]\n    kestrel key generate [-o FILE]\n    kestrel key change-pass PRIVATE-KEY\n    kestrel key extract-pub PRIVATE-KEY\n    kestrel password encrypt|decrypt [FILE] [-o FILE]\n\n    Aliases enc, dec, pass, and gen can be used as encrypt, decrypt,\n    password, and generate respectively.\n    Option -k is required unless KESTREL_KEYRING env var is set.\n\nOPTIONS:\n    -t, --to      NAME    Recipient key name. Decrypt requires a private key.\n    -f, --from    NAME    Sender key name. Must be a private key.\n    -o, --output  FILE    Output file name.\n    -k, --keyring KEYRING Location of a keyring file.\n    -h, --help            Print help information.\n    -v, --version         Print version information.\n    --env-pass            Read password from KESTREL_PASSWORD env var\n```\n\n## Documentation\n\nView the [documentation](https://getkestrel.com/docs/)\n\nSource code for the documentation can be found in the\n[kestrel-doc](https://github.com/finfet/kestrel-doc) repository.\n\n\n## Contributing\n\nPatches welcome. Please send feedback and bug reports for any issues that\nyou may have.\n\n\n## License\n\nBSD 3 Clause\n\nUnless you explicitly state otherwise, any contribution intentionally\nsubmitted for inclusion in this project by you, shall be licensed as\nBSD-3-Clause, without any additonal terms or conditions.\n\n\n\u003e [!WARNING]\n\u003e To the best of my knowledge, Kestrel is secure. However, this software has\n\u003e not yet undergone a formal security audit. Swim at your own risk.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinfet%2Fkestrel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffinfet%2Fkestrel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinfet%2Fkestrel/lists"}