A small command-line utility for generating RSA key pairs and encrypting or decrypting files with authenticated AES-256-GCM encryption. RSA is used to wrap the randomly generated AES session key, providing public-key based sharing while keeping the data-at-rest encrypted with a fast symmetric cipher.
- Generate 2048-bit RSA key pairs, optionally protecting the private key with a passphrase.
- Encrypt any file with AES-256-GCM and an IV that is generated per file.
- Decrypt files produced by the tool, validating an embedded authentication tag before writing output.
- Chunked streaming encryption/decryption for large files, with simple progress feedback.
- Rust toolchain (Rust 1.80+ recommended). Install via rustup.
- No system OpenSSL installation is required; the vendored feature brings a portable copy.
Clone the repository and build the project:
cargo build --release

You can also run the CLI without a separate build step:

cargo run -- --help

The CLI exposes three subcommands. Every command accepts --help for details.

cargo run -- generate --output keys --passphrase "S3cret!"

- --output (optional): directory where public_key.pem and private_key.pem are written. Defaults to the current directory.
- --passphrase (optional): encrypts the private key with AES-256-CBC. Omit to write an unencrypted key.

cargo run -- encrypt --input path\to\plain.txt --key keys\public_key.pem --output plain.txt.enc

- --input (required): file to encrypt.
- --output (optional): encrypted file path. Defaults to input + ".enc".
- --key (required): PEM-formatted RSA public key generated by the tool.

The resulting file layout is:
[MAGIC][RSA(OAEP) encrypted AES key][IV][ciphertext...][GCM tag]
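
The layout above can be split and sanity-checked before any cryptography runs. The following is an added example, not this project's code: the magic value is a placeholder, and the 12-byte IV and 16-byte tag are assumed GCM defaults (only the 256-byte wrapped key follows from the 2048-bit RSA key size stated here).

```rust
// Added example: only WRAPPED_KEY_LEN is derived from the README; the rest is assumed.
const MAGIC: &[u8] = b"XXXX"; // placeholder, the tool's real magic bytes are not documented here
const WRAPPED_KEY_LEN: usize = 256; // RSA-2048 OAEP output is always modulus-sized
const IV_LEN: usize = 12; // assumed: 96-bit GCM nonce
const TAG_LEN: usize = 16; // assumed: full 128-bit GCM tag

#[derive(Debug, PartialEq)]
pub enum LayoutError {
    InvalidMagic,
    Truncated { need: usize, got: usize },
}

#[derive(Debug)]
pub struct Envelope<'a> {
    pub wrapped_key: &'a [u8],
    pub iv: &'a [u8],
    pub ciphertext: &'a [u8],
    pub tag: &'a [u8],
}

/// Splits a buffer into the fields of the layout. This is a structural check
/// only; integrity still depends on GCM verifying `tag` during decryption.
pub fn parse_envelope(buf: &[u8]) -> Result<Envelope<'_>, LayoutError> {
    if !buf.starts_with(MAGIC) {
        return Err(LayoutError::InvalidMagic);
    }
    // An empty plaintext still carries a wrapped key, an IV and a tag.
    let min = MAGIC.len() + WRAPPED_KEY_LEN + IV_LEN + TAG_LEN;
    if buf.len() < min {
        return Err(LayoutError::Truncated { need: min, got: buf.len() });
    }
    let (wrapped_key, rest) = buf[MAGIC.len()..].split_at(WRAPPED_KEY_LEN);
    let (iv, rest) = rest.split_at(IV_LEN);
    let (ciphertext, tag) = rest.split_at(rest.len() - TAG_LEN);
    Ok(Envelope { wrapped_key, iv, ciphertext, tag })
}

fn main() {
    // Constructed sample: zero-filled header fields around a 5-byte "ciphertext".
    let mut sample = MAGIC.to_vec();
    sample.extend_from_slice(&[0u8; WRAPPED_KEY_LEN + IV_LEN]);
    sample.extend_from_slice(b"hello");
    sample.extend_from_slice(&[0xAA; TAG_LEN]);
    let env = parse_envelope(&sample).unwrap();
    println!("ciphertext: {} bytes, tag: {} bytes", env.ciphertext.len(), env.tag.len());
    println!("cut short: {:?}", parse_envelope(&sample[..100]).unwrap_err());
}
```
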

cargo run -- decrypt --input plain.txt.enc --output plain.txt --key keys\private_key.pem --passphrase "S3cret!"

- --input (required): encrypted file produced by this tool.
- --output (optional): decrypted output path. Defaults to removing .enc or appending .dec.
- --key (required): PEM-formatted RSA private key.
- --passphrase (optional): supply if the private key is passphrase protected.

- Protect your private key and any passphrase you use. Losing either prevents decryption.
- AES-256-GCM provides confidentiality and integrity; decryption fails if the file is modified.
- The tool prints progress to standard output; redirect or silence it if filenames are sensitive or the output is logged.

- Failed to parse private key PEM: ensure you passed the correct key and, if encrypted, the correct passphrase.
- Invalid magic number: the file was not encrypted with this tool or is corrupted.
- For verbose clap usage information, append --help after any subcommand.

- Format the code with cargo fmt.
- Run the linter with cargo clippy --all-targets.
- Execute tests (if added) with cargo test.

This project is licensed under the terms of the LICENSE file provided in the repository.