A fast, easy-to-use, and secure command-line tool for encrypting and decrypting files or entire directory trees.
- Fast: Uses AEGIS-128X2 and multi-threaded processing for directories
- Secure: Every file is authenticated - tampering is detected automatically
- Simple: Clean command-line interface with sensible defaults
- Flexible: Works with single files or entire directory trees, with optional filename encryption
Pre-built binaries for Linux, macOS, and Windows are available at: https://github.com/jedisct1/turbocrypt/releases
Note: Building from source is recommended for best performance. The compiled binary will be optimized for your specific platform, while pre-built binaries are built for the lowest common denominator.
Requirements: Zig (master)
git clone https://github.com/jedisct1/turbocrypt.git
cd turbocrypt
zig build -Doptimize=ReleaseFast
The compiled binary will be in zig-out/bin/turbocrypt. Move it elsewhere, add it to your PATH, or use the full path.
First, create a key file. This is a random 128-bit key that you'll use to encrypt and decrypt your files.
turbocrypt keygen secret.key
Important: Keep this key file safe! Anyone with access to it can decrypt your files.
Store the key in your configuration so you don't have to specify it every time:
turbocrypt config set-key secret.key
After this, you can encrypt and decrypt without specifying the key. The tool is now ready to use!
Encrypt a single file:
turbocrypt encrypt document.pdf document.pdf.enc
Encrypt an entire directory:
turbocrypt encrypt my-documents/ encrypted-documents/
Check that your encrypted files are intact:
turbocrypt verify encrypted-documents/
This confirms all files were encrypted successfully and haven't been corrupted or tampered with.
For a faster check that just verifies you have the correct key:
turbocrypt verify --quick encrypted-documents/
Decrypt a file:
turbocrypt decrypt document.pdf.enc document.pdf
Decrypt the entire directory:
turbocrypt decrypt encrypted-documents/ my-documents/
That's it!
If you want to protect your key file, you can encrypt it with a password:
# Generate a password-protected key
turbocrypt keygen --password protected.key
# Enter your password when prompted
# Use it (you'll be prompted for the password)
turbocrypt encrypt --key protected.key --password source/ dest/
When you encrypt a directory, you can optionally specify a context string. This adds an additional secret that's required to decrypt your files - think of it as a second password that works alongside your encryption key.
Here's why this matters: Even if someone gains access to your encryption key file and your password, they still won't be able to decrypt your files without knowing the context you used. The context acts as an extra safeguard that you keep in your head rather than written down.
# Encrypt with a context
turbocrypt encrypt --key my-secret.key --context "my-secret-phrase" documents/ encrypted/
# To decrypt, you MUST provide the exact same context
turbocrypt decrypt --key my-secret.key --context "my-secret-phrase" encrypted/ documents/
# Wrong context? Decryption will fail, even with the correct key
turbocrypt decrypt --key my-secret.key --context "wrong-phrase" encrypted/ documents/
# Error: Wrong decryption key, wrong context, or corrupted file header
Each context creates completely different encrypted files, even when using the same key. Files encrypted with context "project-a" cannot be decrypted with context "project-b", or without any context at all.
Sometimes you want to encrypt files directly without creating copies:
turbocrypt encrypt --key my-secret.key --in-place my-documents/
Warning: This overwrites the original files. Make sure you have backups first!
If you want to conceal not just the contents but also the names of your files:
turbocrypt encrypt --key my-secret.key --enc-filenames source/ dest/
This encrypts each filename component, making it impossible to tell what files are in the encrypted directory without the key.
Use exclude patterns to skip files you don't want to encrypt:
# Skip log files and the .git directory
turbocrypt encrypt --key my-secret.key \
--exclude "*.log" \
--exclude ".git/" \
my-project/ encrypted-project/
Common exclude patterns:
- *.log - skip all .log files
- *.tmp - skip temporary files
- .git/ - skip git repository data
- node_modules/ - skip Node.js dependencies
- __pycache__/ - skip Python cache files
Check if encrypted files are intact without decrypting them:
# Verify a single file
turbocrypt verify --key my-secret.key encrypted-file.enc
# Verify an entire directory
turbocrypt verify --key my-secret.key encrypted-documents/
# Quick verification (only checks if you have the correct key)
turbocrypt verify --quick --key my-secret.key encrypted-documents/
This is useful for checking backups or verifying files after transferring them.
Quick vs Full Verification:
- --quick: Only verifies the header MAC (checks if you have the correct key). Much faster but doesn't verify data integrity.
- Full verification (default): Checks both the header MAC and content, ensuring both key correctness and data integrity.
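The context and quick-versus-full behaviour described above, as an added Python model that is not turbocrypt's code or file format. It substitutes HMAC-SHA256 for AEGIS and assumes a hypothetical layout of nonce, header MAC, payload and payload tag; every function name is an assumption, and the payload stands in for ciphertext.

```python
import hashlib
import hmac
import os

HEADER_LEN, TAG_LEN = 48, 32  # hypothetical layout: 16-byte nonce + 32-byte header MAC

def derive(master_key: bytes, context: str, label: bytes) -> bytes:
    """Domain-separated subkey: a different context yields an unrelated key."""
    msg = label + b"\x00" + context.encode("utf-8")
    return hmac.new(master_key, msg, hashlib.sha256).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(master_key: bytes, context: str, payload: bytes) -> bytes:
    """Wrap payload (standing in for ciphertext) with a header MAC and a payload tag."""
    nonce = os.urandom(16)
    header = nonce + mac(derive(master_key, context, b"header"), nonce)
    tag = mac(derive(master_key, context, b"payload"), nonce + payload)
    return header + payload + tag

def verify(master_key: bytes, context: str, blob: bytes, quick: bool = False) -> str:
    if len(blob) < HEADER_LEN + TAG_LEN:
        return "bad header"
    nonce, header_mac = blob[:16], blob[16:HEADER_LEN]
    payload, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = mac(derive(master_key, context, b"header"), nonce)
    if not hmac.compare_digest(header_mac, expected):
        return "bad header"          # wrong key, wrong context, or corrupted header
    if quick:
        return "ok"                  # key and context match; payload NOT checked
    expected = mac(derive(master_key, context, b"payload"), nonce + payload)
    return "ok" if hmac.compare_digest(tag, expected) else "tampered"

def demo() -> dict:
    key = bytes(range(16))                       # constructed 128-bit sample key
    blob = seal(key, "project-a", b"constructed sample payload")
    # Single-bit change in the first payload byte, header left intact.
    flipped = blob[:HEADER_LEN] + bytes([blob[HEADER_LEN] ^ 1]) + blob[HEADER_LEN + 1:]
    return {
        "right context": verify(key, "project-a", blob),
        "wrong context": verify(key, "project-b", blob),
        "no context": verify(key, "", blob),
        "tampered, quick": verify(key, "project-a", flipped, quick=True),
        "tampered, full": verify(key, "project-a", flipped),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

In this model a modified payload passes the quick check and fails the full one, which is why a quick check alone does not establish that a transferred backup is intact.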
If you use the same key and settings frequently, save them:
# Set your default key (stores it in config)
turbocrypt config set-key my-secret.key
# Set default thread count
turbocrypt config set-threads 8
# Add permanent exclude patterns
turbocrypt config add-exclude "*.log"
turbocrypt config add-exclude ".git/"
# View your configuration
turbocrypt config show
Now you can run commands without repeating options:
# Uses the key and excludes from your config
turbocrypt encrypt source/ dest/

# Generate a new key
turbocrypt keygen output.key
# Generate a password-protected key
turbocrypt keygen --password output.key
# Set default key in config
turbocrypt config set-key my.key

# Basic encryption
turbocrypt encrypt --key KEY source dest
# With password-protected key
turbocrypt encrypt --key KEY --password source dest
# Encrypt in place (overwrites source)
turbocrypt encrypt --key KEY --in-place source/
# Encrypt filenames too
turbocrypt encrypt --key KEY --enc-filenames source/ dest/
# Exclude certain files
turbocrypt encrypt --key KEY --exclude "*.log" --exclude ".git/" source/ dest/
# Use context for key derivation
turbocrypt encrypt --key KEY --context "project-x" source/ dest/
# Add .enc suffix automatically
turbocrypt encrypt --key KEY --enc-suffix source/ dest/
# Custom thread count
turbocrypt encrypt --key KEY --threads 16 source/ dest/

# Basic decryption
turbocrypt decrypt --key KEY source dest
# Decrypt in place
turbocrypt decrypt --key KEY --in-place encrypted/
# Decrypt with context (must match encryption context)
turbocrypt decrypt --key KEY --context "project-x" encrypted/ decrypted/
# Remove .enc suffix automatically
turbocrypt decrypt --key KEY --enc-suffix encrypted/ decrypted/

# Verify file integrity (full verification)
turbocrypt verify --key KEY encrypted-file.enc
# Verify directory (full verification)
turbocrypt verify --key KEY encrypted-directory/
# Quick verification (only checks key correctness, not data integrity)
turbocrypt verify --quick --key KEY encrypted-directory/
# Quick verification with context
turbocrypt verify --quick --key KEY --context "project-x" encrypted/

# View current settings
turbocrypt config show
# Set default key
turbocrypt config set-key path/to/key
# Set thread count
turbocrypt config set-threads 8
# Set buffer size (in bytes)
turbocrypt config set-buffer-size 8388608
# Manage exclude patterns
turbocrypt config add-exclude "*.tmp"
turbocrypt config remove-exclude "*.tmp"
# Set symlink behavior
turbocrypt config set-ignore-symlinks true

# Run benchmarks
turbocrypt bench

Options available for most commands:
- --key <path> - Path to key file (required unless set in config)
- --password - Prompt for password (for password-protected keys)
- --context <string> - Context string for key derivation (creates independent key namespace)
- --threads <n> - Number of parallel threads (default: CPU count, max 64)
- --in-place - Overwrite source files instead of creating new ones
- --enc-filenames - Encrypt filenames (cannot be used with --in-place)
- --enc-suffix - Add/remove .enc suffix automatically
- --exclude <pattern> - Skip files matching pattern (can use multiple times)
- --ignore-symlinks - Skip symbolic links
- --quick - (verify only) Only check header MAC, skip full verification - faster but doesn't verify data integrity
- --force - Overwrite existing files without asking
- --buffer-size <bytes> - Set I/O buffer size (default: 4MB)
Encrypted files can be freely moved between directories and renamed. The encryption intentionally does not depend on the file's path, filename, or parent directories. This means you can reorganize and rename your encrypted files however you like without needing to re-encrypt them.
When using --enc-filenames:
- Each path component (directory or filename) is encrypted separately
- Encoded with base91 to ensure filesystem compatibility
- Preserves directory structure (you still see folders, just with encrypted names)
TurboCrypt stores your settings in a JSON configuration file:
- macOS: ~/Library/Application Support/turbocrypt/config.json
- Linux: ~/.local/share/turbocrypt/config.json
- Windows: %LOCALAPPDATA%\turbocrypt\config.json
The config file is created with restricted permissions (owner read/write only) to protect your key if you choose to store it there.
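One way to check that the files holding your key still have owner-only permissions after a restore or copy, as an added Python example that is not part of turbocrypt. It assumes POSIX mode bits (Windows ACLs are not inspected), uses the config locations listed above and the TURBOCRYPT_KEY_FILE variable, and does not read the config's contents; the function names are hypothetical.

```python
import os
import stat
import sys

def config_path(platform: str = sys.platform, env=os.environ) -> str:
    """Config file location for each OS, as listed above."""
    home = env.get("HOME", "")
    if platform == "darwin":
        return home + "/Library/Application Support/turbocrypt/config.json"
    if platform.startswith("win"):
        return env.get("LOCALAPPDATA", "") + "\\turbocrypt\\config.json"
    return home + "/.local/share/turbocrypt/config.json"

def audit(path: str) -> list:
    """Findings for one key-bearing file, using POSIX mode bits (not Windows ACLs)."""
    try:
        st = os.stat(path)                       # follows symlinks to the real file
    except FileNotFoundError:
        return []
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & 0o077:
        findings.append("accessible beyond owner: mode %04o" % stat.S_IMODE(st.st_mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by another user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & 0o022:                   # others could replace the file
        findings.append("parent directory writable by group/other")
    return findings

def audit_all(env=os.environ, platform: str = sys.platform) -> dict:
    """Audit the config file and, if set, the TURBOCRYPT_KEY_FILE target."""
    paths = [config_path(platform, env)]
    if env.get("TURBOCRYPT_KEY_FILE"):
        paths.append(os.path.expanduser(env["TURBOCRYPT_KEY_FILE"]))
    return {p: audit(p) for p in paths}

if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```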
Settings are applied in this order (highest priority first):
- Command-line flags (e.g., --key, --threads)
- Environment variables (TURBOCRYPT_KEY_FILE)
- Configuration file settings
- Generate strong keys: Always use turbocrypt keygen - don't create keys manually
- Keep backups: Store a copy of your key in a safe, separate location
- Use password protection: For keys stored on your computer, consider --password
- Never share keys: Each person should have their own key, or use password-protected keys with different passwords for additional security
- Test first: Try encrypting/decrypting a small test directory before processing important data
- Verify after transfer: Use turbocrypt verify to check files after copying or uploading them
- Keep originals: Don't delete unencrypted files until you've verified the encrypted versions
- Exclude unnecessary files: Use --exclude to skip cache, logs, and other regenerable files
- Adjust threads for directories: Use --threads based on your CPU core count and disk features
- Larger buffers for huge files: Try --buffer-size 16777216 (16MB) for very large files
- Exclude unnecessary files: Using exclude patterns is faster than encrypting files and deleting them later
This error means either:
- You're using the wrong key file
- You're using the wrong context (or missing a required context)
- The file wasn't encrypted with TurboCrypt
- The file header is corrupted
Double-check you're using the same key and context that were used to encrypt the file.
The file has been modified or corrupted after encryption. TurboCrypt detected tampering and refused to decrypt. This is a security feature - the file may have been altered maliciously or damaged during storage/transfer.
On some systems, memory-mapped I/O (used for files >1MB) requires specific permissions. Try running with sudo/administrator privileges, or check that your user has read/write access to both source and destination directories.
- Check if you're using too many threads (--threads 4 is often faster than 32 for small files)
- Ensure your source/destination are on fast storage (SSD vs HDD makes a big difference)
- For many small files, threading overhead can reduce performance - try using --threads 2
Reduce the buffer size: --buffer-size 1048576 (1MB instead of default 4MB)
TURBOCRYPT_KEY_FILE: Path to your key file (overridden by the --key flag)
Example:
export TURBOCRYPT_KEY_FILE=~/.ssh/turbocrypt.key
turbocrypt encrypt source/ dest/ # Uses key from environment