Hands-on: miniLock's powerful file encryption is dead simple to use
The creator of Cryptocat, Nadim Kobeissi, is back with another easy-to-use encryption tool. This time it's a Chrome app that aims to make it easy to create and share single encrypted files with others. Called miniLock, the app is freely available on the Chrome Web Store.
Like most encryption tools, miniLock is built on public key cryptography: you hand out your public key, anyone who has it can encrypt a file to you, and only the matching private key, which never leaves your side, can open it. Where miniLock differs from many encryption tools, which are often difficult to use, is in how little of that machinery it exposes; it takes away most of the pain typically associated with encryption software.
The public key itself, dubbed your miniLock ID, is short by public-key standards at around 45 characters, short enough to fit in a tweet, as the miniLock site points out. It is still too long to memorize, but it needs no protecting: the ID is public by design, and because miniLock derives it from your email address and passphrase each time you sign in, you can always regenerate it. Keeping a copy in a password manager such as LastPass or KeePass is simply a convenience for pasting it to other people.
For key exchange, miniLock uses Curve25519 elliptic curve cryptography, the same curve used in Kobeissi's Cryptocat; Curve25519 handles the key agreement between sender and recipients, and the file contents themselves are encrypted under a per-file symmetric key. The weak point of an encryption tool, however, is rarely the strength of its primitives but how carefully they are implemented and how keys are handled around them.
On the miniLock site you can find a recent miniLock security audit by penetration testing firm Cure53. The report gives miniLock a clean bill of health, stating that "MiniLock is a one-purpose app offering this one particular feature [encryption] and appears to be doing that as well as possible...The code is soundly and neatly written, well structured, minimal and therefore offers no sinks for direct exploitation."
That is a single report, however, and others will no doubt sink their teeth into miniLock looking for flaws. Judging the quality of the cryptography is beyond the scope of this article, but new cryptographic software is best given time to be picked over: for now, miniLock may not be the right choice for anyone encrypting documents in a high-stakes environment (political oppression, corporate secrecy). It is definitely worth keeping tabs on to see what the security community makes of it.
For anyone that wants to dive in right away, here's a quick hands-on with miniLock on a Windows 8.1 PC.
Generating your ID
To get started, visit the Chrome Web Store and install miniLock as you would any other Chrome app. Once it's installed you can either launch it right from the Chrome Web Store or the Chrome App Launcher in your taskbar, if you've installed that.
When it starts up, miniLock asks you to sign in with an email address and a passphrase. It derives your private key, and from that your miniLock ID, from those two values alone, which takes only a second or two. Two consequences follow: the same email and passphrase produce the same ID on any machine, so there is no key file to back up or transfer, and anyone who guesses both has your private key, so the passphrase carries the entire security of the scheme.
In my tests, miniLock was picky about passphrases. I tried a 10-character randomly generated passphrase with capital and lowercase letters, numbers, and special characters. That is a solid password by most standards, roughly 60 to 65 bits of entropy, but miniLock rejected it. The app estimates passphrase strength with the zxcvbn library and demands about 100 bits, because anyone who knows your email address and your public ID can test passphrase guesses offline at leisure; a strong key derivation function slows such guessing down but cannot make up for missing entropy.
Instead, the app suggested one of its auto-generated passphrases, a series of random dictionary words. Random words chosen by a machine are easier to remember than random characters and, given enough of them, carry more entropy. I used one of the series miniLock generated, but you could write your own, provided it is genuinely random and long enough to pass the check. Keep it somewhere safe, in a password manager if you do not trust your memory, because there is no reset or recovery: as with other encryption tools, if you lose the passphrase you lose access to every file ever encrypted to that miniLock ID.
Once you've got your miniLock ID, share it far and wide. That's mine in the picture at the top of this section.
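What happens in those couple of seconds is worth seeing in code. The following is an added example written for this article, not code from the miniLock project: it derives a Curve25519 key pair from an email address and a passphrase and turns the public key into a miniLock-style ID, then shows that a sender holding only a recipient's ID can agree on a shared secret with them. The pipeline (BLAKE2s hash of the passphrase, then scrypt with the email as salt and N = 2^17, r = 8, p = 1, then Base58 of the 32-byte public key followed by a one-byte BLAKE2s checksum) is modelled on my reading of miniLock's open-source code, and the exact parameters should be treated as an assumption to check against the project rather than as a specification. The function names, the X25519 ladder (written out from RFC 7748 so that only Python's standard library is needed) and the example email addresses and passphrase are mine.

```python
"""Added example (not miniLock's own code): email + passphrase -> Curve25519 key pair -> ID.

Assumed miniLock pipeline: BLAKE2s-256(passphrase) -> scrypt(salt=email, N=2^17, r=8, p=1)
-> 32-byte secret key -> public key = X25519(secret, 9) -> ID = Base58(public || BLAKE2s-8(public)).
"""
import hashlib

P = 2**255 - 19                       # field prime for Curve25519
A24 = 121665                          # (486662 - 2) / 4, the ladder constant
BASEPOINT = (9).to_bytes(32, "little")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: returns scalar * u on Curve25519 (32 bytes, little-endian)."""
    k = bytearray(scalar)
    k[0] &= 248                       # clamp the scalar as the RFC prescribes
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap (not constant-time; illustration only)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def base58_encode(data: bytes) -> str:
    """Bitcoin-style Base58: big-endian integer, leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\0"))
    return "1" * pad + out


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)    # raises ValueError on a character outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\0" * pad + body


def derive_keypair(email: str, passphrase: str, log_n: int = 17):
    """Email + passphrase -> (secret key, public key). Same inputs always give the same pair."""
    pw = hashlib.blake2s(passphrase.encode("utf-8"), digest_size=32).digest()
    # N = 2^17 with r = 8 needs about 128 MB; maxmem must allow it (assumed miniLock parameters)
    secret = hashlib.scrypt(pw, salt=email.encode("utf-8"), n=1 << log_n, r=8, p=1,
                            dklen=32, maxmem=1 << 28)
    return secret, x25519(secret, BASEPOINT)


def minilock_id(public_key: bytes) -> str:
    """Public key plus a one-byte BLAKE2s checksum, Base58-encoded: 44 to 46 characters."""
    check = hashlib.blake2s(public_key, digest_size=1).digest()
    return base58_encode(public_key + check)


def parse_minilock_id(text: str) -> bytes:
    """Recover the public key, rejecting IDs that were mistyped or truncated in transit."""
    raw = base58_decode(text)
    if len(raw) != 33:
        raise ValueError("miniLock ID must decode to 33 bytes")
    pub, check = raw[:32], raw[32:]
    if hashlib.blake2s(pub, digest_size=1).digest() != check:
        raise ValueError("miniLock ID checksum mismatch")
    return pub


def shared_secret(my_secret: bytes, their_id: str) -> bytes:
    """Curve25519 agreement: what a sender can compute from nothing but a recipient's ID."""
    return x25519(my_secret, parse_minilock_id(their_id))


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (Alice's key pair) checks the ladder above
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    assert x25519(alice, BASEPOINT).hex() == \
        "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    # constructed sign-in details, not real accounts
    sk, pk = derive_keypair("alice@example.com", "correct horse battery staple")
    print(minilock_id(pk))
```

Two things to notice when running it. Deriving Alice's and Bob's keys with the same passphrase but different email addresses gives different IDs, because the email is the scrypt salt; that is also why the sign-in form asks for both. And a single wrong character in a pasted ID is caught by the checksum byte before any encryption happens, which is the kind of check a tool aimed at non-experts needs, since a file encrypted to a mistyped ID is encrypted to nobody.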
Now that you have your own ID set up, let's encrypt a file to see how it works. It should go without saying, but keep an unencrypted copy of the test file in case something goes wrong.
To choose a file, either tap the file drop area in the miniLock window or drag a file from File Explorer and drop it in the miniLock window. Once it gets a file to encrypt, you'll see the miniLock window flip around and reveal space for entering up to four miniLock IDs.
By default, your miniLock ID will be at the top, as you are the person encrypting the file.
Below that, you can add up to three more recipients, assuming you have their miniLock IDs. If you want the file readable by one person only and not by yourself, press the "X" to the far right of your miniLock ID to remove your key; bear in mind that you will then be unable to open the resulting file either, so keep the plaintext if you still need it.
Underneath the file name there is also an option to have miniLock give the encrypted file a random name, which keeps the original file name from anyone who sees the file in transit.
Once the IDs for every recipient are in place, tap the arrow at the bottom of the window to encrypt. Depending on the size of the file, it could take a few seconds or a few minutes to finish.
After it's done, the app will say "Your encrypted file is ready" in small letters below the file name. Next, click on the file name to save the file to your PC via Chrome's downloads manager.
Now that you have an encrypted file, you can send it to the intended recipients by any channel you like: email, instant messaging, USB key, Facebook, whatever is handy. The contents are protected regardless of the channel; what the channel still sees is that you sent a file of a certain size to a certain person at a certain time.
Decrypting a file is even easier than encrypting one. Receive your miniLock-encrypted file by email (or whatever), download it somewhere on your PC, and drop it into the miniLock window. As long as you are signed in with the email address and passphrase behind one of the IDs the file was encrypted to, miniLock decrypts it automatically. Then you can save it to your PC the same way you saved the encrypted file.
That's about all there is to miniLock. The one drawback some people will find is that you have to sign in every time you open the app; miniLock does not save your login across sessions.
That is almost certainly deliberate: keeping the derived key only in memory for the session, and nothing on disk, means there is no stored key for someone who later gets hold of your machine to extract. The cost is retyping your passphrase each time, which some will find tedious.
Overall, miniLock is incredibly easy to use, and its workflow should be a template for encryption tools aimed at the average user. As for the quality of the cryptography itself, we offer no judgment here, but I'm certain others will address that topic soon.