Picocrypt NG is a compact yet robust encryption tool designed to protect files securely through simplicity and minimalism. It leverages the XChaCha20 cipher for encryption and Argon2id for key derivation, ensuring high security.
Key Features:
Secure file encryption with support for comments (non-sensitive).
User-friendly interface with drag-and-drop functionality.
Password generator for creating strong, cryptographically secure passwords.
Keyfile authentication, allowing multiple keyfiles in a specific order for decryption.
Command-line interface for advanced users and automation.
Audience & Benefit:
Ideal for everyday users seeking straightforward file encryption. It also appeals to technically inclined individuals valuing security and simplicity, offering reliable protection without complexity. Available via winget installation, Picocrypt NG ensures ease of use across platforms.
README
Picocrypt NG (new generation) is a very small (hence Pico), very simple, yet very secure encryption tool that you can use to protect your files. It's designed to be the go-to tool for file encryption, with a focus on security, simplicity, and reliability. Picocrypt NG uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security.
History
Picocrypt NG is a community-developed continuation of the archived Picocrypt project.
The original Picocrypt author does not endorse, develop, nor support Picocrypt NG.
When referencing Picocrypt NG, please always include the "NG" suffix to ensure distinction.
Downloads
ℹ️ You are highly recommended to read through the Features section below to fully understand the features and limitations of Picocrypt NG before using it. ℹ️
Make sure to only download Picocrypt NG from this repository to ensure that you get the authentic and backdoor-free Picocrypt NG. When sharing Picocrypt NG with others, be sure to link to this repository to prevent any confusion.
Windows
Windows 10/11: Download the latest, standalone, and portable executable here.
Windows 7/8 (Legacy Systems): If you're running Windows 7, Windows 8, or systems without OpenGL support, download the Legacy Build instead. This version includes:
Compiled with go-legacy-win7 for Windows 7/8 compatibility
Bundled Mesa3D software OpenGL renderer (no GPU or graphics drivers required)
Keep all files in the extracted folder together
⚠️ Note: The legacy build uses CPU-based software rendering and may be slower than the standard build. Only use it if you're on Windows 7/8 or experiencing graphics-related issues on older systems.
If your antivirus flags Picocrypt NG as a virus, please report it as a false positive to help everyone.
macOS
Download Picocrypt NG here, open the container, and drag Picocrypt NG to your Applications.
Apple Silicon vs Intel: The macOS app is built for Apple Silicon (M1/M2/M3/M4/M5+) only. Intel Mac users need to build from source or use the CLI-only version.
Gatekeeper Warning: macOS may block the app with a "forbidden" icon or "incompatible with this version of macOS" message. This is a Gatekeeper issue (unsigned app), not a compatibility problem. Picocrypt NG supports macOS 10.11+.
To fix, use one of these methods:
Right-click → Open (instead of double-clicking), then confirm
System Settings → Privacy & Security → scroll down → "Open Anyway"
Terminal:xattr -cr /Applications/Picocrypt-NG.app
The CLI-only build doesn't trigger Gatekeeper warnings.
Linux
Download the raw binary here (you may need the packages below). Alternatively, try the .deb or Flatpak.
The Android build is now a native app built from the android/ project in this repository rather than a fyne-cross package. GitHub releases publish a signed release APK, while PR artifacts remain debug/testing-only.
For local Android builds and architecture details, see android/README.md.
CLI
Picocrypt NG includes a command-line interface in this repository; see CLI.md for usage. It can encrypt and decrypt files, folders, and glob patterns, and supports paranoid mode and Reed-Solomon encoding. You can use it on systems that don't have a GUI or can't run the GUI app.
Web
A functionally limited web app is available here which allows you to encrypt and decrypt standard Picocrypt NG volumes (no advanced features or keyfiles) on any modern browser, including mobile devices. It's a simple, future-proof way to securely encrypt files that should work indefinitely due to the web's stable nature. Note that you can only encrypt/decrypt single files up to a maximum size of 512 MiB.
Comparison
Here's how Picocrypt NG compares to other popular encryption tools.
Keep in mind that while Picocrypt NG does most things better than other tools, it's not a one-size-fits-all and doesn't try to be. There are use cases such as full-disk encryption where VeraCrypt and BitLocker would be a better (and the only) choice. So while Picocrypt NG is a great choice for the majority of people doing file encryption, you should still do your own research and use what's best for you.
Features
Picocrypt NG is a very simple tool and most users will intuitively understand how to use it in a few seconds. On a basic level, simply dropping your files, entering a password, and hitting Encrypt is all that's needed to encrypt your files. Dropping the output back into Picocrypt NG, entering the password, and hitting Decrypt is all that's needed to decrypt those files. Pretty simple, right?
While being simple, Picocrypt NG also strives to be powerful in the hands of knowledgeable and advanced users. Thus, there are some additional options that you may use to suit your needs. Read through their descriptions carefully as some of them can be complex to use correctly.
<strong>Password generator</strong>: Picocrypt NG provides a secure password generator that you can use to create cryptographically secure passwords. You can customize the password length, as well as the types of characters to include.
<strong>Comments</strong>: Use this to store <strong>non-sensitive</strong> text along with the volume (<strong>it won't be encrypted</strong> and simply can't be by design). For example, you can put a description of the file you're encrypting before sending it to someone. When the person you sent it to drops the volume into Picocrypt NG, your description will be shown to that person. Or, if you're backing up personal files, you can give a description of the volume's contents so you can quickly remind yourself without having to fully decrypt. Since comments are neither encrypted nor authenticated, it can be freely read and modified by an attacker. <strong>Thus, it should only be used for non-sensitive, informational purposes in trusted environments.</strong>
<strong>Keyfiles</strong>: Picocrypt NG supports the use of keyfiles as an additional form of authentication (or the only form of authentication). Any file can be used as a keyfile, and a secure keyfile generator is provided for convenience. Not only can you use multiple keyfiles, but you can also require the correct order of keyfiles to be present for a successful decryption to occur. A particularly good use case of multiple keyfiles is creating a shared volume, where each person holds a keyfile, and all of them (and their keyfiles) must be present to decrypt the shared volume. By checking the "Require correct order" box and dropping your keyfile in last, you can also ensure that you'll always be the one clicking the Decrypt button. <strong>Use the keyfile generator whenever possible for the best security.</strong>
<strong>Paranoid mode</strong>: Using this mode will encrypt your data with both XChaCha20 and Serpent in a cascade fashion, and use HMAC-SHA3 to authenticate data instead of BLAKE2b. Argon2 parameters will be increased significantly as well. This is recommended for protecting top-secret files and provides the highest level of practical security attainable. For a hacker to break into your encrypted data, both the XChaCha20 cipher and the Serpent cipher must be broken, assuming you've chosen a good password. It's safe to say that in this mode, your files are impossible to crack. Keep in mind, however, that this mode is slower and isn't really necessary unless you're a government agent with classified data or a whistleblower under threat.
<strong>Reed-Solomon</strong>: This feature is very useful if you are planning to archive important data on a cloud provider or external medium for a long time. If checked, Picocrypt NG will use the Reed-Solomon error correction code to add 8 extra bytes for every 128 bytes of data to prevent file corruption. This means that up to ~3% of your file can corrupt and Picocrypt NG will still be able to correct the errors and decrypt your files with no corruption. Of course, if your file corrupts very badly (e.g., you dropped your hard drive), Picocrypt NG won't be able to fully recover your files, but it will try its best to recover what it can. Note that this option will slow down encryption and decryption speeds significantly.
<strong>Force decrypt</strong>: Picocrypt NG automatically checks for file integrity upon decryption. If the file has been modified or is corrupted, Picocrypt NG will automatically delete the output for the user's safety. If you would like to override these safeguards, check this option. Also, if this option is checked and the Reed-Solomon feature was used on the encrypted volume, Picocrypt NG will attempt to recover as much of the file as possible during decryption.
<strong>Split into chunks</strong>: Don't feel like dealing with gargantuan files? No worries! With Picocrypt NG, you can choose to split your output file into custom-sized chunks, so large files can become more manageable and easier to upload to cloud providers. Simply choose a unit (KiB, MiB, GiB, or TiB) and enter your desired chunk size for that unit. To decrypt the chunks, simply drag one of them into Picocrypt NG and the chunks will be automatically recombined during decryption.
<strong>Compress files</strong>: By default, Picocrypt NG uses a zip file with no compression to quickly merge files together when encrypting multiple files. If you would like to compress these files, however, simply check this box and the standard Deflate compression algorithm will be applied during encryption.
<strong>Deniability</strong>: Picocrypt NG volumes typically follow an easily recognizable header format. However, if you want to hide the fact that you are encrypting your files, enabling this option will provide you with plausible deniability. The output volume will indistinguishable from a stream of random bytes, and no one can prove it is a volume without the correct password. This can be useful in an authoritarian country where the only way to transport your files safely is if they don't "exist" in the first place. Keep in mind that this mode slows down encryption and decryption speeds, requires you to manually rename the volume afterward, renders comments useless, and also voids the extra security precautions of the paranoid mode, so you should only use it if absolutely necessary. <strong>If you've never heard of plausible deniability, this feature is not for you.</strong>
<strong>Recursively</strong>: If you want to encrypt and/or decrypt a large set of files individually, this option will tell Picocrypt NG to go through every recursive file that you drop in and encrypt/decrypt it separately. This is useful, for example, if you are encrypting thousands of large documents and want to be able to decrypt any one of them in particular without having to download and decrypt the entire set of documents. <strong>Keep in mind that this is a very complex feature that should only be used if you know what you are doing.</strong>
Security
For more information on how Picocrypt NG handles cryptography, see Internals for the technical details.
Picocrypt NG operates under the assumption that the host machine it is running on is safe and trusted. If that is not the case, no piece of software will be secure, and you will have much bigger problems to worry about. As such, Picocrypt NG is designed for the offline security of volumes and does not attempt to protect against side-channel analysis.
FAQ
Does the "Delete files" feature shred files?
No, it doesn't shred any files and just deletes them as your file manager would. On modern storage mediums like SSDs, there is no such thing as shredding a file since wear leveling makes it impossible to overwrite a particular sector. Thus, to prevent giving users a false sense of security, Picocrypt NG doesn't include any shredding features at all.
Is Picocrypt NG quantum-secure?
Yes, Picocrypt NG is secure against quantum computers. All of the cryptography used in Picocrypt NG works off of a private key, and private-key cryptography is considered to be resistant against all current and future developments, including quantum computers.
Acknowledgements
Thank you to the significant contributors on Open Collective who helped secure the original Picocrypt project's audit:
