Skip to content
Franco Corbelli edited this page Sep 2, 2023 · 1 revision

Just about everywhere you can enter a password with

 -key password

This option is required for all commands operating on an encrypted archive. When creating a new archive with add, the new archive will be encrypted with password and all subsequent operations will require the same password.

An archive is encrypted with AES-256 in CTR mode. The password is strengthened using Scrypt(SHA-256(password), salt, N=16384, r=8, p=1), which would require 208M operations and 16 MB memory per test in a brute force key search. When creating a new archive, a 32 byte salt is generated using CryptGenRandom() in Windows or from /dev/urandom in Unix/Linux, such that the first byte is different from the normal header of an unencrypted archive (z or 7). A multi-part archive is encrypted with a single keystream as if the parts were concatenated. An index is encrypted with the same password, where the first byte of the salt is modified by XOR with ('z' XOR '7').

Encryption provides secrecy but not authentication. An attacker who knows or can guess any bits of the plaintext can set them without knowing the key.

Hint: better to use a LONG password, instead of a short "strange" one

!Ab1 have a search space of ~8 x 10^7
betterlongthanshort ~ 8 x 10^26

Clone this wiki locally