eddy is a simple and fast CLI file encryption tool. It features concurrent file processing while ensuring data authenticity and plausible deniability. It is also capable of generating secure passphrases.
encrypt, enc, e - encrypt provided files.
decrypt, dec, d - decrypt provided files.
generate, gen, g - generate a passphrase.
--output, -o - specify output directory.
--passgenlen, -g - specify generated passphrase length (6 is the minimum). Ignored in decryption mode.
--overwrite, -w - enable overwrite existing files.
--no-emoji, -n - disable emojis and color in output.
--force - force decrypt. Bypasses file authentication and, inherently, the password check. Useful if the encrypted file is corrupt (damaged) but you still want to decrypt it.
--unsafe-password - replace interactive password prompt with the provided value. Intended for scripts/automation and reading password from environment variables. The "unsafe" prefix here is to indicate that the provided value will likely stay in the shell command history which is not safe.
# encrypt a text file
eddy e secret.txt
# encrypt multiple files in parallel
eddy e secret.txt secret2.png secret3.mp4
# encrypt a text file using a random 8-word passphrase
eddy -g 8 enc secret.txt
# encrypt while overwriting output files (here it would be 'secret.txt.eddy')
eddy --overwrite encrypt secret.txt
# decrypt a file and put it into Documents folder
eddy -wo ./Documents dec secret.txt.eddy
# encrypt two files and put them both into the current folder
# using the password 'supeR-$ecr3t'
# without using any color or emojis in the output
eddy --unsafe-password "supeR-$ecr3t" --no-emoji -o . enc "D:/stuff/secret.txt" secret2.txt
# generate a 10-word passphrase without any en/decryption
eddy gen 10
The following install options are available:
Prebuilt binaries are available for Windows, Linux, and macOS (both x86 and ARM): download the latest release from the releases page for the desired OS.
If you have Go installed, the simplest way to get eddy is to run:
go install github.com/70sh1/eddy@latestIf you are on Linux and using this method with the default Go installation parameters, make sure that go bin path is added to your PATH environment variable: e.g.
export PATH=$PATH:$HOME/go/bin
eddy is available as a part of 70sh1's scoop bucket. To install, you first need to add the bucket:
scoop bucket add jug https://github.com/70sh1/jug
After that, run:
scoop install eddy
Alternatively, if you don't want to add the bucket, you can run this:
scoop install https://raw.githubusercontent.com/70sh1/jug/refs/heads/master/bucket/eddy.json
eddy is available as a package in the AUR. You can install it using an AUR helper (e.g. yay):
yay -S eddy
If no password (empty one) was provided during encryption (this includes lack of --unsafe-password flag and leaving interactive password prompt empty), eddy will generate and use a secure passphrase (length of 6 words by default). The length can be adjusted using --passgenlen (-g) flag. Additionally, if the -g flag is provided, the password prompt will be skipped automatically. The passphrase is generated using cryptohraphically secure PRNG provided by the OS and EFF's long wordlist. The generate command is also available for standalone generation.
You can read more about passphrases here.
- eddy doesn't delete input files.
- eddy doesn't preserve file timestamps (creation date and date modified).
- eddy doesn't use any methods to increase the resilience of a file, such as error correction code. Therefore, regular backups of important files are recommended.
- The maximum file size is 256 GiB.
- It is safe to rename any files that are encrypted with eddy. This means that decryption does not require
.eddyin the file name.
eddy leverages ChaCha20 for encryption paired with keyed BLAKE2b for data authentication (MAC). The scrypt KDF is used for producing keys. You can read more about the internals in the spec file.
urfave/cli - CLI framework.
cheggaaa/pb - Progress bars.