| ❗ | This project is part of the FadSec Lab suite. Discover our focus on ad-free, privacy-first applications and stay updated on future releases! |
|---|
Advanced and elegant cross-platform encryption tool – files, folders, and applications all protected with military-grade AES-256-GCM encryption. Open-source, completely free, no telemetry!
FadCrypt is a comprehensive dual-mode security solution that protects both your files and your applications:
Protect your installed applications (Firefox, Chrome, Brave, VS Code, etc.) with encrypted password locks. Once locked, the app cannot be launched without your master password. FadCrypt continuously monitors your system in the background and:
- Scans for running processes matching your protected applications (e.g., firefox.exe, chrome.exe, brave.exe)
- Terminates processes instantly if an app is launched without permission
- Auto-locks after inactivity: Once you unlock an app and provide the correct password, it stays unlocked for 10 seconds of inactivity, then automatically re-locks for security
- Logs all access attempts and lock/unlock events for your activity dashboard
Encrypt and lock sensitive files and folders using military-grade AES-256-GCM encryption. All data is encrypted before storage:
- Encryption Process: Master password → PBKDF2 key derivation (100,000 iterations) → AES-256-GCM encryption →
.fadcryptfile - Decryption Process: Provide password → Derive key from stored salt → Verify authentication tag → Decrypt data → Restore original file
- File Protection: Windows uses ACL (Access Control Lists), Linux uses chmod + immutability flags
- Perfect for protecting documents, photos, archives, source code, and other sensitive data
Key Highlights:
- Cross-Platform: Windows and Linux desktop platforms with unified CLI and separate optimized GUIs
- Military-Grade Encryption: AES-256-GCM with PBKDF2 key derivation (100,000 iterations)
- Fully Encrypted: Configuration, passwords, and recovery codes are all encrypted
-
- No External Dependencies: Open-source and completely free with no cloud sync or telemetry
Expand Table of Contents
 Home Tab - Dashboard with overview |
 Applications Tab - Lock and manage apps/software |
 Files & Folders Tab - View encrypted files |
 Activity Tab - Track events and access |
 Settings Tab - Recovery codes & preferences |
 Context Menu - Right-click lock/unlock *(Windows)* |
 Config Tab - Application configuration |
 Statistics Window - Activity & uptime |
 FadGuide Tab 1 - Interactive tutorial |
 FadGuide Tab 2 - More information |
 Password Dialog - Secure entry prompt |
 Password Fullscreen - With wallpaper |
 README Info - Documentation display |
 Password Recovery - Recovery codes |
 Snake Game - Entertainment feature on home tab |
|
 Main Menu - Terminal UI with animations |
 Lock Screen - Select files to encrypt |
 Password Prompt - Secure entry |
 Lock Confirmation - Review & confirm |
 Locked Items List - View encrypted files |
 Unlock Screen - Decrypt files |
📚 Technical Deep Dive (Click to expand)
Encryption Process:
- You provide a file/folder path and your master password via the CLI (
fadcrypt --lock <path>) - FadCrypt derives a unique encryption key from your password using PBKDF2-SHA256 (100,000 iterations)
- The file content is encrypted using AES-256-GCM (authenticated encryption)
- The encrypted data is written to a new
.fadcryptfile with metadata and authentication tag - Original file is securely overwritten and deleted
- File protection rules are applied (Windows ACL or Linux chmod/chattr) to prevent unauthorized access
Decryption Process:
- You run
fadcrypt --unlock <path.fadcrypt>and provide your master password - FadCrypt derives the same encryption key from your password using the stored salt
- The authentication tag is verified to ensure file integrity and authenticity
- AES-256-GCM decrypts the file content back to its original form
- The decrypted data is written back to the original file
- The
.fadcryptfile is deleted after successful decryption - File protection is removed, returning full access to the decrypted file
File Format (.fadcrypt):
- Header: Custom format identifier and version
- Metadata: Original filename, file size, timestamps
- Salt: Random salt for PBKDF2 key derivation (unique per file)
- IV: Initialization vector for AES-256-GCM
- Encrypted Data: Actual file content encrypted with AES-256-GCM
- Auth Tag: GCM authentication tag for integrity verification
Lock Process:
- Select applications from your system in the GUI interface (e.g., Firefox, Chrome, Brave, VS Code)
- FadCrypt registers these applications in its configuration database (stored in plain JSON for easy access by the GUI)
- Process Monitoring: FadCrypt scans system processes in real-time to detect if any registered app is launched
- For browsers: Detects Firefox, Chrome, Brave, Edge, and other Chromium-based browsers by scanning process names and command lines
- For standard apps: Matches by executable path and process name
- System processes are filtered out to prevent accidental termination
- Process Termination: When a protected app is detected running:
- The app process is immediately terminated (killed) and cannot execute
- User sees a lock notification with a password prompt
- The app remains locked until password is verified
Unlock & Session Timeout Process:
- User runs the protected app → FadCrypt detects the launch attempt
- Password dialog appears; user must enter the master password
- Session Grant: If password is correct, the app is temporarily unlocked
- Auto-Lock on Inactivity: The app stays unlocked for 10 seconds with no activity
- Re-lock: After 10 seconds of inactivity, FadCrypt automatically re-locks the app
- On next launch attempt, password is required again
- Note: Session timeout is based on inactivity of the process; actual app usage continues normally
1. Encryption Algorithm: AES-256-GCM
- Security Level: 256-bit keys providing military-grade encryption resistant to all known attacks
- Authentication: GCM (Galois/Counter Mode) provides authenticated encryption with built-in integrity checking
- Every decryption attempt verifies the authentication tag
- Tampering detection: If file is modified, decryption fails and returns error
- Cannot decrypt without the exact original password
2. Key Derivation: PBKDF2-SHA256
- Iterations: 100,000 iterations (slow-by-design to prevent brute-force attacks)
- Process: Your master password → PBKDF2-SHA256 (100K iterations) + random salt → 256-bit key
- Purpose: Converts human-readable password into cryptographic key
- Rainbow Table Prevention: Unique salt per file/config prevents pre-computed hash attacks
- Computational Cost: Even with modern GPUs, brute-forcing a strong password would take centuries
3. Encryption Process (CLI Mode - File/Folder):
- User selects file/folder and provides master password via CLI (
fadcrypt --lock <path>) - Random salt is generated and stored in file header
- Master password + salt → PBKDF2 derives 256-bit encryption key
- File content is read into memory
- AES-256-GCM encrypts file content with the derived key
- Authentication tag is computed (ensures data integrity)
- New
.fadcryptfile created with:- Header: Format identifier and version info
- Metadata: Original filename, file size, timestamps
- Salt: Random salt for this file (unique per file)
- IV (Initialization Vector): Random nonce for AES-GCM
- Encrypted Data: The encrypted file content
- Auth Tag: GCM authentication tag for integrity verification
- Original file is securely overwritten with random data and deleted
- File protection rules applied (Windows ACL or Linux chmod/chattr)
4. Decryption Process (CLI Mode - File/Folder):
- User runs
fadcrypt --unlock <path.fadcrypt>and provides master password .fadcryptfile is read and parsed:- Salt is extracted from file
- IV is extracted from file
- Encrypted data is extracted
- Auth tag is extracted
- Master password + extracted salt → PBKDF2 derives the same 256-bit key
- AES-256-GCM decryption:
- Verifies authentication tag first (aborts if tampering detected)
- Decrypts data using derived key and IV
- Returns original file content
- Decrypted content written back to original filename
.fadcryptfile deleted- File protection removed (original permissions restored)
- Lock event logged to activity history
5. Data Integrity & Atomicity:
- Atomic Operations: Temporary file pattern + atomic move (no partial writes on failure)
- Rollback on Error: If encryption/decryption fails at any step, original file unchanged
- Verification: Authentication tag ensures no tampering or corruption
- No Plaintext on Disk: Original plaintext never remains on disk after encryption
6. Configuration Storage (Both Modes):
- Windows:
- Config:
%APPDATA%\FadCrypt\config\apps_config.json(plain JSON, readable by GUI) - Password:
encrypted_password.bin(AES-256 encrypted master password) - Backup:
C:\ProgramData\FadCrypt\Backup\(encrypted backups)
- Config:
- Linux:
- Config:
~/.config/FadCrypt/config/apps_config.json(plain JSON, readable by GUI) - Password:
~/.config/FadCrypt/encrypted_password.bin(AES-256 encrypted master password) - Backup:
~/.local/share/FadCrypt/Backup\(encrypted backups)
- Config:
- File Protection: ACL (Access Control List) via
icaclscommand- Backs up original ACLs before locking
- Denies all access to locked files/folders
- Restores ACLs atomically on unlock
- Elevation / Service: Windows service installed by the Inno Setup installer (service is the recommended elevation mechanism)
- Autostart: Windows Registry (
HKCU\Software\Microsoft\Windows\CurrentVersion\Run) - Installation: Inno Setup installer with context menu integration
- File Protection: Permission-based via
chmod+ immutability flags viachattr- Backs up original permissions before locking
- Sets
chmod 000to deny all access - Sets
chattr +ito make files immutable (requires root) - Restores permissions atomically on unlock
- Elevation: Root daemon service with Unix socket communication
fadcrypt-elevated.service(systemd service)- Seamless root operations via socket IPC
- No password prompts during normal operation
- Autostart:
.desktopfile in~/.config/autostart/ - Installation: Debian package (
.deb) with automatic daemon setup
# Lock files/folders (requires master password)
fadcrypt --lock ./file.txt ./folder/
# Unlock files/folders (requires master password)
fadcrypt --unlock ./file.txt ./folder/
# List locked items
fadcrypt --list
# Start TUI (interactive menu)
fadcrypt
# Start GUI application
fadcrypt --gui
# Auto-monitor mode (startup daemon)
fadcrypt --auto-monitor- Master Password: Securely encrypted using PBKDF2 key derivation
- Recovery Codes: Generate 10 one-time recovery codes for password reset
- Stored encrypted in
recovery_codes.json - Each code can be used once; remaining codes stay valid until used or until you choose to regenerate a fresh set
- Stored encrypted in
- Password Reset: Use recovery code to set new master password
- Cache: Password cached in memory during session for seamless operations
When monitoring (auto-monitor) is enabled:
- Auto-startup: Launches automatically on system boot with the
--auto-monitorflag or via the installed autostart entry - UI-less Auto-Monitor: Runs without showing the GUI when configured (the app continues to operate without a visible window)
- Scope: Real-time monitoring primarily applies to applications managed by FadCrypt (the "Applications" protection features). File and folder locking/encryption is performed manually via the CLI or context menu (Windows) and is not automatically recovered by the monitor.
- Statistics & Logs: Activity logs and statistics are stored locally for the user's dashboard only; no external telemetry is collected.
- Password Security: Monitoring control requires the master password to stop or alter protection settings
Mutex Protection: Single instance enforcement prevents multiple instances
Monitoring Control: When monitoring is active, control operations that stop monitoring or alter protection require the master password.
Optional System Tool Lockdown: (User-configurable) Prevent access to certain system tools while protection is active.
- Windows: Task Manager, Registry Editor, Command Prompt, Control Panel, msconfig
- Linux: Terminal emulators (gnome-terminal, konsole, xterm), system monitors (htop, top, gnome-system-monitor)
Config Protection: Critical config files are backed up and protected; the daemon manages file immutability and restoration where applicable.
When you first run FadCrypt:
- Password Creation: Set a strong master password
- Recovery Codes: Generate 10 emergency recovery codes and store them securely
- Configuration: Choose preferences (UI theme, dialog style, etc.)
- Ready: FadCrypt is now ready to lock files/folders
If you forget your password:
- Use one of the recovery codes to set a new password
- Each recovery code is single-use; other codes remain valid until used or until you regenerate a fresh set
Download the latest version from the releases page:
- Download: Get the installer from Releases
- Install: Run
FadCryptSetup_vX.X.X.exeand follow the wizard - Run:
- Search "FadCrypt" in Start menu and launch, or
- Run
fadcryptfrom terminal
- Context Menu: Right-click files/folders to lock/unlock directly
-
Download & Install: Get
.debfrom Releases, then:sudo apt install ./fadcrypt_X.Y.Z_amd64.deb
- The daemon service installs and enables automatically
-
Run:
- Search "FadCrypt" in app menu, or
- Run
fadcryptfrom terminal
-
First Setup: Set master password and generate recovery codes
ℹ️ Linux-Specific Details
Daemon Service:
- Name:
fadcrypt-elevated.service - Check status:
systemctl status fadcrypt-elevated.service - View logs:
journalctl -u fadcrypt-elevated.service -f - Start:
sudo systemctl start fadcrypt-elevated.service - Stop:
sudo systemctl stop fadcrypt-elevated.service
File Operations:
- Lock: Uses
chmod 000+chattr +i(daemon-managed) - Unlock: Restores original permissions
- Logs:
~/.config/FadCrypt/logs/
Socket Communication:
- Client-daemon via Unix socket:
/run/fadcrypt/elevated.sock - Auto-retry on connection failure
- Timeout: 30 seconds per operation
✅ Application Locking | ✅ File Encryption | ✅ Recovery Codes | ✅ Real-time Protection | ✅ Auto-Startup | ✅ Cross-Platform
📋 Full Feature List (Click to expand)
- Application Locking: Secure apps with encrypted password protection; password cannot be recovered if lost and tool cannot be stopped without it.
- Real-time File Protection: Detects and auto-recovers critical files/folders if deleted or modified.
- Recovery Codes: Generate and use recovery codes to reset forgotten password securely (non-bypassable, one-time use).
- Auto-Startup Monitoring: Automatically starts monitoring on system boot with seamless initialization.
- Statistics & Activity Logging: Detailed monitoring statistics with activity history and duration tracking.
- Customizable UI: Choose password dialog styles, UI themes, and system tray integration.
- Cross-Platform: Works on both Windows and Linux with platform-specific features.
- Snake Game: Classic arcade Snake game available on home tab for entertainment.
- System Tray Integration: Quick access from system tray with minimize/restore functionality.
- Auto-Recovery: Crashes are detected and monitored files are recovered automatically on next startup.
- Encrypted Storage: All passwords and configuration data encrypted using industry-standard cryptography
- Single Instance Enforcement: Only one FadCrypt instance can run at a time to prevent bypass attempts
- Password-Secured Monitoring Control: Requires master password to stop or alter protection settings
- Optional System Tools Disabled: Prevent access to Task Manager, Registry Editor, Command Prompt, etc. (configurable)
- File Immutability & Elevation: Windows Service or Linux daemon for seamless elevated operations
- Root Daemon:
fadcrypt-elevated.serviceruns as systemd service with full root privileges - Unix Socket Communication: Secure IPC between GUI and daemon
- Capabilities: File protection (chattr), permissions (chmod), backup restoration, kernel monitoring (fanotify)
- Installation: Automatically configured with .deb package
FadCrypt provides a complete CLI interface for automation and scripting on both platforms:
# Lock a file or folder
fadcrypt --lock ./sensitive_file.txt
fadcrypt --lock /path/to/folder1 /path/to/folder2
# Unlock files/folders
fadcrypt --unlock ./sensitive_file.txt
fadcrypt --unlock /path/to/folder1 /path/to/folder2
# Note: You can also unlock using the encrypted .fadcrypt filename; it will be mapped to the same file
fadcrypt --unlock ./sensitive_file.txt.fadcrypt
# List all locked items with details
fadcrypt --list
# Start interactive TUI (Text User Interface)
fadcrypt
# Start GUI application
fadcrypt --gui
# Auto-monitor mode (runs at startup)
fadcrypt --auto-monitor
# Show version information
fadcrypt --version
# Show help
fadcrypt --help
# Enable verbose logging (shows all operations)
fadcrypt --lock ./file.txt --verbose⚙️ CLI Technical Details (Click to expand)
Cross-Platform Compatibility:
- Identical command syntax on Windows and Linux
- Automatic platform detection for ACL (Windows) or chmod (Linux) operations
- Unified error messages and user feedback
Password Management:
- First run prompts for master password creation
- Subsequent operations require password authentication
- Recovery code support for password resets
- Password caching during session to prevent repeated prompts
Encryption Features:
- Files: AES-256-GCM stream encryption
- Folders: Tar archive + AES-256-GCM encryption (preserves structure)
- Metadata: Automatic hash verification and integrity checks
- Atomic Operations: Safe temporary file handling with automatic rollback on errors
Error Handling:
- Detailed error messages for troubleshooting
- Prevents locking of system paths
- Detects already-locked items and prevents double-locking
- Automatic recovery on interrupted operations
By default, FadCrypt applies full tamper-proof protection to all encrypted files, preventing them from being copied, moved, edited, or deleted until they are decrypted.
Control Tamper-Proof Behavior:
You can enable or disable tamper-proof protections using simple toggle flags:
# TURN OFF (Disable tamper-proof) - files become moveable and copyable
fadcrypt --0 file.txt
# or
fadcrypt --off file.txt
# TURN ON (Enable tamper-proof) - restore full protection
fadcrypt --1 TestFolder
# or
fadcrypt --on TestFolderWhat the Flags Do:
| Flag | Behavior | Files Can Be... |
|---|---|---|
--0 or --off |
Disable protections | Moved, Copied, Deleted (but still encrypted) |
--1 or --on |
Enable protections (DEFAULT) | Cannot be moved, copied, edited, or deleted |
Important: Works on ANY File!
The --1/--on and --0/--off flags work on any file or folder, not just encrypted ones:
- Use them to make system files, configs, or documents immutable without encryption
- Lighter option than full encryption if you just want protection without decryption overhead
- Perfect for protecting important files you don't want accidentally modified or deleted
- Can toggle protection on/off anytime, on any file type
When to Use Each Mode:
- Tamper-Proof (ON) - Default for maximum security. Use when you want to absolutely prevent unauthorized access or modifications.
- Non-Protected (OFF) - Use when you need flexibility to organize or back up files while keeping them protected.
- Immutable Without Encryption - Use
--1on regular files when you want read-only protection without encryption overhead.
FadCrypt uses AES-256-GCM encryption with efficient streaming I/O and optimized cryptographic operations. Files are encrypted with authentication to ensure data integrity.
| Operation | Size | Time |
|---|---|---|
| Encryption | 250 MB | ~8s |
| Encryption | 500 MB | ~15s |
| Decryption | Any | ~2-3s |
Performance varies based on CPU speed and storage type (SSD/HDD).
Join our Discord server to share ideas, seek help, or connect with other users. Your feedback and contributions are welcome!
We welcome any contributions to improve this project! Whether it's bug fixes or new features, your help is appreciated.
- Discuss First: Before starting work, please discuss your ideas:
- Open an issue to discuss the bug or feature
- Join our Discord server to chat with maintainer and community
- This helps avoid duplicate work and ensures your contribution aligns with project goals
- Check Issues: Browse existing issues to see where you can help.
- Fork the Repo: Once approved, fork the repository to make your changes.
- Submit a PR: Create a pull request with a clear description of your changes.
Note: Please avoid submitting PRs without prior discussion to ensure efficient collaboration.
We look forward to your contributions!
Install Python dependencies:
pip install -r requirements.txt📦 Build Instructions (Windows & Linux)
See BUILD_WINDOWS.md for detailed instructions.
Quick start:
.\build-windows.ps1This will:
- Build GUI executable
- Build CLI executable
- Create installer with Inno Setup
See BUILD_LINUX.md for detailed instructions.
Quick start:
chmod +x build-deb.sh
./build-deb.shThis will:
- Build GUI and CLI executables
- Create .deb package
- Install daemon service automatically
FadCrypt is open-source under the GNU General Public License v3.0 (GPLv3).
Need a commercial license? If you want to use FadCrypt without GPLv3 requirements, contact us for commercial licensing terms.
📧 Email: [email protected]
🧪 Development Testing
For developers testing context menu functionality without full registry integration:
# Test lock operation (single file)
python FadCrypt.py --test-context-lock <path>
# Test lock operation (multiple files - batch)
python FadCrypt.py --test-context-lock <path1> <path2> <path3>
# Test unlock operation (single file)
python FadCrypt.py --test-context-unlock <path>
# Test unlock operation (multiple files - batch)
python FadCrypt.py --test-context-unlock <path1> <path2> <path3>Security Note: These test flags provide the same security as the real context menu:
- Require valid master password already set up
- Require correct password entry in authentication dialog
- Perform full encryption/decryption process with all security checks
- Support batch operations (multiple files with single password entry)
Use Cases:
- Debugging context menu integration issues
- Testing batch lock/unlock without installing registry entries
- Verifying password dialog behavior during development
- Testing file encryption/decryption logic before deployment
Example:
# Test locking 3 files at once
python FadCrypt.py --test-context-lock "file1.txt" "file2.txt" "file3.txt"
# A password dialog will appear - enter your master password
# All files will be processed and encrypted with progress updates🔑 Reset Password
Follow these steps to regain access to FadCrypt:
Windows:
- Open PowerShell as Administrator:
Windows key + S→ type "PowerShell" → right-click → "Run as administrator" - Run:
Stop-Process -Name "fadcrypt" -Force
Linux:
killall fadcrypt fadcrypt-cliWindows: Delete these files:
C:\Users\<YourUsername>\AppData\Roaming\FadCrypt\encrypted_password.bin
C:\ProgramData\FadCrypt\Backup\encrypted_password.bin
Linux:
rm ~/.config/FadCrypt/encrypted_password.bin
rm ~/.local/share/FadCrypt/Backup/encrypted_password.binNow reopen FadCrypt and set a new password!
