rsecure is a simple and secure command-line tool for AES-256-GCM file encryption and decryption, built in pure Rust. You can use either a 32-byte key file (default) or a passphrase (Argon2id) as the credential. Each file is then encrypted under a unique per-file subkey derived via HKDF-SHA256, eliminating any practical risk of nonce collision across files. Ideal for protecting sensitive files, backups, and personal data.
rsecure uses stream encryption and rayon parallelism. Encryption speed also depends on your hardware specs (disk speed, CPU speed and number of cores).
```bash
# 1. Install
curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/rsecure/main/install.sh | sh
# 2. Generate a demo key (for real use, store the key on a USB drive or password manager!)
rsecure create-key -o /tmp/rsecure.key
# 3. Create a test file
echo "hello rsecure" > /tmp/secret.txt
# 4. Encrypt it (-r removes the plaintext after encryption)
rsecure encrypt -p /tmp/rsecure.key -s /tmp/secret.txt -r
# 5. Decrypt it back
rsecure decrypt -p /tmp/rsecure.key -s /tmp/secret.txt.enc
```

Warning
If you lose the key, the encrypted data is unrecoverable. Read the Security section before storing real data.
```bash
curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/rsecure/main/install.sh | sh
```

Pin a specific release by appending `-s -- -v <version>`:

```bash
curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/rsecure/main/install.sh | sh -s -- -v <version>
```

Note
The installation script automatically detects your OS and ARCH and installs the correct binary (rpm, deb, apk, or just a binary in `/usr/local/bin`). On Alpine, run `apk add gcompat`, since the binary is built with glibc and Alpine uses musl.
```bash
paru -S rsecure # or yay -S rsecure
```

```bash
brew install containerscrew/tap/rsecure
```

Note
If you installed an older version via `brew install --cask rsecure`, run `brew uninstall --cask rsecure` first. rsecure is now distributed as a Homebrew formula, which avoids the macOS Gatekeeper quarantine that affected the cask.
Using cargo
```bash
cargo install rsecure
cargo install rsecure --version <version> # pin a specific release
```

```bash
git clone https://github.com/containerscrew/rsecure.git
cd rsecure
cargo build --release
sudo cp ./target/release/rsecure /usr/local/bin/
```

| Command | Description |
|---|---|
| `rsecure create-key -o /mnt/myusb/rsecure.key` | Generate a new AES-256 key and save it to a file |
| `openssl rand -out /mnt/myusb/rsecure.key 32` | Alternative: generate a random 256-bit key using OpenSSL |
| `rsecure encrypt -p /mnt/myusb/rsecure.key -s /home/mydirectory/text_to_encrypt.txt` | Encrypt a single file (.enc file is created in the same directory) |
| `rsecure encrypt -p /mnt/myusb/rsecure.key -s /home/mydirectory/files/` | Encrypt all files in a directory |
| `rsecure decrypt -p /mnt/myusb/rsecure.key -s /home/mydirectory/text_to_encrypt.txt.enc` | Decrypt a single encrypted file |
| `rsecure decrypt -p /mnt/myusb/rsecure.key -s /home/mydirectory/files/` | Decrypt all files in a directory |
| `rsecure encrypt -r -p /mnt/myusb/rsecure.key -s /home/rsecure/dirtoencrypt/` | Encrypt and remove original files (plain text) |
| `rsecure encrypt -p /mnt/myusb/rsecure.key -s /home/rsecure/dirtoencrypt -e '.git'` | Encrypt all files in a directory excluding .git/ files |
| `rsecure encrypt --passphrase -s /home/mydirectory/text_to_encrypt.txt` | Encrypt with a passphrase (Argon2id), no key file needed |
| `rsecure decrypt -s /home/mydirectory/text_to_encrypt.txt.enc` | Decrypt a passphrase-encrypted file (auto-detected, prompts for it) |

Warning
Saving the key in the same local filesystem where you save the encrypted files is not a good idea.
Save the key in a secure location, like a USB drive or a password manager.
Or just save it in a root-owned directory with strict permissions (using it will then require sudo).
Something like:

```bash
sudo rsecure encrypt -p /root/rsecure.key -s /home/dcr/Documents/PrivateDocuments -r
```

`rsecure` must be in a PATH directory where the `root` user can execute it. This means that if you installed it using `cargo`, you need to add `~/.cargo/bin` to the `PATH` variable in the `root` user's environment, or just copy the binary to `/usr/local/bin/` or any other directory in the `PATH`.
Important
By default, rsecure does not delete the plaintext source files after encryption, to avoid data loss.
If you want to delete the source files after encryption, use the `-r` flag.
rsecure encrypts file contents with AES-256-GCM via the audited `aes-gcm` crate from RustCrypto, using the STREAM construction (`EncryptorBE32`) over 128 KiB chunks. For each file, a 32-byte random salt is generated and a unique AES-256 subkey is derived from the master key via HKDF-SHA256, so the (key, nonce) pair is globally unique and nonce-collision attacks against AES-GCM are not a concern in practice. Files written by rsecure ≤ 0.5.0 (no HKDF, 7-byte random nonce, no header) are still decrypted transparently: the `RSEC` magic header in new files distinguishes the two formats. The crate forbids unsafe code at the root (`#![forbid(unsafe_code)]`), and the dependency tree is continuously checked against the RustSec Advisory Database by cargo-audit and cargo-deny in CI.
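
The per-file derivation described above, sketched as an added example in Python (standard library only); this is not rsecure's code. The HKDF `info` label and the "magic first" format check are assumptions for illustration, and SECURITY.md has the real parameters.

```python
import hashlib
import hmac
import os

MAGIC = b"RSEC"                 # magic named on the page; the rest of the header is not modelled
INFO = b"example-file-subkey"   # hypothetical HKDF info label, not rsecure's own


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF from RFC 5869 with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def file_subkey(master_key: bytes, salt: bytes) -> bytes:
    """Derive the AES-256 subkey for one file from the master key and that file's salt."""
    if len(master_key) != 32 or len(salt) != 32:
        raise ValueError("expected a 32-byte master key and a 32-byte salt")
    return hkdf_sha256(master_key, salt, INFO)


def stream_nonce(prefix: bytes, counter: int, last: bool) -> bytes:
    """12-byte GCM nonce in the STREAM BE32 layout: 7-byte prefix, u32 counter, last-chunk flag."""
    if len(prefix) != 7:
        raise ValueError("prefix must be 7 bytes")
    return prefix + counter.to_bytes(4, "big") + (b"\x01" if last else b"\x00")


def detect_format(blob: bytes) -> str:
    """Files starting with the RSEC magic use HKDF subkeys; anything else is legacy."""
    return "hkdf" if blob.startswith(MAGIC) else "legacy"


if __name__ == "__main__":
    master = os.urandom(32)                      # constructed sample key
    salt_a, salt_b = os.urandom(32), os.urandom(32)
    key_a, key_b = file_subkey(master, salt_a), file_subkey(master, salt_b)
    print("subkeys differ:", key_a != key_b)     # same nonce under different keys is harmless
    prefix = bytes(7)
    for i, last in enumerate([False, False, True]):
        print(i, stream_nonce(prefix, i, last).hex())
    print(detect_format(MAGIC + salt_a), detect_format(os.urandom(64)))
```

Because the chunk counter and the last-chunk flag are part of each nonce, a reordered or truncated chunk sequence fails GCM authentication instead of decrypting to a shortened file.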
Read SECURITY.md for the full threat model: what rsecure does and does not protect against, the exact cryptographic parameters, and key custody guidance.
To report a vulnerability, please use GitHub Security Advisories; do not open a public issue.
Testing encryption and decryption:

```bash
git clone https://github.com/containerscrew/rsecure.git
cd rsecure
sh scripts/fake_data.sh # will generate 17 GB of fake data in /var/tmp/dummy_files/
rsecure encrypt -p /var/tmp/rsecure.key -s /var/tmp/dummy_files/
rsecure decrypt -p /var/tmp/rsecure.key -s /var/tmp/dummy_files/
```

Edit the `fake_data.sh` script to create different types of files and directories for testing.

```bash
cargo install hyperfine
hyperfine --runs 5 'rsecure encrypt -p /var/tmp/rsecure.key -s /var/tmp/dummy_files/'
hyperfine --runs 5 'rsecure decrypt -p /var/tmp/rsecure.key -s /var/tmp/dummy_files/'
```

rsecure is distributed under the terms of the GPLv3 license.
