Here you will find various recipes, tips and recommendations about how to use Xecrets Ez, the desktop app for macOS, Linux and Windows. Start by watching a demo.
The app is the same across all supported platforms, but since the platforms have some fundamental differences, there are a few differences also for Xecrets Ez.
Xecrets Ez has a simple and compact user interface for encrypting and decrypting files. It's designed to be easy to use, and to be used by anyone who can use a computer. It's available for macOS, Linux and Windows, and requires no Internet access.
Please visit the feature overview for more details.
For a quick introduction, check out our videos. More to come.
There's really no installation required, Xecrets Ez is designed to be run as a stand-alone single executable, what's often called a portable app.
However, since macOS, Linux and Windows do have some differences, for convenience and ease of use, you may want to perform some platform specific actions. If you're not putting the app on a removable device such as a USB stick (which works perfectly fine) we recommend that you place the app after downloading and unpacking in a fixed un-versioned location.
The download itself is always versioned by name, so that it's easy to know what you've got. For example, the download for macOS may be named XecretsEz-macOS-2.3.398.tar.gz
while the corresponding Windows download would be XecretsEz-Win-2.3.398.zip
.
Use the appropriate utility to extract the actual app executable from the downloaded file. This will be XecretsEz
for Linux, Xecrets Ez.app
(the .app extension is usually hidden and it's actually a directory) for macOS and XecretsEz.exe
on Windows.
We suggest you move the extracted app to the following location:
/Applications
(or user local /Users/[YourUserName]/Applications
)./home/[YourUserName]
or equivalently the Home
shortcut.C:\Users\[YourUserName]
or equivalently %USERPROFILE%
.The advantage of placing the app in a fixed location is that it's easier to find it when you use it or update it and it also makes it possible to conveniently associate encrypted .axx files to the app, see below for details.
A license is a (relatively) short string digitally signed by us containing the terms and validity of your subscription. You copy the license string from our server, and then paste it in the Xecrets Ez main window.
If you did not enter your credit card details directly because you used a wallet like Link, or some other payment method, use the customer portal instead, see just below.
Use the "Help | Download License" menu option in the app. You will need to provide the last 4 digits of the credit card number to identify yourself.
If you didn't use a credit card, or don't have access to the last 4 digits, you can use the customer portal and find the link to your license there.
Follow the instructions to enter the customer portal (enter your email, check your inbox, and click the time limited link in the received email). After clicking the link in the email, you should see something similar to the image below. Select the link as indicated, paste it in your browser, hit enter and proceed to the final step.
Regardless of how you get there, via the last 4 digits of your credit card or the customer portal, use the copy to clipboard button just to the right of the license string display to copy the license to the clipboard, and then switch back to Xecrets Ez, ensure you are signed in and paste it in the main window.
Before you can download a license, you need to purchase a subscription.
For Xecrets Cli, you instead download a small text file and place it next to the cli executable.
Xecrets Ez supports the use of a YubiKey for signing in, you'll find the configuration in the User menu. This is a very secure and convenient way to sign in, as you don't have to type your password. Thus key loggers are defeated, and if you configure a PIN or touch, physical access is required.
Because Xecrets Ez protects files at rest for the long term, we use the YubiKey in a way that if you lose your YubiKey, you won't necessarily lose access to your files. We have deemed it to be an unacceptable risk to cause complete data loss if you lose your YubiKey.
Briefly, the YubiKey is used to encrypt your actual password, and the encrypted password is stored in your settings. When you sign in, the app checks if there's a YubiKey present, and if it can decrypt a stored encrypted password, it is used to try to sign in. If it doesn't work, you will be presented with the normal password sign in dialog.
Technically, the YubiKey is used with the PIV smart card application with RSA-2048 keys, and the password is encrypted with the public key of an existing slot, or if no suitable slot exists, a new slot that is created for this purpose. The private key is generated on the YubiKey and never leaves it. It should co-exist nicely with other PIV smart card applications, such as for SSH keys, as well as other uses of the YubiKey including FIDO2, U2F, OTP and OpenPGP.
The only consequence of losing your YubiKey is that you have to type your password instead. However, if you lose your YubiKey and an attacker has access to it and your computer, they can decrypt your files unless you protect the YubiKey with a PIN, which we strongly recommend.
The design goal of the YubiKey support is to make it as easy as possible to use Xecrets Ez, and also to encourage the use of a strong password since there will be no need to type it as long as you have the YubiKey inserted.
Using a YubiKey is optional, and you can always sign in with your password if you prefer. There is generally no need to configure anything to use a YubiKey if it's already setup for PIV smart card use. If it's not been setup before, we recommend that you change all the default security settings using the Yubico YubiKey Manager app.
You might also want to generate a Key Management certificate in the Yubico app, which will then be used by Xecrets Ez. Regardless, Xecrets Ez will configure it as needed, but it can't change default security settings.
Some notes concerning YubiKey on macOS, please read the Yubico documentation for details. Briefly, if the keyboard assistant opens, just close it. If you're asked to allow Xecrets Ez to receive keystrokes from any application, you can click "Deny" (unless you are planning to use the YubiKey for OTP sign in to sites, but this has nothing to do with Xecrets Ez). No further action is required, but we do recommend that you configure the YubiKey as described above using the Yubico YubiKey Manager app.
Some notes concerning YubiKey on Linux, please read the Yubico documentation for details. Briefly, you may need to install the pcscd
package, and you may need to configure the location of the libudev.so
library. As above, we recommend configuring the YubiKey with the Yubico YubiKey Manager app. On Ubuntu 22.04, the following is required:
sudo apt install pcscd
sudo ln -s /usr/lib/x86_64-linux-gnu/libudev.so.1 /usr/lib/libudev.so
You can pin Xecrets Ez for quick access.
No action really required, macOS will place it in the recent apps section in the dock if it's in /Applications and you will find it in the Launchpad like any other application. If you want it always in the Dock, right-click the icon in the dock when it's running, and select "Options | Keep in Dock".
For Linux it requires a little bit of manual work to get Xecrets Ez into menus, but as a Linux user, you'll probably feel right at home. This is on Ubuntu 22.04, but it should be fairly similar in most distributions. You will have to manually create and edit a .desktop
file, and place it in the ~/.local/share/applications
directory. Please name the file com.axantum.XecretsEz.desktop
. Copy and paste the following, changing [YourUserName]
to whatever user name you are using in your system.
[Desktop Entry] Name=Xecrets Ez Exec=/home/[YourUserName]/XecretsEz %f Type=Application Categories=Utility;FileTools
Pin the program for quick access to both Start
and the Taskbar
. Right-click the executable where you placed it, and then select "Pin to Start" and/or "Show more options | Pin to taskbar".
Each operating system has it's own desktop file manager, typically Finder for macOS, GNOME/Nautilus for Ubuntu Linux and Explorer for Windows. There are many other options, but here we describe procedures for these.
Normally you open a file by double clicking it, but how does the operating system know how to open it, i.e. what app to use?
This is called associating the file type with the app. The procedure differs, and there are many alternate ways to do this, here are some ways it can be done.
Normally it's not required, but if you have other applications registered for the .axx extension such as AxCrypt, you may want to change it. To associate Xecrets Ez with .axx
files right-click an .axx
file, select "Open with" then "Other...". Select either /Applications
or /Users/[YourUserName]/Applications
, scroll down to XecretsEz
, select it, check the Always Open With checkbox and finally click Open. You can also do this from the Get Info menu on right-click.
This is for Ubuntu 22.04, but the process should be similar in most distributions. To associate Xecrets Ez with .axx
files right-click an .axx
file, select "Open With Other Application", click View All Applications, scroll down to XecretsEz
, select it, and click the Select button. Xecrets Ez opens the file, and will do it with a double-click in the future.
To associate Xecrets Ez with .axx
files right-click an .axx
file, select "Open with" then "Choose another app", scroll down to "Choose an app on your PC" and browse to where you moved the XecretsEz.exe
executable when you installed it. Finally, click the "Always" button to make the association permanent.
There are several reasons for signing in.
The most important one is based on over 20 years of experience with encryption apps. When you sign in, the app verifies that you're really using the password that you intend to use, your master password that you set up the app with.
If we were just to ask without checking, there's always the risk of you mistyping - and then being unable to decrypt when next time you enter the correct password.
Even dual entry of the password is not foolproof, as it's easy to make the same mistake twice. Also it's annoying to have to enter it twice every time...
Another reason is that it's well-known metaphor and should feel comfortable to use, and it allows for the app to remember the password for the duration of the session, reducing the need to retype it frequently.
If you want to send an encrypted file to someone else, you want to do so with a different password than the one you use to sign in to the app with.
You do this with the "File|Encrypt|Encrypt Copy For..." menu option. You will be prompted for a password and which files to encrypt with this password. Once they are encrypted like this, you can send them to the recipient.
To cancel a subscription during the trial period, or later, please visit the customer portal and follow the instructions.
Start by selecting the Buy | Customer Portal menu option.
Enter your email address and click the "Send" button. You will receive an email with a link.
In your inbox you will find an email from Stripe.
Open the email and click the "Login to your customer portal" link.
Cancel your subscription by clicking the "Cancel plan" button.
Hard rule number one, that there is no way around is: If you lose your password, you lose data encrypted with that password. That is why you need to remember your password, and store a backup of it in a safe place, and why you need to type it several times the first time, and why you need to type it correctly to sign in to the app.
Since you need to remember your password in order to even sign in to the program, if you forget it, there's normally no way to sign in! (However, if you have a YubiKey configured, you can use that to sign in, it's a good backup.)
Since Xecrets Ez is strong encryption, with no back doors, there's no password recovery as such.
However, if you do find yourself locked out of the app, hopefully just because you've been testing it and forgot to make a note of the password, you can reset the password. Remember this will not make it possible to decrypt files encrypted with the old password. It will only make it possible to sign in to the app with a new password.
In the sign in dialog, hit the key combination Ctrl-Shift-I and follow the instructions.
Still got questions? Check out if your question is answered below!
Security best practice is to have one unique very strong master password for all your personal files when using strong encryption like Xecrets Ez.
For online website accounts it is different, there you indeed should have unique passwords for each site. The reason for this is that different online accounts may have different levels of security for passwords, and if you re-use passwords, weak security for one account puts all accounts with the same password at risk.
In the file encryption case, all files are encrypted with the same method. Either it is good enough, and breaking one file's encryption is no easier than another, or it is not good enough, in which case having different passwords will make no difference. Breaking the encryption of one file will be no harder than breaking another. Nothing is gained by having different passwords for different files.
It is also impractical to securely handle separate passwords that are strong enough for every file in your head, so then you need a password manager or a similar function. This, in turn, then will have a single password or be a single point of attack. So this just moves the single password situation to a different place, which does not gain you any security, but it may reduce it if the password manager turns out to be vulnerable. This just complicates things without any security gain.
Xecrets Ez does allow you to set separate passwords for different files, but this is intended for sharing situations, where you share the encrypted file with others.
If you are happy to pay with our payment processor Stripe, you can in some cases use other payment methods. Initiate the purchase, and see what options are presented.
If you still want to pay with something else, please contact our support team. We try to be flexible so just ask us, but there is no automatic recurring payment for the subscription, so in the future you need to contact us each time the license expires and arrange for payment again. It may also take longer time, since we'll have to handle it and verify the payment manually. We ask, for everyone's convenience that you consider prepaying for 2 or 3 years.
Finally, we normally can't provide a commercial invoice or receipt for these manual prepayments. If you represent a business and want to purchase a large number of licenses (> 100), we'll try to accommodate to your needs.