Xecrets Ez Help

Help and Documentation

Here you will find various recipes, tips and recommendations about how to use Xecrets Ez, the desktop app for macOS, Linux and Windows. Start by watching a demo.

Operating System Differences

The app is the same across all supported platforms, but since the platforms have some fundamental differences, there are a few differences also for Xecrets Ez.

Feature Overview

Xecrets Ez has a simple and compact user interface for encrypting and decrypting files. It's designed to be easy to use, and to be used by anyone who can use a computer. It's available for macOS, Linux and Windows, and requires no Internet access.

Please visit the feature overview for more details.

Demonstration Videos

For a quick introduction, check out our videos. More to come.

IntroductionUsing a YubiKey

Installation

There's really no installation required, Xecrets Ez is designed to be run as a stand-alone single executable, what's often called a portable app.

However, since macOS, Linux and Windows do have some differences, for convenience and ease of use, you may want to perform some platform specific actions. If you're not putting the app on a removable device such as a USB stick (which works perfectly fine) we recommend that you place the app after downloading and unpacking in a fixed un-versioned location.

The download itself is always versioned by name, so that it's easy to know what you've got. For example, the download for macOS may be named XecretsEz-macOS-2.3.398.tar.gz while the corresponding Windows download would be XecretsEz-Win-2.3.398.zip .

Use the appropriate utility to extract the actual app executable from the downloaded file. This will be XecretsEz for Linux, Xecrets Ez.app (the .app extension is usually hidden and it's actually a directory) for macOS and XecretsEz.exe on Windows.

We suggest you move the extracted app to the following location:

  • macOS - /Applications (or user local /Users/[YourUserName]/Applications).
  • Linux - /home/[YourUserName] or equivalently the Home shortcut.
  • Windows - C:\Users\[YourUserName] or equivalently %USERPROFILE%.

The advantage of placing the app in a fixed location is that it's easier to find it when you use it or update it and it also makes it possible to conveniently associate encrypted .axx files to the app, see below for details.

Downloading a License

A license is a (relatively) short string digitally signed by us containing the terms and validity of your subscription. You copy the license string from our server, and then paste it in the Xecrets Ez main window.

Download via credit card last 4 digits

If you did not enter your credit card details directly because you used a wallet like Link, or some other payment method, use the customer portal instead, see just below.

Use the "Help | Download License" menu option in the app. You will need to provide the last 4 digits of the credit card number to identify yourself.

Download purchased license

Download via Customer Portal

If you didn't use a credit card, or don't have access to the last 4 digits, you can use the customer portal and find the link to your license there.

Follow the instructions to enter the customer portal (enter your email, check your inbox, and click the time limited link in the received email). After clicking the link in the email, you should see something similar to the image below. Select the link as indicated, paste it in your browser, hit enter and proceed to the final step.

Find link in customer portal

Copy the actual license

Regardless of how you get there, via the last 4 digits of your credit card or the customer portal, use the copy to clipboard button just to the right of the license string display to copy the license to the clipboard, and then switch back to Xecrets Ez, ensure you are signed in and paste it in the main window.

Web page with the license

Before you can download a license, you need to purchase a subscription.

For Xecrets Cli, you instead download a small text file and place it next to the cli executable.

Using a YubiKey

Xecrets Ez supports the use of a YubiKey for signing in, you'll find the configuration in the User menu. This is a very secure and convenient way to sign in, as you don't have to type your password. Thus key loggers are defeated, and if you configure a PIN or touch, physical access is required.

Enter your YubiKey PIN

Because Xecrets Ez protects files at rest for the long term, we use the YubiKey in a way that if you lose your YubiKey, you won't necessarily lose access to your files. We have deemed it to be an unacceptable risk to cause complete data loss if you lose your YubiKey.

Briefly, the YubiKey is used to encrypt your actual password, and the encrypted password is stored in your settings. When you sign in, the app checks if there's a YubiKey present, and if it can decrypt a stored encrypted password, it is used to try to sign in. If it doesn't work, you will be presented with the normal password sign in dialog.

Technically, the YubiKey is used with the PIV smart card application with RSA-2048 keys, and the password is encrypted with the public key of an existing slot, or if no suitable slot exists, a new slot that is created for this purpose. The private key is generated on the YubiKey and never leaves it. It should co-exist nicely with other PIV smart card applications, such as for SSH keys, as well as other uses of the YubiKey including FIDO2, U2F, OTP and OpenPGP.

The only consequence of losing your YubiKey is that you have to type your password instead. However, if you lose your YubiKey and an attacker has access to it and your computer, they can decrypt your files unless you protect the YubiKey with a PIN, which we strongly recommend.

The design goal of the YubiKey support is to make it as easy as possible to use Xecrets Ez, and also to encourage the use of a strong password since there will be no need to type it as long as you have the YubiKey inserted.

Configure and enable the YubiKey.

Using a YubiKey is optional, and you can always sign in with your password if you prefer. There is generally no need to configure anything to use a YubiKey if it's already setup for PIV smart card use. If it's not been setup before, we recommend that you change all the default security settings using the Yubico YubiKey Manager app.

Configure the YubiKey PINs.

You might also want to generate a Key Management certificate in the Yubico app, which will then be used by Xecrets Ez. Regardless, Xecrets Ez will configure it as needed, but it can't change default security settings.

macOS

Some notes concerning YubiKey on macOS, please read the Yubico documentation for details. Briefly, if the keyboard assistant opens, just close it. If you're asked to allow Xecrets Ez to receive keystrokes from any application, you can click "Deny" (unless you are planning to use the YubiKey for OTP sign in to sites, but this has nothing to do with Xecrets Ez). No further action is required, but we do recommend that you configure the YubiKey as described above using the Yubico YubiKey Manager app.

Linux

Some notes concerning YubiKey on Linux, please read the Yubico documentation for details. Briefly, you may need to install the pcscd package, and you may need to configure the location of the libudev.so library. As above, we recommend configuring the YubiKey with the Yubico YubiKey Manager app. On Ubuntu 22.04, the following is required:

sudo apt install pcscd
sudo ln -s /usr/lib/x86_64-linux-gnu/libudev.so.1 /usr/lib/libudev.so

Quick Access

You can pin Xecrets Ez for quick access.

macOS

No action really required, macOS will place it in the recent apps section in the dock if it's in /Applications and you will find it in the Launchpad like any other application. If you want it always in the Dock, right-click the icon in the dock when it's running, and select "Options | Keep in Dock".

Right-click & pin to start
Right-click & pin to start
Right-click & pin to start

Linux

For Linux it requires a little bit of manual work to get Xecrets Ez into menus, but as a Linux user, you'll probably feel right at home. This is on Ubuntu 22.04, but it should be fairly similar in most distributions. You will have to manually create and edit a .desktop file, and place it in the ~/.local/share/applications directory. Please name the file com.axantum.XecretsEz.desktop. Copy and paste the following, changing [YourUserName] to whatever user name you are using in your system.

[Desktop Entry] 
Name=Xecrets Ez
Exec=/home/[YourUserName]/XecretsEz %f
Type=Application
Categories=Utility;FileTools

Windows

Pin the program for quick access to both Start and the Taskbar. Right-click the executable where you placed it, and then select "Pin to Start" and/or "Show more options | Pin to taskbar".

Right-click & pin to start
Right-click & pin to taskbar

Making it easy to open .axx files

Each operating system has it's own desktop file manager, typically Finder for macOS, GNOME/Nautilus for Ubuntu Linux and Explorer for Windows. There are many other options, but here we describe procedures for these.

Normally you open a file by double clicking it, but how does the operating system know how to open it, i.e. what app to use?

This is called associating the file type with the app. The procedure differs, and there are many alternate ways to do this, here are some ways it can be done.

macOS

Normally it's not required, but if you have other applications registered for the .axx extension such as AxCrypt, you may want to change it. To associate Xecrets Ez with .axx files right-click an .axx file, select "Open with" then "Other...". Select either /Applications or /Users/[YourUserName]/Applications, scroll down to XecretsEz, select it, check the Always Open With checkbox and finally click Open. You can also do this from the Get Info menu on right-click.

Right-click & pin to start
Right-click & pin to taskbar

Linux

This is for Ubuntu 22.04, but the process should be similar in most distributions. To associate Xecrets Ez with .axx files right-click an .axx file, select "Open With Other Application", click View All Applications, scroll down to XecretsEz, select it, and click the Select button. Xecrets Ez opens the file, and will do it with a double-click in the future.

Right-click & select Open With...
Select XecretsEz and click the Select button

Windows

To associate Xecrets Ez with .axx files right-click an .axx file, select "Open with" then "Choose another app", scroll down to "Choose an app on your PC" and browse to where you moved the XecretsEz.exe executable when you installed it. Finally, click the "Always" button to make the association permanent.

Right-click & Open With
Open & Choose always

Why Sign In?

There are several reasons for signing in.

  • The most important one is based on over 20 years of experience with encryption apps. When you sign in, the app verifies that you're really using the password that you intend to use, your master password that you set up the app with.

    If we were just to ask without checking, there's always the risk of you mistyping - and then being unable to decrypt when next time you enter the correct password.

    Even dual entry of the password is not foolproof, as it's easy to make the same mistake twice. Also it's annoying to have to enter it twice every time...

  • Another reason is that it's well-known metaphor and should feel comfortable to use, and it allows for the app to remember the password for the duration of the session, reducing the need to retype it frequently.

Sharing encrypted files

If you want to send an encrypted file to someone else, you want to do so with a different password than the one you use to sign in to the app with.

You do this with the "File|Encrypt|Encrypt Copy For..." menu option. You will be prompted for a password and which files to encrypt with this password. Once they are encrypted like this, you can send them to the recipient.

Encrypt Copy For... window

Cancelling a subscription

To cancel a subscription during the trial period, or later, please visit the customer portal and follow the instructions.

Start by selecting the Buy | Customer Portal menu option.

Buy | Customer Portal menu choice

Enter your email address and click the "Send" button. You will receive an email with a link.

Stripe login with email window

In your inbox you will find an email from Stripe.

An email in the inbox

Open the email and click the "Login to your customer portal" link.

The contents of the Stripe email

Cancel your subscription by clicking the "Cancel plan" button.

The Stripe manage subscription page

Emergency Password Reset

Hard rule number one, that there is no way around is: If you lose your password, you lose data encrypted with that password. That is why you need to remember your password, and store a backup of it in a safe place, and why you need to type it several times the first time, and why you need to type it correctly to sign in to the app.

Since you need to remember your password in order to even sign in to the program, if you forget it, there's normally no way to sign in! (However, if you have a YubiKey configured, you can use that to sign in, it's a good backup.)

Since Xecrets Ez is strong encryption, with no back doors, there's no password recovery as such.

However, if you do find yourself locked out of the app, hopefully just because you've been testing it and forgot to make a note of the password, you can reset the password. Remember this will not make it possible to decrypt files encrypted with the old password. It will only make it possible to sign in to the app with a new password.

In the sign in dialog, hit the key combination Ctrl-Shift-I and follow the instructions.

Frequently Asked Questions

Still got questions? Check out if your question is answered below!

You can always recover your subscription by visiting the customer portal.

You can cancel your subscription by visiting the customer portal.

There are no servers or services that can be decommissioned or stop working. The source code for the command line backend that does all encryption and decryption is open source and easily available on GitHub. If you want to be really sure, keep a copy of the source code and the compiled Xecrets Cli of your choice around, and you are as long term safe as you possibly can be. Also, files encrypted with Xecrets Ez can be decrypted with AxCrypt, another compatible software.

Xecrets Ez does not use any servers or services, so it always works completely offline. It works perfectly even in an air gapped environment, where the computer is not connected to the internet at all.

Security best practice is to have one unique very strong master password for all your personal files when using strong encryption like Xecrets Ez.

For online website accounts it is different, there you indeed should have unique passwords for each site. The reason for this is that different online accounts may have different levels of security for passwords, and if you re-use passwords, weak security for one account puts all accounts with the same password at risk.

In the file encryption case, all files are encrypted with the same method. Either it is good enough, and breaking one file's encryption is no easier than another, or it is not good enough, in which case having different passwords will make no difference. Breaking the encryption of one file will be no harder than breaking another. Nothing is gained by having different passwords for different files.

It is also impractical to securely handle separate passwords that are strong enough for every file in your head, so then you need a password manager or a similar function. This, in turn, then will have a single password or be a single point of attack. So this just moves the single password situation to a different place, which does not gain you any security, but it may reduce it if the password manager turns out to be vulnerable. This just complicates things without any security gain.

Xecrets Ez does allow you to set separate passwords for different files, but this is intended for sharing situations, where you share the encrypted file with others.

If you are happy to pay with our payment processor Stripe, you can in some cases use other payment methods. Initiate the purchase, and see what options are presented.

If you still want to pay with something else, please contact our support team. We try to be flexible so just ask us, but there is no automatic recurring payment for the subscription, so in the future you need to contact us each time the license expires and arrange for payment again. It may also take longer time, since we'll have to handle it and verify the payment manually. We ask, for everyone's convenience that you consider prepaying for 2 or 3 years.

Finally, we normally can't provide a commercial invoice or receipt for these manual prepayments. If you represent a business and want to purchase a large number of licenses (> 100), we'll try to accommodate to your needs.

If you have been charged for a subscription you didn't want, you can always get a refund by contacting our support team. Please don't file a dispute with your card issuer or Stripe before talking with us. We will just refund you, and it's much faster and easier for everyone! Credit card refunds typically take 5-10 days to show up on your account.

Trial licenses acquired without signing up for a subscription are valid for 3 days. After that, you can purchase a subscription to continue using Xecrets, which includes an additional 10 days of free trial which you can cancel at any time before then.