Here you will find various recipes, tips and recommendations about how to use Xecrets Ez, the desktop app for macOS, Linux and Windows.
The app is the same across all supported platforms, but since the platforms have some fundamental differences, there are a few differences also for Xecrets Ez.
Xecrets Ez has a simple and compact user interface for encrypting and decrypting files. It's designed to be easy to use, and to be used by anyone who can use a computer. It's available for macOS, Linux and Windows, and requires no Internet access.
Please visit the feature overview for more details.
There's really no installation required; Xecrets Ez is designed to be run as a stand-alone single executable, what's often called a portable app.
However, since macOS, Linux and Windows do have some differences, for convenience and ease of use, you may want to perform some platform-specific actions. If you're not putting the app on a removable device such as a USB stick (which works perfectly fine), we recommend that you place the app, after downloading and unpacking, in a fixed unversioned location.
The download itself is always versioned by name, so that it's easy to know what you've got. For example, the download for macOS may be named XecretsEz-Osx-2.3.398.tar.gz while the corresponding Windows download would be XecretsEz-Win-2.3.398.zip.
Use the appropriate utility to extract the actual app executable from the downloaded file. This will be XecretsEz for Linux, Xecrets Ez.app (the .app extension is usually hidden and it's actually a directory) for macOS and XecretsEz.exe on Windows.
We suggest you move the extracted app to the following location:
macOS: /Applications (or user local /Users/[YourUserName]/Applications).
Linux: /home/[YourUserName] or equivalently the Home shortcut.
Windows: C:\Users\[YourUserName] or equivalently %USERPROFILE%.
The advantage of placing the app in a fixed location is that it's easier to find when you use it or update it, and it also makes it possible to conveniently associate encrypted .axx files with the app; see below for details.
Xecrets Ez supports the use of a YubiKey for signing in; you'll find the configuration in the User menu. This is a very secure and convenient way to sign in, as you don't have to type your password. Thus keyloggers are defeated, and if you configure a PIN or touch, physical access is required.
Because Xecrets Ez protects files at rest for the long term, we use the YubiKey in a way that if you lose your YubiKey, you won't necessarily lose access to your files. We have deemed it to be an unacceptable risk to cause complete data loss if you lose your YubiKey.
Briefly, the YubiKey is used to encrypt your actual password, and the encrypted password is stored in your settings. When you sign in, the app checks if there's a YubiKey present, and if it can decrypt a stored encrypted password, it is used to try to sign in. If it doesn't work, you will be presented with the normal password sign in dialog.
Technically, the YubiKey is used with the PIV smart card application with RSA-2048 keys, and the password is encrypted with the public key of an existing slot, or if no suitable slot exists, a new slot that is created for this purpose. The private key is generated on the YubiKey and never leaves it. It should co-exist nicely with other PIV smart card applications, such as for SSH keys, as well as other uses of the YubiKey including FIDO2, U2F, OTP and OpenPGP.
The only consequence of losing your YubiKey is that you have to type your password instead. However, if you lose your YubiKey and an attacker has access to it and your computer, they can decrypt your files unless you protect the YubiKey with a PIN, which we strongly recommend.
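The sign-in flow described above, as an added example that is not Xecrets Ez code: software RSA-2048 keys generated with openssl stand in for YubiKey PIV slots, and the OAEP padding, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: software RSA-2048 keys stand in for YubiKey PIV slots.
# Assumptions (not Xecrets Ez internals): OAEP padding, file and function names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for on-device key generation; on a real token the private key
# is created on the YubiKey and never exists as a file.
new_slot() {  # $1 = hypothetical slot name
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Configuration: encrypt the password to the slot's public key and keep
# only the ciphertext in the (hypothetical) settings file.
store_password() {  # $1 = slot name, $2 = password
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/settings.blob"
}

# Sign-in: use the inserted token if it can decrypt the stored blob,
# otherwise fall back to the typed password (the normal dialog).
sign_in() {  # $1 = inserted slot name or "", $2 = typed password
  if [ -n "$1" ] && pw=$(openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
       -pkeyopt rsa_padding_mode:oaep -in "$WORK/settings.blob" 2>/dev/null)
  then printf 'token:%s' "$pw"
  else printf 'typed:%s' "$2"
  fi
}

# Constructed sample run: one enrolled token, one unrelated token, no token.
new_slot enrolled
new_slot other
store_password enrolled 'constructed-example-passphrase'
echo "enrolled token  -> $(sign_in enrolled 'typed-by-user')"
echo "different token -> $(sign_in other 'typed-by-user')"
echo "no token        -> $(sign_in '' 'typed-by-user')"
```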
The design goal of the YubiKey support is to make it as easy as possible to use Xecrets Ez, and also to encourage the use of a strong password since there will be no need to type it as long as you have the YubiKey inserted.
Using a YubiKey is optional, and you can always sign in with your password if you prefer. There is generally no need to configure anything to use a YubiKey if it's already set up for PIV smart card use. If it's not been set up before, we recommend that you change all the default security settings using the Yubico YubiKey Manager app.
You might also want to generate a Key Management certificate in the Yubico app, which will then be used by Xecrets Ez. Regardless, Xecrets Ez will configure it as needed, but it can't change default security settings.
Some notes concerning YubiKey on macOS; please read the Yubico documentation for details. Briefly, if the keyboard assistant opens, just close it. If you're asked to allow Xecrets Ez to receive keystrokes from any application, you can click "Deny" (unless you are planning to use the YubiKey for OTP sign in to sites, but this has nothing to do with Xecrets Ez). No further action is required, but we do recommend that you configure the YubiKey as described above using the Yubico YubiKey Manager app.
Some notes concerning YubiKey on Linux; please read the Yubico documentation for details. Briefly, you may need to install the pcscd package, and you may need to configure the location of the libudev.so library. As above, we recommend configuring the YubiKey with the Yubico YubiKey Manager app. On Ubuntu 22.04, the following was required:
sudo apt install pcscd
sudo ln -s /usr/lib/x86_64-linux-gnu/libudev.so.1 /usr/lib/libudev.so
You can pin Xecrets Ez for quick access.
No action is really required; macOS will place it in the recent apps section in the Dock if it's in /Applications and you will find it in the Launchpad like any other application. If you want it always in the Dock, right-click the icon in the Dock when it's running, and select "Options | Keep in Dock".
For Linux it requires a little bit of manual work to get Xecrets Ez into menus, but as a Linux user, you'll probably feel right at home. This is on Ubuntu 22.04, but it should be fairly similar in most distributions. You will have to manually create and edit a .desktop file, and place it in the ~/.local/share/applications directory. Please name the file com.axantum.XecretsEz.desktop. Copy and paste the following, changing [YourUserName] to whatever user name you are using in your system.
[Desktop Entry]
Name=Xecrets Ez
Exec=/home/[YourUserName]/XecretsEz %f
Type=Application
Categories=Utility;FileTools
On Windows, pin the program for quick access to both Start and the Taskbar. Right-click the executable where you placed it, and then select "Pin to Start" and/or "Show more options | Pin to taskbar".
Each operating system has its own desktop file manager, typically Finder for macOS, GNOME/Nautilus for Ubuntu Linux and Explorer for Windows. There are many other options, but here we describe procedures for these.
Normally you open a file by double clicking it, but how does the operating system know how to open it, i.e. what app to use?
This is called associating the file type with the app. The procedure differs between platforms, and there are many alternate ways to do this; here are some ways it can be done.
On macOS it's normally not required, but if you have other applications registered for the .axx extension such as AxCrypt, you may want to change it. To associate Xecrets Ez with .axx files, right-click an .axx file, select "Open with" then "Other...". Select either /Applications or /Users/[YourUserName]/Applications, scroll down to XecretsEz, select it, check the Always Open With checkbox and finally click Open. You can also do this from the Get Info menu on right-click.
This is for Ubuntu 22.04, but the process should be similar in most distributions. To associate Xecrets Ez with .axx files, right-click an .axx file, select "Open With Other Application", click View All Applications, scroll down to XecretsEz, select it, and click the Select button. Xecrets Ez opens the file, and will do it with a double-click in the future.
On Windows, to associate Xecrets Ez with .axx files, right-click an .axx file, select "Open with" then "Choose another app", scroll down to "Choose an app on your PC" and browse to where you moved the XecretsEz.exe executable when you installed it. Finally, click the "Always" button to make the association permanent.
There are several reasons for signing in.
The most important one is based on over 20 years of experience with encryption apps. When you sign in, the app verifies that you're really using the password that you intend to use, your master password that you set up the app with.
If we were just to ask without checking, there's always the risk of you mistyping, and then being unable to decrypt the next time you enter the correct password.
Even dual entry of the password is not foolproof, as it's easy to make the same mistake twice. Also, it's annoying to have to enter it twice every time...
Another reason is that it's a well-known metaphor and should feel comfortable to use, and it allows the app to remember the password for the duration of the session, reducing the need to retype it frequently.
If you want to send an encrypted file to someone else, you want to do so with a different password than the one you use to sign in to the app.
You do this with the "File | Encrypt Copy For..." menu option. You will be prompted for a password and which files to encrypt with this password. Once they are encrypted like this, you can send them to the recipient.