Legacy AxCrypt 1.x

History and documentation for legacy AxCrypt 1.x

The actual downloads are found on the legacy downloads page. Here is all the documentation and some history that may be useful should you be in need of this software.

All of the information on this page should be considered legacy and essentially obsolete. You should be using Xecrets Ez and/or Xecrets Cli unless you have a very specific reason to use version 1.x. Note also that AxCrypt 1.x has been renamed Xecrets File Classic 1.x due to trademark restrictions.

History

The first version of AxCrypt was released to the general public on the 19th of November 2001, as a pre-release beta.

On April 29, 2016, AxCrypt 2.x was released. This page is only about the previous version 1.x of AxCrypt.

Xecrets Ez and Xecrets Cli are based on the 2.x code, are to a large degree functionally equivalent to it, and are 100% compatible with it.

As of version 1.7 and later, a new numbering scheme is in effect. Versions are in the format Major.Minor.Build.Revision, which means that minor changes are only reflected in the build number, and the revision will typically always be zero since it is only intended to reflect a re-build of the same code base. Version numbers are still strictly increasing, so version 1.7.1948 is later than 1.7.1878. The build number will normally be strictly increasing in its own right, so when version 1.8 is released, it may have a version number such as 1.8.3567, i.e. the build number is a global version number.

Also starting with version 1.7, there are different setup packages for 32-bit and 64-bit environments, and the setup-files are named accordingly. The version number for a 32-bit release will be the same as the 64-bit release if they are built from the same set of sources. Starting with version 1.7, Windows 7 and 64-bit systems are fully supported.

It is designed to run on Windows 2003/Vista/2008/7/8/2012/10/2016/11/2019/2022. Older versions ran on Windows 95, 98, ME, NT, 2000 and XP, but since Microsoft has dropped all support for them and AxCrypt required features from Windows XP and higher, AxCrypt also dropped support for these versions during 2008. Version 1.7.2126 is the last version to support Windows 2000. Version 1.6.3 is the last version to support 98/ME/NT.

Version numbering is a strictly increasing sequence: a higher version number is always a later version.

Interim versions may use the character "b" for Beta or "c" for Candidate between the second and third digit, as in 1.5b2.2. This is thus interpreted as beta 2 of the upcoming version 1.5.3.

Advanced Use

AxCrypt 1.x may be used in more advanced scenarios, such as integration into other software, server-side scripting, use from batch files, etc.

Server Side Use

AxCrypt 1.x is often used as a server-side component, for example in web applications, and there are some things to consider. AxCrypt 1.x is essentially a user program, with some adaptation to server-side use. One of the challenges when it is run on a server as a service, or called by a service such as IIS, is unwanted interaction between interactive use and non-interactive use. AxCrypt 1.x depends on having a resident process running which does all the real work and specifically serves as the cache for encryption and decryption keys.

The design of AxCrypt 1.x does not allow several resident processes in one session, but it does support and is aware of terminal server scenarios, so these issues do not apply there. The basic problem is that whoever uses AxCrypt first, be it a service or an interactive user on the server, will cause the resident process to be loaded and run with that user's permissions and identity. A subsequent use of AxCrypt in the same session by a different user will not work.

So, the simple rule is that if you're using AxCrypt 1.x in a server called from a service, you can't also use it interactively. The easiest way to achieve this is to not install the Windows Explorer right-click integration during setup. You can also remove this component later by using the "Change" option in the Programs and Features applet.

There is a registry entry that is of use here, called ServerMode. It must be defined in the appropriate sub-key of HKEY_CURRENT_USER of the service account if it is to apply to the use of AxCrypt by the service; for a service account, HKEY_CURRENT_USER is the hive HKEY_USERS\<SID> of that account. For example, if AxCrypt is run via IIS 6 under the "NETWORK SERVICE" account, you need to change the registry under SID S-1-5-20. To have it apply to an interactive Administrator, you must do the same for that Administrator's HKEY_CURRENT_USER hive.

If you still need to use AxCrypt 1.x interactively during testing, I suggest primarily using the AxCrypt2Go program, which is found in the installation directory of AxCrypt 1.x. As an alternative, if you are careful, you can end the resident process with AxCrypt -x (see Command Line below), or use Task Manager to kill the resident AxCrypt.exe process, whenever you need a clean start.
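The following batch script is an added example, not part of the original AxCrypt 1.x documentation, showing how the two points above are checked and applied on a server: it sets ServerMode in the hive of the NETWORK SERVICE account (HKEY_USERS\S-1-5-20, as the text describes) only after confirming that hive is loaded, and it reports which user currently owns the resident process before the service goes live. The value names come from the Registry Settings section; the process name AxCrypt.exe, the use of reg.exe and tasklist.exe, and the EventLogLevel starting value are assumptions of this example. Run it from an elevated prompt.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not part of the original AxCrypt 1.x documentation.
REM Prepares a server for non-interactive use of AxCrypt 1.x by a service
REM running as NETWORK SERVICE (SID S-1-5-20, as in the text above).
REM Assumptions: reg.exe and tasklist.exe are available, the resident process
REM is named AxCrypt.exe, and the script runs from an elevated prompt.
REM The value names are the ones documented under "Registry Settings".

SET "SVC_SID=S-1-5-20"
SET "AXKEY=HKU\%SVC_SID%\Software\Axantum\AxCrypt"

REM 1. HKEY_CURRENT_USER of a service account is HKEY_USERS\<SID>. That hive
REM    is only present while the account's profile is loaded, so check first
REM    rather than silently creating values nobody will read.
reg query "HKU\%SVC_SID%" >nul 2>&1
IF ERRORLEVEL 1 (
    ECHO Hive HKU\%SVC_SID% is not loaded. Start the service once so its profile loads, then re-run.
    EXIT /B 1
)

REM 2. Non-interactive mode for that account: no dialogs, default answers,
REM    messages logged to that account's TEMP\AxCrypt.Log. EventLogLevel 1 is
REM    an arbitrary starting point for bring-up; set it back to 0 afterwards.
REM    FastModeDefault stays 0 so temporaries are still wiped.
reg add "%AXKEY%" /v ServerMode /t REG_DWORD /d 1 /f >nul || EXIT /B 1
reg add "%AXKEY%" /v FastModeDefault /t REG_DWORD /d 0 /f >nul || EXIT /B 1
reg add "%AXKEY%" /v EventLogLevel /t REG_DWORD /d 1 /f >nul || EXIT /B 1

REM 3. The resident process serves the key cache for whoever started it, and
REM    only one is allowed per session. If an interactive user already owns
REM    it, the service's calls fail, so report the owner before go-live.
REM    tasklist /V /FO LIST prints one "Label: value" line per field; the
REM    "User Name" line is the one we need (a "Session#" line is also there).
SET "OWNER="
FOR /F "tokens=1,* delims=:" %%A IN ('tasklist /V /FI "IMAGENAME eq AxCrypt.exe" /FO LIST 2^>nul') DO (
    IF "%%A"=="User Name" FOR /F "tokens=*" %%X IN ("%%B") DO SET "OWNER=%%X"
)
IF DEFINED OWNER (
    ECHO A resident AxCrypt.exe already runs as "%OWNER%".
    ECHO If that is not the service account, end it first: AxCrypt -x from that user, or Task Manager.
) ELSE (
    ECHO No resident AxCrypt.exe found; the first caller will own the key cache.
)
ENDLOCAL
EXIT /B 0
```

If the hive check fails, start the service once (or load the account's profile) and run the script again; the ServerMode value written to a hive that is not loaded would never be seen by the service.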

Command Line

This section is for system administrators, programmers and other advanced users.

AxCrypt 1.x may be called by other programs, or manually, by specifying command-line arguments. The general syntax is:

AxCrypt [-i [.ext] | p | u | x ] | [-l] | [-V n] [-v n] [-b tag] [-f] [-c] [-g] [-n filename] [-m] [-e] [-a | -k "passphrase"] [-K folder | filename] [-O path2exe] [-z | d | o | w | s | q | h | J file(s)] [-t [tag]] | file(s)

Except for -i -p -u -x, the options are interpreted sequentially and may occur multiple times if it makes sense.

The options and their meanings

Option (meaning): description

-i [.ext] (Install): Set all registry values to default. Set the extension to associate with AxCrypt; the default is .axx.

-p (Psp test): Test for the need to install psapi.dll. Only relevant on NT. If the return code is 0, there is no need. This is an installation helper function only.

-u (Uninstall): Clear all registry values.

-x (eXit): End the resident server process, if loaded.

-l (License): Start the license manager dialog.

-b tag (Batch id): Define a tag, or batch id, to be used with subsequent pass phrases. These pass phrases will only be used when the same tag is specified in future calls to AxCrypt. The batch id is a decimal non-zero positive 32-bit signed integer. Odd values are reserved for internal use. If no -b option is given, saved pass phrases are "global". All tagged pass phrases are saved until cleared with -t.

-f (Toggle Fast mode): Will modify certain operations to execute fast, rather than safe and/or secure. There is no guaranteed effect. Initially off.

-c (Toggle Copy-only flag): Causes subsequent -d and -z to retain the originals. May be combined with -f for fast copy without wiping of temporaries. Initially off.

-g (Toggle ignore-encrypted flag): If set, attempted encryption of already encrypted files will do nothing. Initially off.

-n filename (Output Name): Defines a file name to be used as output instead of the default for the next -z or -d.

-m (Toggle recurse flag): If set, causes subsequent wild card file names to search into sub-directories. Initially off.

-e (Encryption pass phrase definition): Subsequent -a or -k options on this invocation define the default encryption key instead of one of possibly many decryption keys. The -b option may be used to define pass phrases with limited context.

-a (Add pass phrase): Prompt for a pass phrase using the AxCrypt standard safe dialogues. -b and -e may be used as modifiers.

-k "pass phrase" (Cache pass phrase): Cache the given pass phrase; quotes are recommended. The pass phrase is case-sensitive. -b and -e may be used as modifiers. Note that there are restrictions on what passphrases may be used in the AxCrypt dialogs - these are not enforced here! See below for allowed characters in passphrases.

-O "Path2Exe" (Set Open Executable): Modify a subsequent -o (Open for edit) to use the specified executable instead of the automatic association by extension.

-z (encrypt): Encrypt (and if useful compress) the given file(s) with either the current default encryption key, or with one that is prompted for. The originals are wiped. -b, -c, -g, -f and -n may be used as modifiers.

-J (self-decrypt encrypt): Encrypt (and if useful compress) and copy the given file(s), with either the current default encryption key or with one that is prompted for, to a self-decrypting executable archive. -b, -g and -n may be used as modifiers. The default is to ignore files that already are self-decrypting.

-K folder | filename (make Key-file): Generate and store a Key-file in the given folder, or directly to the given full path-name.

-d (Decrypt): Decompress and decrypt the given file(s) with either a cached key, or with one that is prompted for. -b, -c, -f and -n may be used as modifiers.

-o (Open): Open the given file(s) with the appropriate application after temporary decryption and decompression. If they are modified after the application exits, they are re-encrypted with the same pass phrase. -b may be used as a modifier.

-v n (override wipe passes): Sets an override of the number of passes for wipe for the remainder of the command line. See -V for more info.

-V n (wipe passes): Sets the global persistent default number of wipe passes when overwriting, 1-7. Default if not set is 1. The full set of 7 passes will overwrite in the following sequence: random, ones, zeroes, random, zeroes, ones, random. If fewer are specified only the last n passes are performed. Thus, -V 3 corresponds to the DoD 5220.22-M standard for sanitizing data on fixed hard disks. Note that overwriting in place only helps where the overwrite actually reaches the sectors that held the data; on SSDs and other flash media with wear levelling, and for files that the file system stores compressed or encrypted (see NoUnsafeWipeWarn under Registry Settings), it does not reliably destroy the data.

-w (Wipe): Wipe the given files and delete them. Show a confirmation warning first.

-s (wipe Silent): Wipe the given files and delete them, but do not ask for confirmation.

-q (Query pass phrase cache): Return exit code 0 if all files given have pass phrases in the cache already. -b may be used as a modifier.

-h (Anonymous rename): Renames the given file(s) to anonymous names. The original names will be restored on decryption.

-t (Clear pass phrase cache): Clear the internal pass phrase cache. If -b is given, only pass phrases associated with that tag are affected, otherwise all are removed, tagged and un-tagged alike.

If no options are given but just file(s), they are opened as with -o. Otherwise the most recent -z, -d, -J, -o, -w, -s or -h determines the operation performed on the file.

The first time AxCrypt is started, a server process is initiated which will run until terminated. It is within this process that the pass phrase cache is kept. Note that the cache lives in the memory of a process running with the identity of whoever started it (see Server Side Use above), so clear it with -t, or end the process with -x, when it is no longer needed.

All operations are "waitable", and will return a non-zero exit code on error.

The "flag" options must be specified before the operations they are intended to modify; parameters are parsed and executed sequentially as they appear on the command line. Only operating system restrictions on command line length limit the number of operations on a single line. If any operation returns an error, the rest of the command line is ignored, and that error is returned as the exit code.

Standard wild cards are accepted for all file specifications, except for Open. If the recursion flag is enabled, sub-directories will be searched too.

If you need to do several operations, and keep them together, without affecting the "global" pass phrase cache, use the -b option with an arbitrary tag as described above. Deriving one from the time of day may be appropriate, for example; remember that odd values are reserved, so use an even tag. The -b option is valid over multiple calls to the server process, as long as it is not restarted.
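The batch script below is an added example, not taken from the original documentation, that puts the rules of this section together for unattended use: it picks an even batch id so the passphrase stays out of the global cache, checks the exit code after every call, uses -q to confirm the tag still covers the file, verifies the round trip before shredding the plaintext, and clears the tag in a separate call because an error aborts the rest of a command line. It assumes AxCrypt 1.x installed at the path used in the Examples section, a passphrase supplied by the caller in the environment variable AX_PASSPHRASE (containing no " or % characters), and a file secrets.txt in the current directory; the output file names are arbitrary choices of this example. Test it on non-vital data.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not from the original AxCrypt 1.x documentation. It
REM encrypts one file non-interactively under a tagged (batch-id) passphrase,
REM verifies the round trip before the plaintext is shredded, and always
REM clears that tag from the resident process afterwards.
REM Assumptions: AxCrypt 1.x at the path below, the passphrase supplied by the
REM caller in the environment variable AX_PASSPHRASE (no " or % characters),
REM and secrets.txt present in the current directory. Test on non-vital data.

SET "AXCRYPT=%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt"
SET "INFILE=secrets.txt"
SET "OUTFILE=secrets.txt.axx"
SET "CHECKFILE=secrets.roundtrip.txt"
SET "RC=0"

IF NOT DEFINED AX_PASSPHRASE (
    ECHO AX_PASSPHRASE is not set.
    EXIT /B 2
)

REM Batch id: non-zero, positive, 32-bit signed, and EVEN since odd values are
REM reserved. A random even tag keeps this run's passphrase out of the
REM "global" cache and apart from other runs against the same resident process.
SET /A BATCHID=%RANDOM% * 2 + 2

REM -e makes the following -k the default ENCRYPTION key for this tag only.
REM -c keeps the original so the round trip can be checked, -n fixes the output
REM name (the default would be secrets-txt.axx). Note that -k puts the
REM passphrase on the command line, where other local processes can see it.
"%AXCRYPT%" -b %BATCHID% -e -k "%AX_PASSPHRASE%" -c -n "%OUTFILE%" -z "%INFILE%"
SET "RC=%ERRORLEVEL%"
IF %RC% NEQ 0 (
    ECHO Encryption failed, exit code %RC%.
    GOTO :cleanup
)

REM An -e key is the encryption default, not a decryption key (the page's own
REM example decrypts with a prompt right after -e -k). Add the same passphrase
REM without -e so -d can use it, then let -q confirm the tag covers the file.
"%AXCRYPT%" -b %BATCHID% -k "%AX_PASSPHRASE%"
"%AXCRYPT%" -b %BATCHID% -q "%OUTFILE%"
SET "RC=%ERRORLEVEL%"
IF %RC% NEQ 0 (
    ECHO No cached passphrase for %OUTFILE% under tag %BATCHID%, exit code %RC%.
    GOTO :cleanup
)

REM Decrypt to a separate name (-c keeps the .axx) and compare byte for byte.
"%AXCRYPT%" -b %BATCHID% -c -n "%CHECKFILE%" -d "%OUTFILE%"
SET "RC=%ERRORLEVEL%"
IF %RC% NEQ 0 (
    ECHO Decryption failed, exit code %RC%.
    GOTO :cleanup
)
FC /B "%INFILE%" "%CHECKFILE%" >nul
IF ERRORLEVEL 1 (
    ECHO Round trip mismatch; keeping all files for inspection.
    SET "RC=3"
    GOTO :cleanup
)

REM Only now shred the plaintext (-s: wipe without confirmation), both the
REM original and the round-trip copy.
"%AXCRYPT%" -s "%INFILE%" "%CHECKFILE%"
SET "RC=%ERRORLEVEL%"

:cleanup
REM Always drop this tag's passphrases from the resident process. This is a
REM separate call on purpose: an error earlier on the same command line would
REM have skipped a trailing -t and left the passphrase cached.
"%AXCRYPT%" -b %BATCHID% -t
ENDLOCAL & EXIT /B %RC%
```

The script exits with the AxCrypt exit code of the first failing step (or 3 for a round-trip mismatch), so a calling scheduler or web application can tell the outcome without parsing output. When run from a service account, the ServerMode setting described under Server Side Use must be in place, otherwise any unexpected prompt will block waiting for a dialog nobody can see.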

Allowed passphrase characters

To minimize the risk of a user entering a passphrase on one system, where it gets difficult to generate the same characters on another system with a different keyboard, certain characters from the ANSI set have been excluded. Also note that currently the passphrase dialog as such does not allow Unicode characters. The following are the legal characters:

<space>
!"#$%&'()*+,-./0123456789:;<=>?@
ABCDEFGHIJKLMNOPQRSTUVWXYZ [\] _abcdefghijklmnopqrstuvwxyz {|}
€ŠŒŽšœžŸ¡ ¢£¤¥§±¼½¾¿ ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏ ÐÑÒÓÔÕÖØÙÚÛÜÝ Þßàáâãäåæçèéêëìíîïð ñòóôõöøùúûüýþÿ

The full key is derived from the passphrase concatenated with the key-file (if any). From this it follows, that you can always create a key-file that contains all the necessary characters that make up a passphrase. In the key-file, there are no restrictions on the contents - it is interpreted as a binary sequence of bytes. If you use this for passphrase data, you must be aware of character encoding issues - a key-file stored in Unicode UTF-16 encoding will probably not work as expected...

Examples

As the command line is made for programmatic access, the usage is not really intuitive so here follows some examples which can be executed as a sequence, which assume that AxCrypt is installed in a typical standard location and that the current directory contains a file named secrets.txt (test this with non-vital data please):

@ECHO ON
REM Encrypt secrets.txt with the given passphrase, caching it only under batch id 2, not globally
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -e -k "A Secret Phrase" -z secrets.txt

REM Decrypt secrets.txt, but prompt for the passphrase
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -d secrets-txt.axx

REM Clear the passphrase cache of the default phrase (and all other cached phrases) for batch id "2"
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -t

REM Load the passphrase cache with a default encryption phrase using the standard dialog
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -e -a

REM Encrypt secrets.txt with the default encryption phrase just entered
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -z secrets.txt

REM Decrypt secrets-txt.axx
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -d secrets-txt.axx

REM Clear the passphrase cache of the default phrase (and all other cached phrases)
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -t

REM Encrypt to a self-decrypting copy of the original and clear the cache
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -e -k "A Secret Phrase" -J secrets.txt

REM Encrypt and copy to a regular encrypted file, but keep the passphrase in the global cache
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -e -k "Another Secret" -c -z secrets.txt

REM Shred the original with an interactive warning
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -w secrets.txt

REM Shred the self-decrypting file with no interactive warning
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -s secrets-txt.exe

REM Open the file file with notepad or whatever is used for .txt-files
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" secrets-txt.axx

REM Decrypt back to secrets.txt, using the cached phrase
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -d secrets-txt.axx

REM Clear the passphrase cache again
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -t

REM Encrypt all .txt files in the current and sub-directories, in fast mode (originals are just deleted, not wiped, which is faster)
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -e -k "A Third phrase" -m -f -z *.txt

REM Rename all just encrypted files to anonymous names
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -m -h *.axx

REM Decrypt them all again, and clear the cache (batch id 2)
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -b 2 -m -f -d *.axx -t

REM Request that the resident process ends itself, and exits
"%ProgramFiles%\Axon Data\AxCrypt\1.6.1\AxCrypt" -x

Please note that for the passphrase cache to work as implied above, you need to check the appropriate options for keeping the passphrase in the cache when the interactive dialog is displayed. Also please note that you may need to use Alt-Tab to find the passphrase dialog when this is run from a command line window due to Windows design constraints.

Registry Settings

AxCrypt 1.x keeps some persistent data and chosen options in the registry. Most of these are managed automatically, and should not be modified manually.

Some values under HKEY_CURRENT_USER\Software\Axantum\AxCrypt\ are:

AllowAnyExtension is a DWORD that when non-zero causes AxCrypt to allow any extension of files to be decrypted. The default is to assume that if this happens it's because of a faulty association, and thus give a message to this effect.

BruteForceCheck is a REG_SZ that maintains the most recent check-point in a custom brute force key-recovery search. See the code for details. This is not for ordinary mortals. Please don't waste bandwidth hollering 'back-door' without understanding what this is about. It's not. For questions, please contact me directly.

CompressThreshold is a DWORD that indicates the minimum estimated compression level needed for AxCrypt to compress before encryption. To disable compression, set the value to 101. To enable compression in all cases, set it to 0. The default is 20, indicating that an estimated saving of at least 20% is required for compression to be performed.

DefaultLanguageId is a DWORD that, when non-zero, indicates which language AxCrypt will attempt to use. The id is expressed as a Locale ID, or LCID. The default is the current system locale.

DisableRenameMenu is a DWORD when non-zero causes the anonymous rename menu to disappear from the right-click context menu. The default is 0.

EventLogLevel is normally zero DWORD, causing nothing to be logged, unless server mode is enabled. You may increase this to positive values to get increasing levels of detailed log-entries in %TEMP%\AxCrypt.Log. This is primarily for testing and debugging purposes.

EntropyPool is 128 byte BINARY used to persistently save the state of half of the entropy pool.

FastModeDefault is a DWORD that when non-zero indicates that "Fast Mode" is default if not specified on the command line. Fast mode skips wiping of temporaries, and is typically used when AxCrypt is run in a controlled server environment. The default is 0.

KeepTimeStamp is a DWORD that when non-zero will ensure that the encrypted file always has the same time-stamp as the plain-text file. When zero (default), the time stamp will reflect the time of last encryption - not the time of last modification of the plain-text. The default is 0.

KeyWrapIterations is a DWORD that specifies the number of rounds performed in the key-wrapping operation, where the actual master data encrypting key is wrapped with the SHA-1 hash of the pass phrase. The minimum value is 6, no maximum, except it may take a long time... The default is 6.

Licensee is a REG_SZ containing the name or identifying string for the licensed user. This setting overrides an entry in HKLM.

NoDecryptMode is a DWORD that when non-zero indicates that the option to decrypt is disabled. The default is 0.

NoShowKeyFileInfo is a DWORD that when non-zero indicates that AxCrypt should not show the warning when a key file is being created. This is maintained by AxCrypt by a "don't show again" checkbox in the dialog. The default is 0.

NoShowKeyFileNotRemovable is a DWORD that when non-zero indicates that AxCrypt should not show the warning about key files stored on removable media. This is maintained by AxCrypt by a "don't show again" checkbox in the dialog. The default is 0.

NoShowKeyFileUseInfo is a DWORD that when non-zero indicates that AxCrypt should not show the warning about key files stored on removable media. This is maintained by AxCrypt by a "don't show again" checkbox in the dialog. The default is 0.

NoShowKeyFileNotEncrypt is a DWORD that when non-zero indicates that AxCrypt should not show the warning about a key file possibly being encrypted, an operation that usually will cause data loss. This is maintained by AxCrypt by a "don't show again" checkbox in the dialog. The default is 0.

NoUnsafeWipeWarn is a DWORD that when non-zero disables the warning about not being able to securely wipe certain types of files, notably compressed and EFS encrypted. This is modified by the checkbox in the warning dialog. The default is 0.

SaveDecKey is a DWORD that when non-zero causes decryption pass phrases to be cached in memory. This is modified by the checkbox in the enter pass phrase dialog.

SaveEncKey is a DWORD that when non-zero causes an encryption pass phrase to be cached in memory and be used as default encryption pass phrase. This is modified by the checkbox in the enter pass phrase dialog for encryption.

ServerErrorShellCmd is a REG_SZ containing the prototype of a shell command. The %1 parameter of the command will be substituted with the file name of an encrypted file and executed, if AxCrypt is running in server mode and a passphrase prompt would have been shown if not for server mode. This can be used, for example, to fetch the passphrase from somewhere, load it into AxCrypt and then retry. The default is an empty string, which disables the feature. Since this is a command executed with a file name substituted into it, quote the %1 in the prototype, and keep in mind that whoever can write this value in the user's hive decides what gets run.

ServerMode is a DWORD entry, that when non-zero causes AxCrypt to enter a non-interactive server mode. In this mode, no message boxes or dialogues will be displayed. The messages will be logged to %TEMP%\AxCrypt.Log, and they will be given default responses. The shell extension, i.e. the right click menu in Windows Explorer with AxCrypt options will be disabled as well. Note that this is per user, so if a service is running AxCrypt, the user it considers to be the current user must have this entry set. The default is 0.

Signature is a REG_SZ containing the base 34 string representing the digital signature that verifies the licensee. This setting overrides an entry in HKLM.

ShowActivationMenu is a DWORD. When non-zero, determines that the Program Activation menu should be shown. When zero, it will not be. The default is 0.

SystemFolderWarn is a DWORD. When non-zero, determines that a warning will be displayed when an attempt is made to encrypt what AxCrypt believes to be a system folder. This is maintained by AxCrypt by a "don't show again" checkbox in the dialog. The default is 1.

TryBrokenFile is a DWORD that when non-zero makes AxCrypt give the user the option to try decrypting a file, even if it appears broken. Use only for data-recovery, and at your own risk, and always on a copy of the file in question. The default is 0.

WipePasses is a DWORD between 0 and 7 indicating how many wipe passes should be used. The sequence is random, 0xff, 0x00, random, 0x00, 0xff, random, with the early steps being skipped if less than 7 passes are requested. The default is 1. Zero is interpreted as default.


Some values under HKEY_LOCAL_MACHINE\Software\Axantum\AxCrypt\ are:

DefaultLanguageId is a DWORD that, when non-zero, indicates which language AxCrypt will attempt to use. The id is expressed as a Locale ID, or LCID.

DisableSaveDecryptionKey is a DWORD which when non-zero will mean that there is no user interface checkbox allowing caching of any passphrases for decryption. This setting may not be overridden by a HKCU setting.

DisableSaveEncryptionKey is a DWORD which when non-zero will mean that there is no user interface checkbox allowing caching of a passphrase as default for encryption. This setting may not be overridden by a HKCU setting.

KeyWrapIterations is a DWORD that specifies the number of rounds performed in the key-wrapping operation, where the actual master data encrypting key is wrapped with the SHA-1 hash of the pass phrase. The minimum value is 6, no maximum, except it may take a long time...

Licensee is a REG_SZ containing the name or identifying string for the licensed user. This setting may be overridden by an entry in HKCU.

SelfExtractorName is a REG_SZ that contains the name of the executable base file used for self decrypting archives. This should be a file name without a path, it must reside in the same directory as the program.

ShowActivationMenu is a DWORD. When non-zero, determines that the Program Activation menu should be shown. When zero, it will not be.

Signature is a REG_SZ containing the base 34 string representing the digital signature that verifies the licensee. This setting may be overridden by an entry in HKCU.
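Because the two hives interact (the HKLM Disable* policies cannot be overridden per user, while Licensee and Signature can), it is easy to misjudge what a given user actually gets. The batch script below is an added example, not part of the original documentation, that reads the policy-relevant values from both keys and reports the effective result for the current user, falling back to the defaults quoted above when a value is absent. It assumes reg.exe and the documented key paths; for a 32-bit AxCrypt on 64-bit Windows the HKLM key lives in the 32-bit registry view, so append /reg:32 to the reg query line in the subroutine.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not part of the original AxCrypt 1.x documentation. It
REM reads the policy-relevant values from the HKLM and HKCU keys documented
REM above and reports the effective result for the current user, using the
REM defaults quoted in the text when a value is absent. reg.exe is assumed.
REM For a 32-bit AxCrypt on 64-bit Windows the HKLM key is in the 32-bit
REM registry view: append /reg:32 to the reg query line in :getdword.

SET "HKLM_AX=HKLM\Software\Axantum\AxCrypt"
SET "HKCU_AX=HKCU\Software\Axantum\AxCrypt"

CALL :getdword "%HKLM_AX%" DisableSaveDecryptionKey LM_NODEC 0
CALL :getdword "%HKLM_AX%" DisableSaveEncryptionKey LM_NOENC 0
CALL :getdword "%HKCU_AX%" SaveDecKey CU_SAVEDEC 0
CALL :getdword "%HKCU_AX%" SaveEncKey CU_SAVEENC 0
CALL :getdword "%HKLM_AX%" KeyWrapIterations LM_KWI 6
CALL :getdword "%HKCU_AX%" KeyWrapIterations CU_KWI 0
CALL :getdword "%HKCU_AX%" ServerMode CU_SERVER 0
CALL :getdword "%HKCU_AX%" FastModeDefault CU_FAST 0
CALL :getdword "%HKCU_AX%" WipePasses CU_WIPE 0

REM The HKLM Disable* policies cannot be overridden per user, so they win
REM over the HKCU checkbox state.
IF %LM_NODEC% NEQ 0 (
    ECHO Decryption passphrase caching : blocked by HKLM DisableSaveDecryptionKey
) ELSE IF %CU_SAVEDEC% NEQ 0 (
    ECHO Decryption passphrase caching : ON for this user via HKCU SaveDecKey
) ELSE (
    ECHO Decryption passphrase caching : off for this user
)
IF %LM_NOENC% NEQ 0 (
    ECHO Default encryption passphrase : blocked by HKLM DisableSaveEncryptionKey
) ELSE IF %CU_SAVEENC% NEQ 0 (
    ECHO Default encryption passphrase : cached for this user via HKCU SaveEncKey
) ELSE (
    ECHO Default encryption passphrase : not cached for this user
)

REM KeyWrapIterations exists in both hives and the text does not say which
REM wins, so show both. Anything below the documented minimum of 6 is suspect.
ECHO KeyWrapIterations             : HKLM=%LM_KWI% HKCU=%CU_KWI% [0 = not set]
IF %LM_KWI% LSS 6 ECHO   WARNING: HKLM KeyWrapIterations below the minimum of 6
IF %CU_KWI% NEQ 0 IF %CU_KWI% LSS 6 ECHO   WARNING: HKCU KeyWrapIterations below the minimum of 6

REM WipePasses 0 means the default of 1; FastModeDefault skips wiping entirely.
IF %CU_WIPE% EQU 0 SET "CU_WIPE=1 [default]"
ECHO Wipe passes                   : %CU_WIPE%
IF %CU_FAST% NEQ 0 ECHO   NOTE: FastModeDefault=1, temporaries are not wiped
IF %CU_SERVER% NEQ 0 ECHO ServerMode                    : ON, dialogs suppressed, see TEMP\AxCrypt.Log
ENDLOCAL
EXIT /B 0

:getdword
REM Arguments: key, value name, variable to set, default if the value is absent.
REM reg query prints "    Name    REG_DWORD    0x1"; token 3 is the hex value
REM and SET /A turns it into a decimal number.
SET "%~3=%~4"
FOR /F "tokens=3" %%V IN ('reg query "%~1" /v "%~2" 2^>nul ^| find /I "%~2"') DO SET "%~3=%%V"
SET /A "%~3=%~3"
GOTO :EOF
```

Run it as the user whose effective settings you want to see; for a service account, run it under that account or query HKEY_USERS\<SID> in place of HKCU, as described under Server Side Use.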

Donate

Original AxCrypt 1.x is free for all to use in just about any way you want to, according to the General Public License, but it was not free to develop and distribute.

Donations are always appreciated, but they are neither required nor even expected. There is no obligation whatsoever to donate or in any other way pay for using AxCrypt 1.x.

If you still would like to contribute you are of course welcome to do so.

You can use PayPal in the US and globally. You can also use a credit card via PayPal, without opening an account.

Donate whatever amount you feel is appropriate.

License

AxCrypt 1.x is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

AxCrypt 1.x is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with AxCrypt 1.x; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
