Picocrypt May 2026

Picocrypt delegates all low‑level cryptographic operations to well‑audited libraries: crypto/xchacha20poly1305 (in the Go version) or libsodium (in the C++ version). The core construction is:

Encryption:
   salt = random(16 bytes)
   key = Argon2id(password, salt, time=4, memory=64 MiB, threads=4, key_len=32)
   nonce = random(24 bytes)
   ciphertext = XChaCha20-Poly1305_encrypt(plaintext, nonce, key, additional_data=header)
   output = salt + nonce + ciphertext

Decryption:
   salt, nonce, ciphertext = split(input)
   key = Argon2id(password, salt, ...)
   plaintext = XChaCha20-Poly1305_decrypt(ciphertext, nonce, key, additional_data)
   (Integrity fails if authentication tag mismatch)

Key choices justified:

Picocrypt also supports multi‑factor keyfiles (any file), two‑step keyfiles, and Reed–Solomon parity files for error correction (e.g., for archival on damaged media).

Picocrypt stores necessary metadata (salt, nonce, Argon2 parameters) in a header preceding the encrypted data. This allows the tool to be self-contained; the user does not need to remember specific algorithm settings—only the password.
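
The split(input) step for the simplified salt + nonce + ciphertext layout shown above, as an added example in Go (standard library only); it is not Picocrypt's own code and does not reproduce Picocrypt's real header format. The names Container, Split, PlaintextLen and ErrTruncated are hypothetical, and the 16-byte Poly1305 tag at the end of the ciphertext is assumed from the AEAD.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Sizes from the construction above. TagLen is the Poly1305 tag the AEAD
// appends to the ciphertext (assumed layout, not Picocrypt's real header).
const (
	SaltLen  = 16
	NonceLen = 24
	TagLen   = 16
	MinLen   = SaltLen + NonceLen + TagLen
)

var ErrTruncated = errors.New("input shorter than salt + nonce + tag")

// Container holds the fields of output = salt + nonce + ciphertext.
type Container struct {
	Salt, Nonce []byte
	Ciphertext  []byte // encrypted bytes followed by the 16-byte tag
}

// Split implements split(input). The length check runs first so a truncated
// file is rejected cheaply, before any Argon2id work is spent on its salt.
func Split(input []byte) (*Container, error) {
	if len(input) < MinLen {
		return nil, ErrTruncated
	}
	return &Container{ // copies, so the fields never alias the input buffer
		Salt:       append([]byte(nil), input[:SaltLen]...),
		Nonce:      append([]byte(nil), input[SaltLen:SaltLen+NonceLen]...),
		Ciphertext: append([]byte(nil), input[SaltLen+NonceLen:]...),
	}, nil
}

// PlaintextLen is the size the AEAD returns if authentication succeeds.
func (c *Container) PlaintextLen() int { return len(c.Ciphertext) - TagLen }

func main() {
	// Constructed sample: recognizable filler bytes, not real ciphertext.
	in := append(bytes.Repeat([]byte{1}, SaltLen), bytes.Repeat([]byte{2}, NonceLen)...)
	in = append(in, bytes.Repeat([]byte{3}, 20)...)
	c, err := Split(in)
	fmt.Println(c.PlaintextLen(), err)
	_, err = Split(in[:MinLen-1])
	fmt.Println(err)
}
```

Passing Split only shows the input is long enough to hold all three fields; integrity is still decided by the authentication tag check during decryption.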

You need to back up server configs to the cloud (AWS S3 or Backblaze B2). You don't want to trust the cloud provider's internal encryption keys. You pipe your backup script through Picocrypt. The resulting .pcv file is safe on any server.