Hands-on: miniLock's powerful file encryption is dead simple to use

A new Chrome app called miniLock is making it easy to encrypt and share single files with others.

The creator of Cryptocat, Nadim Kobeissi, is back with another easy-to-use encryption tool. This time it's a Chrome app that aims to make it easy to create and share single encrypted files with others. Called miniLock, the app is freely available on the Chrome Web Store.

Similar to other encryption tools, miniLock relies on public key cryptography. Under this scheme you have to share your public key with others so they can encrypt files meant for you and only you. But unlike many encryption tools--which are often difficult to use--miniLock is very easy to understand and takes away a lot of the pain typically associated with encryption tools.

The public key itself, dubbed your miniLock ID, is relatively short at around 45 characters. That's short enough to easily fit in a tweet, as the miniLock site says. But it's still too long to easily remember, so you'll have to write it down or save it in a password manager like LastPass or KeePass.

For encryption, miniLock uses Curve25519 elliptic curve cryptography, which is the same cryptography used in Kobeissi's Cryptocat. The problem with encryption tools, however, often isn't the strength of their encryption but how well it's implemented.

On the miniLock site you can find a recent miniLock security audit by penetration testing firm Cure53. The report gives miniLock a clean bill of health, stating that "MiniLock is a one-purpose app offering this one particular feature [encryption] and appears to be doing that as well as possible... The code is soundly and neatly written, well structured, minimal and therefore offers no sinks for direct exploitation."

That's just one report, however, and others will no doubt sink their teeth into miniLock and try to find exploits. Judging the quality of the cryptography is beyond the scope of this article. But as it's a new app, miniLock may not yet be the best choice for anyone encrypting documents in a high-stakes environment (political oppression, corporate secrecy). That said, it's definitely worth keeping tabs on to see what the security community has to say about miniLock in the future.

For anyone who wants to dive in right away, here's a quick hands-on with miniLock on a Windows 8.1 PC.

Generating your ID

To get started, visit the Chrome Web Store and install miniLock as you would any other Chrome app. Once it's installed you can either launch it right from the Chrome Web Store or the Chrome App Launcher in your taskbar, if you've installed that.

When it starts up, miniLock will ask you to sign in with your email address and a passphrase. These two pieces will be used to generate your miniLock ID, which should take only a second or two.

In my tests, miniLock was fairly picky about passphrases. I tried using a 10-character randomly generated passphrase with capital and lowercase letters, numbers, and special characters. That's a fairly solid password if you ask me--but for miniLock it wasn't strong enough.

Instead, the app suggested I use one of its auto-generated passphrases, which was a series of random dictionary words. To make things easier, I used one of the series generated by miniLock, but you could also write your own. Just make sure it's memorable and unique enough that you won't forget it. Otherwise, storing it in a password manager will be important. As with other encryption tools, if you lose that passphrase, you won't be able to unlock any files sent to you with that miniLock ID.

Once you've got your miniLock ID, share it far and wide. That's mine in the picture up at the top of this section.


Now that you've got your own ID set up, let's encrypt a file to see how it works. This should go without saying, but make sure you back up the test file in unencrypted form just in case something goes wrong.

To choose a file, either tap the file drop area in the miniLock window or drag a file from File Explorer and drop it in the miniLock window. Once it gets a file to encrypt, you'll see the miniLock window flip around and reveal space for entering up to four miniLock IDs.

By default, your miniLock ID will be at the top, as you are the person encrypting the file.

Below that, you have the option to add another three people to encrypt the file for--assuming you have their miniLock IDs. If you want to send this file to one person and don't want to have access to it yourself, just press the "X" to the far right of your miniLock ID to remove your key.

You also have an option underneath the file name for miniLock to create a random file name if you wanted to be really secretive about what you're sending.

Once the IDs for every recipient are ready to go, tap the arrow at the bottom of the window to encrypt. Depending on the size of the file, it could take a few seconds or a few minutes to finish.

After it's done, the app will say "Your encrypted file is ready" in small letters below the file name. Next, click on the file name to save the file to your PC via Chrome's downloads manager.

Now that you've got an encrypted file, you can send it to the intended recipients any way you like: email, instant messaging, USB key, Facebook...the choices are endless.


Decrypting a file is even easier than encrypting one. Just receive your miniLock-encrypted file via email (or whatever), download it somewhere to your PC, and drop it into the miniLock window. As long as you are signed in to miniLock and the file is encrypted with your miniLock ID, the file will be automatically decrypted. Then you can save it to your PC the same way you did with the encrypted file.

That's about all there is to miniLock. The only drawback that some people might find is that you have to sign in every time you open the app. MiniLock does not save your login across user sessions.

That was likely a conscious choice to protect user privacy so that an attacker with physical access to your machine couldn't view your decrypted files. Nevertheless, constant logins may be a drawback for some.

Overall, miniLock is incredibly easy to use and the workflow should really be a template for how to make encryption tools for the average user. As for the quality of the encryption itself, we'll offer no judgment on that here--but I'm certain others will address that topic soon.


Stories by Ian Paul
