EncryptEngine logo

EncryptEngine

User Guide

EncryptEngine protects your files, folders, and text with modern, authenticated encryption. It's built around what you want to do — "lock this file", "send this to someone", "open what someone sent me" — rather than cryptographic jargon. Everyday tasks are front-and-centre; power features live one toggle away under Advanced mode.

  • Platform: Windows 10/11 desktop app.
  • Your data lives in: %AppData%\EncryptEngine — identity keys, contacts, and settings.
  • Encrypted files use the .eenc extension and are self-describing (the app can tell how each was protected).
Read Backup, recovery & portability before you rely on "My key" encryption — some choices produce files that can only be opened on this PC.

1. First run & your identity

The first time the app needs it, EncryptEngine creates a personal identity — an RSA-3072 key pair — automatically. You don't have to do anything.

  • Your public key is shareable: give it to people so they can encrypt files for you.
  • Your private key stays on this machine, sealed with Windows DPAPI and tied to your Windows user account. It never leaves the app unsealed.

Your identity is random — it is not derived from your Windows password or account, so it stays the same across logins as long as its file survives. The on-disk copy is sealed to your Windows account so it can't be read off the disk, but you can back it up with a passphrase to move it to another PC or recover it after a reinstall (see §7). You can also keep more than one identity (e.g. Work and Personal) — see §5.

2. Encrypting (the Encrypt tab)

Choose what to encrypt, then how to protect it.

What to encrypt

  • File — pick or drag-and-drop a single file. Choose where to save the .eenc output.
  • Folder — pick or drag a folder. It's compressed into a single archive and then encrypted into one .eenc file.
  • Text — type or paste text; the result is a copy-pasteable -----BEGIN ENCRYPTENGINE MESSAGE----- block.

Optional: "Delete the original after encrypting" securely overwrites and removes the source file/folder once the .eenc is written.

How to protect it

See §6 for the full comparison. In short:

  • Password — anyone with the password can open it.
  • My key — only you (on this PC) can open it.
  • A person — pick a saved contact; only they can open it.
  • Session key (Advanced) — a 256-bit key you paste in.

Running it

Click Encrypt. A progress bar shows activity for every operation (a moving bar for text/folder phases; a filling bar for file byte-progress). Large operations can be Cancelled.

After a run, the Encrypt button stays disabled to prevent accidental re-encryption. Click Reset to clear the form and start a new operation.

3. Decrypting (the Decrypt tab)

  • File — pick or drag a .eenc file. The app auto-detects how it was protected and shows a banner ("Protected with a password", "Encrypted for a person — your private key will be used", etc.). Provide the password or key if needed and choose an output location (or a folder to extract into, for encrypted folders).
  • Message — paste an encrypted message block; the decrypted text appears below and can be copied.

Click Decrypt. As with encryption, a progress bar shows, the operation can be cancelled, and the Decrypt button locks until you click Reset.

If you have several identities, decryption automatically picks the right one for a "Person"-encrypted item (by the key it was encrypted for) — you don't choose. If that identity isn't on this PC, you'll get a clear message.

Items protected with a raw session key require Advanced mode to be turned on before they can be opened.

Opening older (1.x) files (Windows)

The Decrypt screen also opens files and messages made by the original EncryptEngine 1.x. It recognizes them automatically and shows a "Legacy (v1)" banner:

  • Password items (.encv0 files, or text starting SALT:) — enter the original password.
  • Items encrypted to your old key — opened automatically using your detected legacy identity (see §5); no password needed.
Legacy items predate authenticated encryption, so the app can't verify they haven't been altered — it decrypts them as-is.

4. Contacts

Contacts are the public keys of people you trust, so you can encrypt files for them.

Adding contacts

  • Import an identity card (.vcf) — the easiest way; import a card someone shared with you.
  • Add manually — enter a name, optional email, and paste their public key (-----BEGIN PUBLIC KEY-----), or Import key from file (.pem).

Bulk export & import

On the All contacts tab:

  • Export all… writes every contact into one .vcf file — a portable backup or a way to move your whole address book to another machine.
  • Import contacts… reads many contacts at once from a .vcf file or a contacts.json backup. Duplicates (same key fingerprint) are updated rather than doubled, and unreadable entries are skipped.

Each contact shows an avatar, name/email, and a short fingerprint (a stable ID derived from their public key) you can copy to verify out-of-band.

5. My Identity

  • View your fingerprint and public key.
  • Set your name and email (shared on your identity card).
  • Copy public key / Save public key (.pem) — share your key so others can encrypt for you.
  • Export my identity (.vcf) — a single card with your name, email, and public key; the friendliest thing to hand to a contact.
Exporting your identity (.vcf) shares only your public key. Your private key is never included. To move the private key, use Back up identity below.

Back up & restore your identity

Because "My key" (and files others send to you) can only be opened with your private key, protect it:

  • Back up identity… — writes a .eeid file containing your identity, encrypted with a passphrase you choose (independent of Windows). Keep the file and its passphrase safe and separate — together they can restore, and impersonate, your identity.
  • Restore identity… — imports a .eeid with its passphrase and makes it your active identity. If that exact identity is already present, the restore is cancelled (nothing changes).

This is what makes key-based encryption survivable across a reinstall or a new PC.

Multiple identities (Advanced mode)

Turn on Advanced mode (Settings) to see Your identities — keep separate keys, e.g. Work and Personal:

  • New identity… creates a fresh key and makes it active.
  • Use switches which identity is active (the active one is used for "My key" and shown at the top). Editing the name/email retargets the active identity.
  • Delete removes an identity after a warning — anything encrypted to it becomes unopenable, so back it up first. You can't delete your only identity.

The active identity is used for new "My key" encryption; decryption still opens older items against whichever of your identities they were encrypted for.

Legacy identity (v1) (Windows)

If you upgraded from the original 1.x app, its key is detected and shown as a read-only "Legacy identity (v1)" row. You can't rename, switch to, or delete it, but it's used automatically to open items you encrypted to your old key (see §3).

6. Protection modes explained

ModeHow it worksWho can open itNeeds
PasswordKey derived from your password (PBKDF2-SHA256)Anyone with the passwordThe password
My keyHybrid encryption to your own public keyOnly youYour private key (this PC)
A personHybrid encryption to a contact's public keyOnly that personTheir private key (their PC)
Session key (Advanced)A raw 256-bit key you supplyAnyone with the keyThe base64 key

All modes use authenticated encryption (AES-256-GCM or ChaCha20-Poly1305), so tampering is detected on decrypt.

Portability — will the file open on another PC?

Encryption modePortable to another PC?
My key❌ Only this Windows user + PC (needs the sealed private key)
Person (someone else's key)✅ …but only they can open it, on their PC
Password✅ Fully portable — the password opens it anywhere
Session key✅ Fully portable — the key opens it anywhere

Why "My key" is PC-locked: decrypting it requires your private key, which is sealed to your Windows account. The .eenc file copies anywhere, but without the private key nothing can open it — and a new PC/reinstall makes a different identity. Unless you first back up your identity (§7) and restore it on the other machine — then "My key" works there too.

Rule of thumb
  • Open it yourself elsewhere, or share broadly → Password (nothing to move).
  • Sending to one specific person → A person (their contact).
  • Only you ever open it → My key — and back up your identity so you keep access after a reinstall or on a new PC.

7. Backup, recovery & portability

Your data lives in %AppData%\EncryptEngine:

ItemWhat it isHow to move / recover it
identities\ + identities.jsonYour identities (private keys sealed with DPAPI)Back up identity.eeid, then Restore on the other PC (§5)
contacts.jsonYour saved contactsExport all….vcf, then Import contacts… (§4)
settings.jsonApp preferences + profile name/emailCopy the file

Do this to stay safe

  • Back up each identity you rely on. Keep the .eeid file and its passphrase safe and separate. Without a backup, losing your Windows profile / reinstalling / switching PCs makes My key (and files sent to you) unrecoverable.
  • Back up your contacts with Export all….
  • The sealed private keys themselves can't be copied between machines directly — that's what the .eeid backup is for.
  • For items you must open elsewhere without any setup, Password mode is simplest (nothing to move).

8. Settings

  • Theme — System, Light, or Dark.
  • Default cipher — AES-256-GCM (always available) or ChaCha20-Poly1305 (when supported by the OS).
  • PBKDF2 iterations — work factor for password-based encryption (clamped to 100,000–5,000,000). Higher = stronger but slower.
  • Delete original after encrypting — default for the "shred" checkbox.
  • Advanced mode — reveals the session-key mode and the Advanced tab.
  • About — version and build information.

9. Advanced tools

Enable Advanced mode in Settings to reveal these.

  • Session-key generator — create a random 256-bit key (base64) for session-key encryption; copy it to share out-of-band.
  • Container inspector — open a .eenc file or paste a message to see its metadata without decrypting: format version, content kind, protection mode, cipher, key-derivation parameters, and the recipient key id — including who it was encrypted for when it matches one of your identities or contacts ("your identity ‘Work’", "your contact ‘Sara’").

10. FAQ & troubleshooting

I encrypted a file with "My key" and can't open it on my other computer.

"My key" needs your private key, which lives on the PC that made it. Back up your identity on that PC (§5) and Restore it on the other computer — then it opens. For no-setup portability, use Password mode instead.

Can I move my identity to a new PC / recover it after a reinstall?

Yes — Back up identity… to a .eeid file (passphrase-protected), then Restore identity… on the other machine. Do this before you lose access.

"This item uses a raw session key. Turn on Advanced mode to open it."

Enable Advanced mode in Settings, then paste the session key on the Decrypt screen.

Is my identity tied to my Windows login?

No — it's a random RSA key generated once. Its stored copy is sealed to your Windows user, but you can move it with a passphrase-protected backup (§5).

Can I open files/messages from the old EncryptEngine 1.x?

Yes, on Windows — the Decrypt screen opens them automatically (a "Legacy (v1)" banner). Password items ask for their password; items encrypted to your old key use your detected Legacy identity (v1). It's decrypt-only — new files always use the modern format.

Can I verify a contact is really who they say?

Compare their fingerprint (shown on the contact and on their identity card) with them over a trusted channel.

What happens to the original file when I encrypt?

Nothing, unless you tick "Delete the original after encrypting", which securely overwrites and removes it.