deadbolt simplifies encrypting and decrypting files. All you need is a password. Works on any laptop / desktop that you do.
You can download deadbolt for macOS, Windows, or Linux. Any encrypted file can be shared across these platforms.
Download the desktop app from the releases tab or see the installation section below for platform-specific instructions.
Select a file (or folder) to encrypt, enter a password, and β¦ that's it. Decryption is just as easy.
deadbolt includes a command-line interface for encrypting and decrypting files without the GUI. If you don't provide a password, you'll be prompted to enter it securely.
$ npm install -g deadbolt-cli
# Encrypt a file or folder
$ deadbolt encrypt secret.pdf
# Decrypt a file
$ deadbolt decrypt secret.pdf.deadbolt
# Provide password directly (warning: may be logged in shell history)
$ deadbolt encrypt secret.pdf --password "my-secure-password"
$ deadbolt decrypt secret.pdf.deadbolt --password "my-secure-password"Check out the releases tab for pre-built binaries for Mac, Windows, and Linux.
The recommended way to install deadbolt on macOS is with Homebrew, which uses this recipe:
# Install Homebrew
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install deadbolt, using homebrew
$ brew install deadbolt --caskInstall the deadbolt.dmg file from GitHub Releases. There are builds for both x86_64 (Intel) and arm64 (Apple Silicon -- M1, M2, etc.) CPU architectures.
After downloading:
- Double-click the
.dmgfile to mount it - Drag the
Deadboltapp to yourApplicationsfolder
Download an .exe file, or installer, from GitHub Releases.
AppImage and flatpak packages are available for Linux. AppImages can run on all major Linux desktop distributions, and flatpak packages are provided as another option. Auto-updates are not supported for Linux currently.
$ git clone https://github.com/alichtman/deadbolt.git && cd deadbolt
deadbolt on main is π¦ v2.0.0-beta via node v22.11.0 took 0s
$ npm install
deadbolt on main is π¦ v2.0.0-beta via node v22.11.0 took 0s
$ npm run package:linux-flatpak
deadbolt on main is π¦ v2.0.0-beta via node v22.11.0
$ ls -la release/build/
...
.rw-r--r--. alichtman alichtman 75 MB Sat Feb 8 21:42:00 2025 Deadbolt-2.0.0-beta.x86_64.flatpak
deadbolt on main is π¦ v2.0.0-beta via node v22.11.0 took 0s
$ flatpak install --user release/build/Deadbolt-2.0.0-beta.x86_64.flatpak
org.alichtman.deadbolt permissions:
ipc wayland x11 dri file access [1]
[1] home
ID Branch Op Remote Download
1. [β] org.alichtman.deadbolt master i deadbolt-origin 0 bytes
Installation complete.
deadbolt on main is π¦ v2.0.0-beta via node v22.11.0 took 7s
$ flatpak run org.alichtman.deadboltdeadbolt is packaged as deadbolt-bin on aur. I do not maintain this package.
$ yay -S deadbolt-bindeadbolt uses proven, secure password hashing and data encryption algorithms to make sure your files stay private.
deadbolt is built on Electron and uses crypto.js from the node.js standard library as well as the @node-rs/argon2 library. AES-256-GCM is used as an encryption protocol, and argon2id is used as a password hashing function. The integrity of all encrypted data is verified with the authentication tag provided by AES-GCM mode.
NOTE Starting in
deadbolt v2.1.0-alpha, the password-based key derivation function (PBKDF) changed frompbkdf2-sha512toargon2id. All newly encrypted files will benefit from the security upgrade.
Encrypted files include a version header (starting with DEADBOLT_V002 -- if it's missing, it's V1) at the beginning of the file, allowing for cryptographic improvements while maintaining backwards compatibility.
V002 Format (Current)
- Password Hashing Algorithm:
argon2id - Parameters: RFC 9106 FIRST recommendation (see Section 7.4: Parameter Choice)
- Memory cost: 2 GiB (2,097,152 KiB)
- Time cost: 1 iteration
- Parallelism: 4 lanes
- Salt: 128-bit (16-byte) randomly generated
- Output: 256-bit (32-byte) key for AES-256-GCM
V001 Format (Legacy)
- Password Hashing Algorithm:
PBKDF2-SHA512 - Parameters:
- Iterations: 10,000
- HMAC digest: SHA-512
- Salt: 512-bit (64-byte) randomly generated
- Output: 256-bit (32-byte) key for AES-256-GCM
- Version Header: None (no
DEADBOLT_Vprefix) - Maintained for backwards compatibility - V001 files can still be decrypted, but users are encouraged to re-encrypt with V002 for improved security
The cryptography components of deadbolt were written by an ex-Facebook Security Engineer (@alichtman -- me), and have been briefly reviewed by Vlad Ionescu, an ex-Facebook Red Team / Offensive Security Group tech lead. Their review is:
"yeah fuck it, it's fine. You're using very boring methods for everything -- that's the way to do it"
By default, macOS hides file extensions. To reduce confusion about what type each file is, I recommend configuring macOS to show file extensions. You can do that with the following command: $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true && killall Finder.
You can set this app as the default app for .deadbolt files, which means you'll be able to double-click on .deadbolt files to open them with deadbolt for decryption.
You can set this up the first time you double-click on a .deadbolt file, or by right-clicking on a .deadbolt file, selecting Get Info and changing the default app in the Open With: section.
To do this programmatically, run the following snippet:
$ brew install duti
$ duti -s org.alichtman.deadbolt dyn.ah62d4rv4ge80k2xtrv4a allThe output of $ duti -x deadbolt should then be:
$ duti -x deadbolt
Deadbolt.app
/Applications/Deadbolt.app
org.alichtman.deadbolt