MySecret Encryption Utility

MySecret is a command-line freeware utility that can be used to encrypt and decrypt messages in an email-friendly manner. It works by encrypting or decrypting the contents of the clipboard. It can also work in file mode.

March 2026: Brand new modern version. Completely new version of MySecret using modern 256-bit authenticated encryption (ChaCha20-Poly1305) and SHA-256 for hashing. See Technical details for more information.

MySecret.exe is small - 180 kB - and quick. It creates base64-encoded text output that can be easily transmitted over the Internet or stored on any computer system.

Output from MySecret looks like

-----BEGIN MYSECRET-----
TVn7ACoH5CUBaC0nAhflKD91b3vKUKcQUR3pBLSCUVJU5z2vCuPP1a2bCyDv
D0sDYsXNIkl6cQQmj9ANOPBtDAc864tWGAU30Oxh98e48S/ecWkADOz94bx7
5jf8O5zcbeg97GtnbhOmt+OpVbqiWV7M
-----END MYSECRET-----

which can easily be copied and pasted. (The password for the above is "password" - check it in MySecret v4 On-line.)

Introduction
Feedback
Download
Terms and Conditions
To install
To use to encrypt a message in CLIPBOARD mode
To use to decrypt a message
Syntax
Using the in-line password option
To use to encrypt a file
Using MySecret in Batch Files
Remarks
The Program
ChaCha20-Poly1305 algorithm
Security Considerations
Linux Version
Examples in Use
Technical details
Acknowledgements
References
History
Contact
Comments

Introduction

I wrote the first version after I'd been travelling and needed a simple utility I could keep on a floppy (yes, that long ago!) that would enable me to create and receive encrypted emails from Internet cafes and friends' PCs. You can also use it in batch files to carry out automated encryption of backup files.

These days I use it to store password and other confidential information in text data files and databases.

In February 2026 we updated the original Win32 code to add a 64-bit X64 version, as we have been doing progressively with all our Windows utilities. Having done that we realised that a complete re-write should be done using modern 256-bit algorithms. Hence the new version 4.

The original and older versions 2 and 3 used the Blowfish encryption algorithm. The latest (2026) version has been completely re-written to use 256-bit authenticated encryption and increased 256-bit security for hashing. MySecret will still decrypt input encrypted with versions 2 and 3. There is a demonstration web site at MySecret v4 On-line.

Feedback

thanks for a great program !!

i've been testing some programs (using either rijndael or blowfish) and i ended up using MYSECRET.. why?
because..
it's fast !!
it's a command-line program (easy to use with vb ;)
it's blowfish and it supports large keys..
it copies the encrypted/decrypted text to the clipboard (easy to use with vb)

thanks again, blowfish is indeed a great algoritm..

-Noaz

Your "MySecret" has got to be just about the best freeware utility of its type available - Thanks!!

I love its simplicity, the ability to en/decrypt text or files easily (I knocked up a trivial script to help with that), the fact that it compresses text before encryption and that it ignores whitespace when decrypting and also looks only for data between the delimiters.

All this makes it exceptionally powerful and robust, whilst still being incredibly simple to use.
-Tom

But...

Having said all that [and meant it too], there is just one small thing that I *don't* like about it....the name "MySecret" ! It just doesn't do the program justice: to be honest, it makes the program sound like something some script-kiddy has knocked up instead of the exceptional bit of software it actually is. I suspect that a number of people might not take it [the program] seriously, which would be a shame.
-Tom

Download

Download the latest version of MySecret.zip (265 kB) from here.

The MySecret.exe file version 4.0.1 was recompiled and signed on 15 March 2026 (using our signing certificate issued to "D.I. MANAGEMENT SERVICES PTY LIMITED"). This compilation includes executables compiled for both Win32 and X64 platforms. (The 32-bit compilation should work on most Windows computers; the 64-bit version is there if you need it.)

Terms and Conditions

Copyright 2002-26 David Ireland DI Management Services Pty Ltd https://di-mgt.com.au/contact
These executables are licensed under the BSD 2-Clause License.

To install

Copy the file MYSECRET.EXE into a directory on your PC's path, e.g. C:\Windows.
That's it!
We recommend you set up a C:\Bin directory for files like this.

To use to encrypt a message in CLIPBOARD mode

Copy the text you want to encrypt into the clipboard. This might have been typed first into Notepad, for example, or be from the body of an email.
Open an Command Line window: Start > Programs > Accessories > Command Prompt.
Type:
```
MYSECRET
```
The contents of the clipboard will display (this is a useful check).
Enter a password when prompted. This is case-sensitive, so be careful. Your password can be any phrase with any normal characters including spaces and punctuation. The password is not displayed. Press Enter to finish. (New in Version 3) You will be asked to confirm the password, so type it again.
The encrypted message will display.
The encrypted message is now also in the clipboard. It can be pasted into an email or into a text editor.

To use to decrypt a message

A message created with MySecret looks like this:

-----BEGIN MYSECRET-----
TVn7ACoH5CUBaC0nAhflKD91b3vKUKcQUR3pBLSCUVJU5z2vCuPP1a2bCyDv
D0sDYsXNIkl6cQQmj9ANOPBtDAc864tWGAU30Oxh98e48S/ecWkADOz94bx7
5jf8O5zcbeg97GtnbhOmt+OpVbqiWV7M
-----END MYSECRET-----

Copy the message into the clipboard. Make sure you include the BEGIN and END lines, including the five dashes before the word BEGIN. It doesn't matter if there is other text before or after these lines; text outside will be ignored.
In a Command Prompt (MS-DOS) window type:
```
MYSECRET
```
The contents of the clipboard will display as a check.
Enter the correct password (in the example above it is "abc").
If correct, the decrypted message will display on the screen.
The decrypted message will also be in the clipboard for you to paste into a text document.

Syntax

Usage: MySecret [OPTIONS] [-p password] [[-i] infile [[-o] outfile]]
OPTIONS:
-e force Encrypt
-n do Not ask to confirm password
-w Warn before overwriting existing outfile
-q hide input in clipboard mode
-@ use stdin/stdout pipes if in/outfile not given
-3 use v3 algorithm (Blowfish)
-L display Licence conditions and exit
-V display Version information and exit
-h|-? display this Help and exit
EXAMPLES:
MySecret                (=clipboard-mode, prompts for password)
MySecret -p "my pass phrase"
MySecret infile outfile (=file-mode)
MySecret -@ infile      (output to stdout)
MySecret -@ -o outfile  (input from stdin)
MySecret -@             (input from stdin/output to stdout)

Using the in-line password option

The default mode is to prompt for a password which will not be displayed when typed. Alternatively, you can use the -p option to enter a password in the command line.

MYSECRET -p abc

will use the password "abc" to encrypt the contents of the clipboard.

To use a pass phrase with spaces or other punctuation characters in it, surround the pass phrase with double-quote characters, e.g.

MYSECRET -p "hello world#"

Note that a space is required between the "-p" and the password itself.

To use to encrypt a file

If you enter both an input and an output filename in the command line, you can encrypt or decrypt files. When encrypting. the output file will be an ordinary ASCII text file that can be viewed in any text editor, albeit in encrypted and base64 encoded form. The input file for encryption, however, may be a text or binary file of any type.

MYSECRET C:\mydrive\myfile.txt C:\mydrive\myfile.mys.txt

will create the encrypted file myfile.mys.txt. Alternatively

C:
CD \mydrive
MYSECRET myfile.txt myfile.mys.txt

To decrypt (the program automatically detects the -----BEGIN MYSECRET encapsulation)

MYSECRET myfile.mys.txt myfile.txt

If the name of the file or the folder contains spaces, enclose the name in double-quotes

MYSECRET "My Documents\myfile.txt" "My Documents\myfile.mys.txt"

Using MySecret in Batch Files

This example will allow you to do "automated" encryption of a particular file using a batch file.

Create a text file ENCR.BAT as follows:

=====(cut)=====
echo password is "%1"
if "%1"=="" goto NOPASSWORD

set mypwd=%1

mysecret -p %mypwd% $backup.zip $backup.zip.mys
if not errorlevel 1 del $backup.zip

set mypwd=
goto DONE
:NOPASSWORD
echo no password
:DONE
=====(cut)=====

Open a command prompt window in the relevant directory where your file is.
At the command prompt type
```
ENCR password
```
where "password" is your password.
The file in this example "$backup.zip" will be encrypted and the output will be the new file "$backup.zip.mys".

Remarks

If you want to encrypt clipboard data or a file that actually contains the text "-----BEGIN MYSECRET", the program will automatically try to decrypt it. To prevent this include the -e option in the command line. For example:
```
MYSECRET -e
```
or
```
MYSECRET -e myfile.txt myfile.mys.txt
```
Use the "-n" option to avoid having to re-type the password.
```
MYSECRET -n
```
To turn off the display of the clipboard data before it's encrypted, use the "-q" option.
```
MYSECRET -q
```
To encrypt or decrypt files, both the input and output filenames must be in the command line, or the program will default to clipboard mode. The default is to overwrite the output file without warning - you have been warned! To prevent this, use the -w option which will prompt if an existing file of the same name exists. The output filename may be the same as the input filename, in which case the original data will be overwritten.
The program needs at least two times free memory as the size of the object you are encrypting or decrypting. So don't complain about your 1 GB file.

The Program

MySecret.exe is written in ANSI C and has been compiled for Windows using Microsoft Visual C++. The program is a Win32 executable that requires Windows XP SP1 or above. The 32-bit executable should run on all modern Windows machines, but a 64-bit X64 executable is also provided, should you need it. There is also a version compiled on a X86_64 Linux machine. MySecret is Copyright © 2002-26 DI Management Services Pty Ltd. All rights reserved.

ChaCha20-Poly1305 algorithm

ChaCha20 is a high-speed cipher and Poly1305 is a high-speed message authentication code. Both were introduced by Daniel J. Bernstein, see [CHACHA] and [POLY1305]. AEAD-CHACHA20-POLY1305 is the Authenticated Encryption with Associated Data (AEAD) construction using ChaCha20 and Poly1305 described in [RFC8439]

Security Considerations

MySecret is a software application that provides a scheme for encrypting data using the ChaCha20-Poly1305 authenticated encryption algorithm. The security provided in theory is the lesser of 256-bits and the entropy provided by the user's password. It is the responsibility of the user to provide a password or pass phrase of sufficient strength and to protect the secrecy of that password, including protecting against exposure by malware or keystroke loggers on the user's computer.

Linux Version

The file 'MySecret' is an executable compiled using gcc for an X86_64 Linux system: MySecret-4.0.1.bin.tbz (439 kB). It is compiled from the same source code as the Windows version, but it only works in file-to-file mode. (Hint: You may find the -@ option useful.) If it works for you on your X86_64 Linux system, please use it.

To install: Copy the executable file MySecret to a test directory, or in /usr/local/bin.

chmod +x MySecret
echo -n "abc" > abc.txt
./MySecret -p password abc.txt abc.mys.txt
cat abc.mys.txt

This Linux version has been compiled using the "-static" option so it is independent of other libraries. It works for us on our Apache-based website: see My Secret On-line.

Examples in Use

For a Linux-based demonstration on our Apache-based website, see My Secret On-line.

There is a C#/WinForms project that demonstrates the v3 and v4 algorithms available at MySecret with CryptoSys API.

Technical details

For the technical minded, here's how it works in the new (2026) Version 4.

The program takes its input buffer from either the clipboard or the specified file. Unless the program is explicitly instructed to encrypt with the -e option in the command line, it will examine the input buffer for the "-----BEGIN MYSECRET" framing characters. If the framing is present, the program will attempt to decrypt the characters up to "-----END MYSECRET". In all other circumstances, it will encrypt the entire input buffer.

Version 4 uses the AEAD_CHACHA20_POLY1305 authenticated encryption algorithm. This uses a 256-bit key and a 96-bit nonce (IV). It generates ciphertext of the same length as the input plus a 16-byte authentication tag. For more information about authenticated encryption see Using the AEAD functions for authenticated encryption with additional data. Hashing in version 4 uses the SHA-256 algorithm as specified in [FIPS180].

Version 4

                                      +-----------------------+
                                      | Plaintext...          |
                                      +-----------------------+
                                      |<----(compress this)-->|
                                      |                      /
                                      |                     /
                +-----+-------+-------+--------------------+------+---------+
                |ZS(2)|CLEN(4)|ULEN(4)| Compressed data... |CRC(4)|PAD(8-71)|
                +-----+-------+-------+--------------------+------+---------+
                |<----------------------(encrypt this)--------------------->|
+------+--------+-----------------------------------------------------------+---------+
|SIG(4)| IV(12) | Ciphertext...                                             | TAG(16) |
+------+--------+-----------------------------------------------------------+---------+
|<-----------------------------(encode this)----------------------------------------->|
+-------------------------------------------------------------------------------------+
| Base64-encoded output...                                                            |
+-------------------------------------------------------------------------------------+

To encrypt, the program does the following:-

Checksum: Compute a 4-byte CRC-32 checksum of the plaintext input buffer.
Generate an IV: Generate a 12-byte Initialisation Vector (IV) by making an SHA256 hash of the current time and the CRC value computed above together with an internal counter.
```
SHA256(time || seed || INT(counter))
```
Set the IV to be the first 12 bytes of the resulting message digest value.
Set key: Generate a 256-bit key by using the IV as a salt (s) and stretching the user's pass phrase (p) by hashing with SHA256 repeatedly with a counter as follows:
- Set X(1) = SHA256 (p || s || INT(1))
- For i = 2 to 2048, set X(i) = SHA256 (X(i-1) || p || s || INT(i)
- Set the key as the final value of X(i).
where || denotes ordered concatenation of two strings and INT(i) is a four-byte encoding of the integer i, most significant byte first.
Construct the encryption block:
Version 4:
1. Compress the plaintext input using the ZLIB 'compress' function.
2. Prepend the compressed data with a 10-byte header:
  - a 2-byte signature ZS: 0x5A05 ('Z' + 0x05), plus
  - the compressed length CLEN as a 32-bit integer in big-endian order, plus
  - the original, uncompressed length ULEN as a 32-bit integer in big-endian order.
3. Append the 4-byte CRC-32 checksum in big-endian order.
4. Generate random integers k and r between 0 and 7 and set NPAD = (k + 1) * 8 + r, so NPAD is in the range [8, 71].
5. Append a padding string of length NPAD random bytes each of value [0,255]. This padding string is used purely to disguise the length of the original plaintext.
Encrypt: Create the ciphertext and TAG by encrypting the encryption block using the AEAD_CHACHA20_POLY1305 algorithm with the 256-bit key and 96-bit nonce (IV) as computed above, and the empty string for additional authenticated data (AAD).
Add header and tag: Prepend the ciphertext with a 16-byte header consisting of
- A 4-byte signature: 0x4D59FB00 ('M' + 'Y' + 0xFB + 0x00) for Version 4,
- The 12-byte IV
And append the 16-byte TAG computed by the AEAD_CHACHA20_POLY1305 algroithm.
Encode: Encode the resulting output using base64 encoding [RFC4648].
Frame: Add CR-LF characters every 60 characters and surround with BEGIN and END frames in a similar manner to that used in PGP [RFC2440] s6.2. and in Privacy Enhanced Mail [RFC1421] s4.4.

Decryption is the reverse process. The program will decode any base64-encoded data found between the framing characters. It will then look for, check, and skip over the signature and extract the IV from the input before deciphering the remaining ciphertext using the key generated from the user's pass phrase and IV. Decryption will fail if the authentication tag is not validated (i.e. if the ciphertext has been altered).

After decryption, the program checks that decryption has been successful by examining the decrypted block.

Version 4: Confirm that the first two bytes are 'Z' and 0x05. Convert the subsequent 8 bytes into the two 32-bit integers CLEN and ULEN. Check that the values of these integers are reasonable (not negative, not too large, CLEN < decrypted block size). Extract the 4-byte CRC-32 checksum immediately after the compressed data, uncompress the compressed data to recover the original plaintext, compute the CRC-32 checksum of this, and make sure the two checksum values are equal. Check that ULEN equals the length of the uncompressed data.

If any of these checks fail, the program will indicate a "Decryption Error". Otherwise it will output the recovered plaintext either to the clipboard or to a file.

Version 3 and earlier

Version 3 and earlier versions used the Blowfish encryption algorithm with a 128-bit key in CBC mode. The 3-byte CRC value used the CRC-24 algorithm. The key was derived by stretching the user's password using the MD5 algorithm over 1024 iterations. The length of the padding was set to a randomly-generated number between 9 and 72 bytes padded to an exact multiple of 8 bytes, including "guard" bytes that can be checked after decryption.

The 4-byte signature for Version 3 is 0x4D59FC00 ('M' + 'Y' + 0xFC + 0x00) and the 2-byte ZS value is 0x5A04 ('Z' + 0x04). For reference, the signature for Version 2 was 0x4D59FD00.
                                     +-----------------------+
                                     | Plaintext...          |
                                     +-----------------------+
                                     |<----(compress this)-->|
                                     |                      /
                                     |                     /
               +-----+-------+-------+--------------------+------+---------+
               |ZS(2)|CLEN(4)|ULEN(4)| Compressed data... |CRC(3)|PAD(9-72)|
               +-----+-------+-------+--------------------+------+---------+
               |<----------------------(encrypt this)--------------------->|
+------+-------+-----------------------------------------------------------+
|SIG(4)| IV(8) | Ciphertext...                                             |
+------+-------+-----------------------------------------------------------+
|<-----------------------------(encode this)------------------------------>|
+--------------------------------------------------------------------------+
| Base64-encoded output...                                                 |
+--------------------------------------------------------------------------+
Version 3 computations

Generate an IV: Generate a 64-bit Initialisation Vector (IV) by making an MD5 hash of the current time and the CRC value computed above. Set the IV to be the first 8 bytes of the resulting message digest value.

Set key: Generate a 128-bit key by using the IV as a salt (s) and stretching the user's pass phrase (p) by hashing with MD5 repeatedly as follows:

Set X(1) = MD5 (p || s)

For i = 2 to 1024, set X(i) = MD5 (X(i-1) || p || s)

Set the key as the final value of X(i).

where || denotes ordered concatenation of two strings.

Pad block: Append a padding string of length NPAD between 9 and 72 bytes to make the total length of the encryption block an exact multiple of 8 bytes. This padding string consists of

a "guard" block of 8 bytes each of value equal to the length, NPAD, of the padding string; plus

a sequence of length 8*k of bytes each of random value [0,255] where k is a random integer between 0 and 7; plus

a final block of size [1,8] bytes of value NPAD.

Acknowledgements

The source code used in MySecret is original code written by David Ireland except for the following:

The code for ChaCha20 uses code derived from public domain code by D.J. Bernstein, <http://cr.yp.to/djb.html>.
The code for Poly1305 uses code adapted from public domain software by Andrew Moon, <https://github.com/floodyberry/poly1305-donna>.
The Blowfish encryption functions use code placed in the public domain by Bruce Schneier as published in Applied Cryptography (second edition, John Wiley, 1996).
The base64 encoding functions use code derived from work placed in the public domain by Carl M. Ellison in 1995.
The CRC-24 function uses code derived from RFC 2440 OpenPGP Message Format, Callas et al, November 1998.
The basic code implementing the RSA Data Security, Inc. MD5 Message-Digest Algorithm is derived from that published in RFC1321 and is covered by the following copyright:
Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the ''RSA Data Security, Inc. MD5 Message-Digest Algorithm'' in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as ''derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm'' in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided ''as is'' without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
The ZLIB data compression utilities and CRC-32 function use source code with permission from the 'zlib' general purpose compression library version 1.2.3 Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler.

Thanks to 'Chris' for pointing out a bug in version 3.1.0 with strings of a certain length (like "abc").

References

[CHACHA] Bernstein, D., ChaCha, a variant of Salsa20, January 2008, (https://cr.yp.to/chacha/chacha-20080128.pdf).
[POLY1305] Bernstein, D., The Poly1305-AES message-authentication code, March 2005, (https://cr.yp.to/mac/poly1305-20050329.pdf).
[RFC1421] RFC 1421 Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures. J. Linn. February 1993.
[RFC2440] RFC 2440 OpenPGP Message Format. J. Callas, L. Donnerhacke, H. Finney, R. Thayer. November 1998.
[RFC4648] RFC 4648 The Base16, Base32, and Base64 Data Encodings. S. Josefsson, October 2006.
[RFC8439] RFC 8439 ChaCha20 and Poly1305 for IETF Protocols. Y. Nir, A. Langley. June 2018. (Obsoletes RFC7539)
[FIPS180] Federal Information Processing Standard, FIPS PUB 180-4 Secure Hash Standard (SHS), U.S. Department of Commerce/National Institute of Standards and Technology, August 2015. (NIST.FIPS.180-4).

History

7 March 2026: Completely new Version 4 using authenticated encryption. Added -V and -q options, removed redundant -d option.
8 February 2026: MySecret's opal (24th) anniversary Version 3.2: Updated and recompiled for Windows and Linux 64-bit platforms. Changed license to BSD 2-Clause. Added -L option.
11 May 2007: Version 3 released using compression of plaintext
June 2003: Version 2 released.
8 February 2002: First version of MySecret published.

Contact

For more information on this page, please send us a message. To make a comment see below.

This page last updated 15 March 2026

Comments

[Go to last comment] [Read our comments policy]

[Go to first comment]