DI Management Home > Cryptography > MySecret Blowfish Encryption Utility

MySecret Blowfish Encryption Utility

MySecret is a command-line freeware utility that can be used to encrypt and decrypt messages in an email-friendly manner. It works by encrypting or decrypting the contents of the clipboard. It can also work in file mode.

Updated 2026-02-08. On MySecret's opal (24th) anniversaryOpal anniversary. Version 3.2: Updated and recompiled for Windows and Linux 64-bit platforms. Changed license to BSD 2-Clause.

MySecret.exe is small - 150 kB - and quick. It uses the Blowfish algorithm to create base64-encoded text output that can be easily transmitted over the Internet or stored on any computer system. For more information on Blowfish see the web site of its inventor, Bruce Schneier and his references to Products that Use Blowfish.

Output from MySecret looks like 
-----BEGIN MYSECRET-----
TVn8AM0kIC3dpsmALVjI3zNXkDWzXuFWL/8EyHo9tzY7WK8072VWGNYw8mNn
JIOXp6VloE7YT0ar+RIRm68SnGAbD4rpqJijGI+xHw==
-----END MYSECRET-----
which can easily be copied and pasted.

Contents

Introduction

I wrote the first version after I'd been travelling and needed a simple utility I could keep on a floppy (yes, that long ago!) that would enable me to create and receive encrypted emails from Internet cafes and friends' PCs. You can also use it in batch files to carry out automated encryption of backup files.

These days I use it to store password and other confidential information in text data files.

Version 3 has improvements including compression of data before encryption, random padding characters, and confirmation of the password when encrypting. Data encrypted with versions 1 and 2 can still be decrypted using version 3.

thanks for a great program !!
i've been testing some programs (using either rijndael or blowfish) and i ended up using MYSECRET.. why?
because..
 it's fast !!
 it's a command-line program (easy to use with vb ;)
 it's blowfish and it supports large keys..
 it copies the encrypted/decrypted text to the clipboard (easy to use with vb)
thanks again, blowfish is indeed a great algoritm..
-Noaz
Your "MySecret" has got to be just about the best freeware utility of its type available - Thanks!!
I love its simplicity, the ability to en/decrypt text or files easily (I knocked up a trivial script to help with that), the fact that it compresses text before encryption and that it ignores whitespace when decrypting and also looks only for data between the delimiters.
All this makes it exceptionally powerful and robust, whilst still being incredibly simple to use.
-Tom
But...

Having said all that [and meant it too], there is just one small thing that I *don't* like about it....the name "MySecret" ! It just doesn't do the program justice: to be honest, it makes the program sound like something some script-kiddy has knocked up instead of the exceptional bit of software it actually is. I suspect that a number of people might not take it [the program] seriously, which would be a shame.
-Tom

Download

Download the latest version of MySecret.zip (183 kB) from here.

The MySecret.exe file version 3.2.0.0 was recompiled and signed on 8 February 2026 (using our signing certificate issued to "D.I. MANAGEMENT SERVICES PTY LIMITED"). This compilation includes executables compiled for both Win32 and X64 platforms. (The 32-bit compilation should work on most Windows computers; the 64-bit version is there if you need it.)

Terms and Conditions

Copyright 2002-26 David Ireland DI Management Services Pty Ltd https://di-mgt.com.au/contact
These executables are licensed under the BSD 2-Clause License.

To install

  1. Copy the file MYSECRET.EXE into a directory on your PC's path, e.g. C:\Windows.
  2. That's it!
  3. We recommend you set up a C:\Bin directory for files like this.

To use to encrypt a message in CLIPBOARD mode

  1. Copy the text you want to encrypt into the clipboard. This might have been typed first into Notepad, for example, or be from the body of an email.
  2. Open an Command Line window: Start > Programs > Accessories > Command Prompt.
  3. Type:
    MYSECRET
  4. The contents of the clipboard will display (this is a useful check).
  5. Enter a password when prompted. This is case-sensitive, so be careful. Your password can be any phrase with any normal characters including spaces and punctuation. The password is not displayed. Press Enter to finish. (New in Version 3) You will be asked to confirm the password, so type it again.
  6. The encrypted message will display.
  7. The encrypted message is now also in the clipboard. It can be pasted into an email or into a text editor.

To use to decrypt a message

  1. A message created with MySecret looks like this: 
    -----BEGIN MYSECRET-----
TVn8APjdMOdLPUBQ2OWsEh7wWnihhKKOKf11Vj0oo4pM20BPwrRXJyL+nBOL
dpxdc+PQQoQlr0Vz1n1Fv932HQ16DG712ui69T3O0jI3NfX8jRjtZkal/sFy
Vu9JJEWPfZ2Ri1fkfOCqe9ZvFEmJ78BcUVmf37SYbgKi8UcAv4i1heHfJ05e
nde6nFeiyDptYflT7SiIGHcO1cVya22b1OLHakAE2paS1OJqQrHYc+5wEAdo
DU/0BmNvNNYOekmHZT19C1+cIwZFo3ACLRN44gZffx+KIng570UcoNYa7NWn
hzt6gvQHXEp2jnE=
-----END MYSECRET-----
  2. Copy the message into the clipboard. Make sure you include the BEGIN and END lines, including the five dashes before the word BEGIN. It doesn't matter if there is other text before or after these lines; text outside will be ignored.
     
  3. In an Command Prompt (MS-DOS) window type: 
    MYSECRET
    or, to be sure you mean decrypt, type 
    MYSECRET -d
    where -d means decrypt.
  4. The contents of the clipboard will display as a check.
  5. Enter the correct password (in the example above it is "abc").
  6. If correct, the decrypted message will display on the screen.
  7. The decrypted message will also be in the clipboard for you to paste into a text document.

Syntax

Usage: MySecret [OPTIONS] [-p password] [[-i] infile [[-o] outfile]]
OPTIONS:
-e|-d force Encrypt or Decrypt
-n do Not ask to confirm password
-w Warn before overwriting existing outfile
-@ use stdin/stdout pipes if in/outfile not given
-L display Licence conditions and exit
-?|-h display this Help and exit
EXAMPLES:
MySecret                (=clipboard-mode, prompts for password)
MySecret -p "my pass phrase"
MySecret infile outfile (=file-mode)
MySecret -@ infile      (output to stdout)
MySecret -@ -o outfile  (input from stdin)
MySecret -@             (input from stdin/output to stdout)

Using the in-line password option

The default mode is to prompt for a password which will not be displayed when typed. Alternatively, you can use the -p option to enter a password in the command line. 
MYSECRET -p abc
will use the password "abc" to encrypt the contents of the clipboard.

To use a pass phrase with spaces or other punctuation characters in it, surround the pass phrase with double-quote characters, e.g. 

MYSECRET -p "hello world#"
Note that a space is required between the "-p" and the password itself.

To use to encrypt a file

If you enter both an input and an output filename in the command line, you can encrypt or decrypt files. When encrypting. the output file will be an ordinary ANSI text file that can be viewed in any text editor, albeit in encrypted and base64 encoded form. The input file for encryption, however, may be a text or binary file of any type. 
MYSECRET C:\mydrive\myfile.txt C:\mydrive\myfile.txt.mys
will create the encrypted file myfile.txt.mys. Alternatively 
C:
CD \mydrive
MYSECRET myfile.txt myfile.txt.mys
To decrypt 
MYSECRET -d myfile.txt.mys myfile.txt
If the name of the file or the folder contains spaces, enclose the name in double-quotes 
MYSECRET "My Documents\myfile.txt" "My Documents\myfile.txt.mys"

Using MySecret in Batch Files

This example will allow you to do "automated" encryption of a particular file using a batch file.
  1. Create a text file ENCR.BAT as follows: 
    =====(cut)=====
echo password is "%1"
if "%1"=="" goto NOPASSWORD

set mypwd=%1

mysecret -p %mypwd% $backup.zip $backup.zip.mys
if not errorlevel 1 del $backup.zip

set mypwd=
goto DONE
:NOPASSWORD
echo no password
:DONE
=====(cut)=====
  2. Open a command prompt window in the relevant directory where your file is.
  3. At the command prompt type 
    ENCR password
    where "password" is your password.
  4. The file in this example "$backup.zip" will be encrypted and the output will be the new file "$backup.zip.mys".

Remarks

Security Considerations

MySecret is a software application that provides a method for encrypting data using the Blowfish block cipher algorithm. The security provided in theory is the lesser of 128-bits and the entropy provided by the user's password. No opinion is offered on the security of the Blowfish algorithm itself. It is the responsibility of the user to provide a password or pass phrase of sufficient strength and to protect the secrecy of that password, including protecting against exposure by malware or keystroke loggers on the user's computer.

Examples in Use

There is a demonstration VB6 project using CryptoSys API.

For a Linux-based demonstration on our Apache-based website, see My Secret On-line.

Linux Version

The file 'MySecret' is an executable compiled for an X86_64 Linux system: MySecret-3.2.0.bin.tbz (398 kB). It is compiled from the same source code as the Windows version, but it only works in file-to-file mode. (Hint: You may find the -@ option useful.) If it works for you on your X86_64 Linux system, please use it.

This Linux version has been compiled using the "-static" option so it is independent of other libraries. It works for us on our Apache-based website: see My Secret On-line.

Acknowledgements

The source code used in MySecret is original code written by David Ireland except for the following:

Thanks to 'Chris' for pointing a bug in version 3.1.0 with strings of a certain length (like "abc").

The Program

MySecret is written in ANSI C and has been compiled using Microsoft Visual C++. The program is a Win32 executable that requires Windows XP or above. There is also a version compiled on a Linux machine. The first version was published on 8 February 2002. Version 2 was released in June 2003. The current Version 3 was first released on 11 May 2007. MySecret is Copyright © 2002-26 DI Management Services Pty Ltd. All rights reserved.

Technical details

For the technical minded, here's how it works in Version 2 and Version 3.

The program takes its input buffer from either the clipboard or the specified file. Unless the program is explicitly instructed to encrypt or decrypt with the -e or -d options in the command line, it will examine the input buffer for the "-----BEGIN MYSECRET" framing characters. If the framing is present, the program will attempt to decrypt the characters up to "-----END MYSECRET". In all other circumstances, it will encrypt the entire input buffer.

To encrypt, the program does the following:-
  1. Checksum: Compute a 24-bit CRC checksum of the plaintext input buffer.
  2. Generate an IV: Generate a 64-bit Initialisation Vector (IV) by making an MD5 hash of the current time and the CRC value computed above. Set the IV to be the first 8 bytes of the resulting message digest value.
  3. Set key: Generate a 128-bit key by using the IV as a salt (s) and stretching the user's pass phrase (p) by hashing with MD5 repeatedly as follows:
    • Set X(1) = MD5 (p || s)
    • For i = 2 to 1024, set X(i) = MD5 (X(i-1) || p || s)
    • Set the key as the final value of X(i).
    where || denotes ordered concatenation of two strings.
  4. Construct a padded encryption block:
    Version 2:
    1. Append the 3-byte CRC-24 checksum to the input buffer in big-endian order.
    2. Pad the result of the previous step by appending a padding string of between 1 and 8 bytes to make the total length of the encryption block an exact multiple of 8 bytes. The value of each byte of the padding string is set to the number of bytes added - i.e. 8 bytes of value 0x08, 7 bytes of value 0x07, ..., 2 bytes of 0x02, or one byte of value 0x01. This is the padding method recommended in RFC 2630, RFC 3370, RFC 1423, PKCS#5, and PKCS#7.

    Version 3:
    1. Compress the plaintext input using the ZLIB 'compress' function.
    2. Prepend the compressed data with a 10-byte header:
      • a 2-byte signature ZS: 0x5A04 ('Z' + 0x04), plus
      • the compressed length CLEN as a 32-bit integer in big-endian order, plus
      • the original, uncompressed length ULEN as a 32-bit integer in big-endian order.
    3. Append the 3-byte CRC-24 checksum in big-endian order.
    4. Append a padding string of length NPAD between 9 and 72 bytes to make the total length of the encryption block an exact multiple of 8 bytes. This padding string consists of
      • a "guard" block of 8 bytes each of value equal to the length, NPAD, of the padding string; plus
      • a sequence of length 8*k of bytes each of random value [0,255] where k is a random integer between 0 and 7; plus
      • a final block of size [1,8] bytes of value NPAD.
  5. Encrypt: Create the ciphertext by encrypting the encryption block using the Blowfish algorithm in Cipher Block Chaining (CBC) mode with the key and IV as generated above.
  6. Add header: Prepend the ciphertext with a 12-byte header consisting of
    • A 4-byte signature: 0x4D59FC00 ('M' + 'Y' + 0xFC + 0x00) for Version 3, or 0x4D59FD00 ('M' + 'Y' + 0xFD + 0x00) for Version 2; plus
    • The 8-byte IV
  7. Encode: Encode the resulting output using base64 encoding (RFC 2045 s6.8).
  8. Frame: Add CR-LF characters every 60 characters and surround with BEGIN and END frames in a similar manner to that used in PGP (RFC 2440 s6.2) and in Privacy Enhanced Mail (RFC 1421 s4.4).

Version 2

                 +---------------+
                 | Input buffer  |
                 +---------------+
                 |               |
                 +---------------+--------+----------+
                 | Plaintext...  | CRC(3) | PAD(1-8) |
                 +---------------+--------+----------+
                 |<----------(encrypt this)--------->|
+------+---------+-----------------------------------+
|SIG(4)|  IV(8)  | Ciphertext...                     |
+------+---------+-----------------------------------+
|<-------------------(encode this)------------------>|
+----------------------------------------------------+
| Base64-encoded output...                           |
+----------------------------------------------------+

Version 3

                                     +-----------------------+
                                     | Plaintext...          |
                                     +-----------------------+
                                     |<----(compress this)-->|
                                     |                      /
                                     |                     /
               +-----+-------+-------+--------------------+------+---------+
               |ZS(2)|CLEN(4)|ULEN(4)| Compressed data... |CRC(3)|PAD(9-72)|
               +-----+-------+-------+--------------------+------+---------+
               |<----------------------(encrypt this)--------------------->|
+------+-------+-----------------------------------------------------------+
|SIG(4)| IV(8) | Ciphertext...                                             |
+------+-------+-----------------------------------------------------------+
|<-----------------------------(encode this)------------------------------>|
+--------------------------------------------------------------------------+
| Base64-encoded output...                                                 |
+--------------------------------------------------------------------------+

Decryption is the reverse process. The program will decode any base64-encoded data found between the framing characters. It will then look for and skip over the signature and extract the IV from the input before deciphering the remaining ciphertext using the key generated from the user's pass phrase and IV. If there is no signature, the program will assume that the ciphertext was created using MySecret Version 1 and decrypt accordingly.

After decryption, the program checks that decryption has been successful by examining the decrypted block.

Version 2: Working backwards from the end of the decrypted data, there should be between 1 and 8 padding bytes each of the same value between 0x01 and 0x08 preceded by a 3-byte CRC-24 checksum which should match a CRC checksum of the preceding plaintext data.

Version 3: Confirm that the first two bytes are 'Z' and 0x04. Convert the subsequent 8 bytes into the two 32-bit integers CLEN and ULEN. Check that the values of these integers are reasonable (not negative, not too large, CLEN < decrypted block size). Get the length NPAD of the padding string from the last byte in the block. Verify that the first 8 bytes of this padding string are all of value NPAD. Extract the 3-byte CRC-24 checksum immediately before the padding string, uncompress the compressed data to recover the original plaintext, compute the CRC-24 checksum of this, and make sure the two checksum values are equal.

If any of these checks fail, the program will indicate a "Decryption Error". Otherwise it will output the recovered plaintext either to the clipboard or to a file.

There is a VB6 project that demonstrates the algorithm available here.

Security Enhancements in Version 3

Contact

For more information or to comment on this page, please send us a message.

This page last updated 10 February 2026