Easy encrypt, ee for short, is a command line shell with built-in support for exchanging and maintaining cryptographic keys, comparing exchanged keys efficiently during conversations, achieving forward security, backing up and restoring key stores and using keys to encrypt and decrypt files. It sets a different focus compared to other tools.
When the usability of encryption tools is debated, most of the discussion revolves around ease of use for non-technical users. Technical users need encryption tools as well, and even security experts complain that GPG/PGP can be hard to use. ee's design emphasizes ease of use and straightforwardness.
If an adversary becomes root on a machine, nothing stops them from taking a user's keys, encrypted or not. Without root privileges, an adversary may still steal encrypted key rings; if that happens, only a strong password defends the keys against an offline brute-force attack. A strong password is necessarily long, and users must enter it whenever they wish to use their private keys. Usability suffers.
ee keeps the key store in a directory that only root can traverse. ee runs as a SUID root program: it traverses the directory, maps the key store into memory and then drops its root privileges. The key store contains a counter that limits password entry to three consecutive false attempts. The password can be short, and it must be entered only once, when ee starts, no matter how often private keys are used.
ee has few commands but flexible concepts. add, delete, rename, info and show manage nick names, a core concept of ee. Each nick represents a communication partner and holds a unique key pair. The import and export commands are used when exchanging keys with a communication partner. Keys can be imported only once so that usage errors cannot cause the loss of a key.
Publishing a single public key for use by unknown senders is handled with the clone command, which creates a new nick that shares the private keys of an existing nick but carries none of its already imported keys.
The check command supports verifying exchanged keys, for example during a phone call. The check's security is independent of the adversary's computational power: no amount of CPU power or data center capacity yields an advantage in a MITM attack. The transfer and confirm commands support transferring authority from one nick to a new one with fresh key pairs, which yields forward secrecy.
The backup and restore commands support backing up, restoring and merging key stores in encrypted form. Together, these commands allow one to synchronize keys across different machines.
The attach and fetch commands extract attachments from selected mail messages and compose mail windows with a given file attached. If the nick field is set in the address book, the recipient's e-mail address is filled in as well. Both commands are limited to Mail.app on OS X.
The man page of ee explains everything, with examples, in about 460 lines.
ee uses a limited set of concepts based on nicks and key exchange and allows users to combine them explicitly to achieve more complex goals. Operations are direct and simple, so that users can build an accurate mental model of what is going on and hence understand how ee will behave. The concept of authority transfers emerged from these considerations, as did private nicks and nick cloning (see the man page for details).
ee is designed to be self-contained and small. Its only dependencies are tweetnacl and libc. It supports command-line editing, a command history and UNIX pipes. Most importantly, its SLOC count is less than 5K (including tweetnacl), which is small enough to inspect manually.
For comparison, the GnuPG 2.1 distribution contains 178K SLOC. The comparison is not entirely fair, because GnuPG has a much larger feature set. On the other hand, this is exactly what we wish to avoid with ee.