Crayonic File Encryption

Overview

Crayonic File Encryption is a certificate-based single-file protection tool that uses the key pair behind a user's X.509 certificate, stored on a Crayonic wallet, as the key. It is delivered as an open-source utility with Python example code so developers can integrate certificate-based file protection into their own workflows.

The project is published on GitLab as PIVCrypt:

https://gitlab.com/crayonic/pivcrypt

Please file issues, patches and feature requests directly in the GitLab repository.

When to Use It

  • You want to encrypt a file such that only the holder of a specific X.509 certificate on a Crayonic wallet can decrypt it.
  • You need a reference implementation for integrating PIV-based asymmetric file encryption into your own tooling.
  • You want to demonstrate enterprise-grade, hardware-backed file protection without deploying a full DRM or rights-management product.

How It Works

  1. A symmetric key is generated at random to encrypt the file contents.
  2. The symmetric key is wrapped with the public key of the target X.509 certificate read from the Crayonic wallet.
  3. The wrapped key and the ciphertext are stored together.
  4. To decrypt, the recipient inserts the Crayonic wallet that holds the matching private key; the wallet performs the unwrap on-device and the decrypted symmetric key is used to recover the file.

Because the private key never leaves the Crayonic secure element, a stolen copy of the encrypted file cannot be decrypted off-device.
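The four steps above as an added Python example, not PIVCrypt's own code or container format: AES-256-GCM for the file contents, RSA-OAEP to wrap the file key to the recipient's public key, and a software RSA key standing in for the wallet, reachable only through an unwrap callback the way the on-device unwrap would be. The MAGIC tag, container layout and function names are assumptions made for this example.

```python
import os
import struct
from typing import Callable

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical container tag and layout; PIVCrypt's real on-disk format is not shown here.
MAGIC = b"PIVX"
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def encrypt_for_recipient(plaintext: bytes, recipient_pub_pem: bytes) -> bytes:
    """Steps 1-3: random file key, wrapped to the recipient's public key, stored with the ciphertext."""
    pub = serialization.load_pem_public_key(recipient_pub_pem)
    file_key = AESGCM.generate_key(bit_length=256)   # step 1: random symmetric key
    wrapped = pub.encrypt(file_key, OAEP)             # step 2: wrap with the certificate's public key
    nonce = os.urandom(12)
    header = MAGIC + struct.pack(">H", len(wrapped)) + wrapped + nonce
    # The header is passed as AAD, so a swapped or tampered wrapped key fails the GCM tag check.
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, header)
    return header + ciphertext                        # step 3: wrapped key and ciphertext together


def decrypt_with_unwrap(blob: bytes, unwrap: Callable[[bytes], bytes]) -> bytes:
    """Step 4: the only private-key operation is `unwrap`, which the wallet performs on-device."""
    if blob[:4] != MAGIC:
        raise ValueError("not a PIVX container")
    (wlen,) = struct.unpack(">H", blob[4:6])
    wrapped = blob[6:6 + wlen]
    nonce = blob[6 + wlen:18 + wlen]
    header, ciphertext = blob[:18 + wlen], blob[18 + wlen:]
    file_key = unwrap(wrapped)                        # wrong holder: OAEP decrypt raises ValueError
    return AESGCM(file_key).decrypt(nonce, ciphertext, header)


def demo_roundtrip(plaintext: bytes, wrong_holder: bool = False) -> bytes:
    """Software stand-in for the wallet: the private key is reachable only through the unwrap callback."""
    holder = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = holder.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    blob = encrypt_for_recipient(plaintext, pub_pem)
    # A different wallet (different private key) cannot unwrap the file key.
    device = rsa.generate_private_key(public_exponent=65537, key_size=2048) if wrong_holder else holder
    return decrypt_with_unwrap(blob, lambda w: device.decrypt(w, OAEP))
```

With a real wallet, the `unwrap` callback would be a PKCS#11 RSA-OAEP decrypt on the PIV key rather than a software `priv.decrypt`; the file-decryption path stays identical.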

Requirements

  • A Crayonic wallet (Badge or KeyVault) enrolled with an X.509 certificate (see Crayonic PIV Manager)
  • Python 3.8 or later
  • Standard PKCS#11 / PIV tooling on the host OS

Getting Started

Clone or download the sample from the GitLab repository above, follow the README, and run the supplied examples against a connected Crayonic wallet. The repository includes a short scripted walkthrough that encrypts and decrypts a test file using a certificate you choose.