Encryption
Military-Grade Encryption
DodaZIP uses XChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data) with Argon2id key derivation — the same algorithms used by WireGuard, macOS FileVault, and modern cryptographic libraries.
Why XChaCha20-Poly1305?
| Feature | XChaCha20-Poly1305 | ZIP 2.0 AES-CBC |
|---|---|---|
| Cipher | XChaCha20 (stream) | AES-256 (block) |
| Authentication | Poly1305 MAC (built-in) | None (separate, optional) |
| Nonce size | 24 bytes | 16 bytes |
| KDF | Argon2id (GPU-resistant) | PBKDF2 (weak) |
| Metadata encryption | Yes (filenames, timestamps) | No |
| Modern | Yes (2015, used by WireGuard) | No (1998, aging) |
Features
- Authenticated encryption — Any tampering with the archive is detected on extraction
- Metadata encryption — Filenames, timestamps, and file sizes are encrypted, not just contents
- GPU-resistant KDF — Argon2id requires significant memory and computation, making brute-force attacks impractical
- No weak options — One algorithm, one mode. No legacy compatibility modes that weaken security
Usage
```
dodazip compress --input ./secret/ --output archive.dodaz --encrypt
# Prompts for password
```
Or with a key file:
```
dodazip compress --input ./secret/ --output archive.dodaz --key-file ./key.bin
```
Security Considerations
- Always use a strong password (12+ characters, high entropy)
- The encryption key file should be 256 bits (32 bytes) of cryptographically random data
- DodaZIP does not store passwords or keys anywhere — you must remember them
- There is no “password recovery” or “backdoor” — if you lose the password, the data is unrecoverable
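One way to create and check a key file that meets the 32-byte requirement above. This is an added example, not DodaZIP code: the function names `make_keyfile` and `check_keyfile` are hypothetical, and it assumes a Unix-like system with `/dev/urandom` and `head -c`.

```shell
#!/bin/sh
# Added example (not part of DodaZIP): create a 32-byte random key file
# readable only by its owner, and validate a key file before using it.
# Usage: make_keyfile ./key.bin, then pass ./key.bin to --key-file.

# make_keyfile PATH: write 32 bytes from the kernel CSPRNG to PATH.
# Refuses to overwrite an existing file, because replacing a key makes
# every archive encrypted with the old key unrecoverable.
make_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    (
        umask 077    # new file gets mode 0600
        set -C       # noclobber: fail if the file appeared in the meantime
        head -c 32 /dev/urandom > "$keyfile"
    ) || return 1
    check_keyfile "$keyfile"
}

# check_keyfile PATH: succeed only if PATH is a regular file of exactly
# 32 bytes with no group or other permission bits set.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "$keyfile: not a regular file" >&2; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "$keyfile: $size bytes, expected 32" >&2; return 1; }
    # In the ls -l mode string, characters 5-10 are the group/other bits.
    mode=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$keyfile: accessible to group/other" >&2; return 1; }
}
```

Keep a copy of the key file somewhere separate from the archives it protects; as noted above, a lost key cannot be recovered.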