Xipher is a collection of cryptographic primitives for key/password-based asymmetric encryption, with optional post-quantum security. It lets you share encrypted data between parties over insecure channels using public keys derived from passwords.
- Asymmetric encryption using key/password-derived public keys
- Stream processing with built-in compression
- Quantum-safe security (optional hybrid X25519 + ML-KEM-1024 support)
- Available as CLI tool, Go library, WebAssembly module, and web interface
- Optimized for both small and large data
# CLI (Homebrew, macOS)
brew install --cask shibme/tap/xipher
# CLI (Linux/macOS install script)
curl -fsSL https://xipher.org/install/install.sh | sh
# Go package
go get -u xipher.org/xipherSee the installation guide for Windows, Docker, binary downloads, and version pinning.
See the Go library guide for derive-key/encrypt/decrypt and streaming examples, and the API reference for the full surface.
Try it out at xipher.org. Keys are generated and stored in your browser, and all encryption happens locally. See the web app guide for the full send/receive flow.
Full command reference, flags, and copy-paste examples for the CLI, GitHub Action, WebAssembly module, and self-hosting the web app live in the documentation.
Anywhere a public key is accepted, you can instead point Xipher at an HTTPS URL (or bare domain) that serves the key, giving recipients a friendly, memorable reference instead of a long XPK_… string.
xipher encrypt text --fetch -k "alice.example.com" -t "Secret message"A bare domain resolves to /.well-known/xipher. See key references for resolution rules, the published key format, and hosting (including the CORS requirement for the web app).
Argon2id key derivation, Curve25519 / X25519 (with an optional quantum-safe hybrid that combines X25519 and ML-KEM-1024), and XChaCha20-Poly1305. See the cryptographic primitives for parameters, security levels, and the data format.
Note: v1.19+ uses Go's native ML-KEM package for post-quantum crypto (FIPS 203 compliant). This breaks compatibility with previous Kyber implementations. Standard ECC encryption is unaffected.
Note: Quantum-safe mode now defaults to a hybrid of X25519 and ML-KEM-1024 instead of pure ML-KEM, so security holds as long as either primitive is unbroken. Ciphertexts and public keys self-describe their algorithm, so data produced with the earlier pure ML-KEM mode still decrypts.
- Guides & examples: xipher.org/docs
- Architecture & cryptography: xipher.org/docs/#arch-overview
- Go API reference: pkg.go.dev/xipher.org/xipher
- Web interface: xipher.org
Contributions are welcome. Fork the repo, make your changes, and submit a pull request. For bugs or feature requests, open an issue.
This project is experimental - use with caution in production. If you find security issues, please report them.
A few things to keep in mind:
- Password strength matters
- Post-quantum algorithms are still evolving
- Keep your dependencies updated
See the architecture & security analysis for cryptographic details.
This project is licensed under the terms specified in the LICENSE file.