Welcome to PassLok





 Anonymous     Signed      Read-once



  Interface:       Basic     Advanced     Email
  Color scheme:       Light     Dark

     Red     Green     Blue     Custom

Click to edit color:  

     Tabs     Backg.     Btns.     Box

  Other:       Learn     ezLok     File output

     Hidden msg.     Binary file     Text file


For instructions on how to do things, click on each title below. Click again to hide.

To get instructions as you click buttons in PassLok, check Learn on the Options tab.


What is PassLok?

Before you do anything else, you may want to watch this three-minute video, which explains the essential concepts in a lighthearted way (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=UxgrES_CGcg

This approach has a number of advantages over other privacy apps that you may be familiar with:

PassLok is still in experimental phase since there has not been enough time for security experts to uncover possible flaws. Bear this in mind before entrusting critical secrets to it.

If you find PassLok too difficult, you may want to try SeeOnce instead, from https://SeeOnce.net. SeeOnce implements the Read-once mode of PassLok plus one type of text hiding, but you never have to worry about maintaining a directory of Locks. PassLok . Even easier is URSA, available at https://passlok.com/ursa, which includes only the shared Key mode of PassLok. Finally, there's PassLok for Email, an extension for Chrome and Firefox that integrates with popular email clients (currently Gmail, Yahoo, and Outlook). All of these apps are fully compatible with PassLok, although they are not compatible with each other.


Invite others to PassLok

Before you can communicate with others using PassLok, they must have obtained the app, come up with a secret Key (which they won't tell you), generated a Lock from it, and sent it back to you.

You can tell others about PassLok any way you want, but PassLok can help you to start your network with a single keystroke, this way:

1. Type a message in the main box. Don't write anything sensitive, since invitation messages are not secure.

2. Click the Invite button.

3. After confirmation, a new page should open in your default email, containing a link to PassLok that includes your personal Lock plus your encrypted message and a short set of instructions. Edit it as needed, then write the recipients' email addresses and send it.

This is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=0wTJWyd9s64

Click here for More:

The invitation link loads the web version of PassLok, but pasting it into any other version of PassLok, or opening the email in PassLok for Email or SeeOnce works just as well. Invitations made in PassLok for Email or SeeOnce can also be opened in PassLok Privacy.

People who did not get your email will still be able to obtain your Lock if you post it in the General Directory. To do this, click the myLock button if your Lock is not already displayed, then the small Edit button near the top, and then the large General Directory button. A new page will open where you only need to supply your email address, click Post, and reply to a confirmation email.

Those who get PassLok from your email invitation will have your Lock automatically stored in their directories, so they can encrypt items for you right away.


Learn how to use PassLok

If you check the Learn box in the Options tab, a text explaining what is about to happen will pop up every time a button is clicked.

And here are a few more resources you may want to check out:

The Learn PassLok website at https://passlok.com/learn contains a working copy of PassLok and a number of lessons on the different things you can do with it.

The PassLok information website at http://passlok.weebly.com contains a number of videos and PDF documents.

The PassLok manual in PDF format.

If you want to learn what's under the hood, read the PassLok technical document.


Change PassLok's look

PassLok opens with the default Light colors. You can also select the Dark, Red, Green, and Blue schemes on the Options tab, or even make your own custom scheme, this way:

1. Click Custom on Options.

2. Select the color you wish to modify: Tabs, Background, Buttons, or Boxes.

3. Click the colored box, which will open a selector. Hue and saturation are set on the main area, brightness on the sidebar.

4. Repeat steps 2 and 3 for each color type.

PassLok will pick random colors if you click the Random button. You can then edit them using the selector.


How to make a strong Key

You should be able to remember your secret Key without having to write it down. PassLok does not store the Key anywhere. In fact, it deletes it from memory after five minutes of not being used (this can be overridden via a checkbox).

Your Key will be stronger if it contains caPiTals in unusual places, numb3rs, and $ymbol$. If you use common words, miespell them to make harder a "dictionary attack." Break the words up with num334bers and sy#$%mbols. Avoid anything that might be easy to guess. PassLok knows frequently used words, but hackers' dictionaries are bigger. Do not use grammatically correct sentences, even if PassLok gives a big score.

PassLok compensates for weak Keys by adding spurious computations and may even appear to have crashed. If PassLok is slow, this may be because your Key strength is less than Medium.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=JbNM_cf8My0

Click here for More:

If you plan to use PassLok only with shared Keys, you do not need a secret Key at all. Simply Cancel when you are asked for your Key when PassLok starts, and write or paste the encryption Key into the lower box that appears when you you click the Edit button located next to the directory.

If instead of a short shared Key you paste in a piece or text at least three times as long as the message to be encrypted, PassLok uses it in Pad mode, which theoretically is much more secure than the regular mode (more on this in a help item below).


Get a hint to remember my Key

If you are reading this, likely you have gained Guest access to PassLok by clicking Cancel at the Key entry screen. The good news is that you can still encrypt messages if you know the recipient's Lock or shared Key, verify signatures, and use the Locks stored in your local directory as well as all the auxiliary functions of PassLok. You can even seal items and display the matching Lock if you enter a Key when PassLok asks for it.

The bad news is that you cannot change anything stored in the local directory, and your use of it is limited to Locks. You cannot do anything that would involve your secret Key, such as decrypting messages encrypted with your Lock, or continuing a Read-once conversation in course.

Well, we've got even worse news for you: we cannot help you to recover your secret Key, because PassLok never stored it or sent it out. There are no hints, either. If you forgot your Key, it's gone, along with all encrypted items in the local directory.

Click here for More:

Hopefully Guest mode will let you get by until you remember your secret Key. But if you want to get full access to PassLok with a new Key, here are the steps:

1. Go to the Options tab.

2. Click the Backup/Remove Options only box. When a popup asks for confirmation to delete your settings, click OK.

3. Reload PassLok.

4. The user selection screen will appear, and this time PassLok will accept whatever new Key and email or suchlike you want to give it for the user in question. Now you're back in business and can use PassLok with the new Key to seal, decrypt, store items in the local directory, etc.

At this point, the only directory entry that will work fully is "myself". You can reset or delete the entries that don't work one by one, by typing each name in the directory Edit dialog and clicking Reset (leave essential data intact) or Delete (take out everything) when the name is recognized, or all at once by following the process described in a help item below, about "moving the entire local directory."


Use a different Key temporarily

For a given user name, there is only one "secret Key" that unlocks all the capabilities of PassLok, but if you are willing to accept a limited access to its functions, you can use a different Key for the session, or whenever PassLok asks you for the Key. This way:

1. Select the user and enter the new Key in the box (optional).

2. Click the Cancel button.

3. If asked for your email etc., enter it and click OK. (the Random button will write a new random value, different from the original random token, if any, so beware)

Click here for More:

You can do pretty much everything, except things that would have involved the secret Key. You cannot modify anything in the local directory. When you reload PassLok and enter the correct Key, a warning will tell you that last session was run in Guest mode. If you don't select a user from the list, you won't have access to any stored Locks.


Make PassLok even more secure

When you first opened PassLok, you were asked to optionally enter your email or similar public, easy to recall personal information. But if instead of entering your email you click the Random button next to the input box, an 43-character random token is used. This makes your Lock much harder to crack, but it becomes tied to the device where it was created (except for the Chrome app, which can sync it across devices).

To back up your random token to a safe place in case of accidental deletion or to be able to use a different device:

1. Click the Backup/Remove Options only button on the Options tab (visible in the Advanced interface). A backup item bracketed by "PL**bak" tags appears on the main box, from where you can save it to file, copy it, email it, etc.

2. Then a dialog asks you if you want to reset your settings. If you click OK, PassLok will restart as if it had never started before, except that the local directory remains intact.

To restore the random token from a backup item, paste the packup into the main box and click Decrypt.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=4DjhIjU_nuM

Click here for More:

The reason for the email or other additional data is to combat the "rainbow table" attack, where hackers pre-compute Locks made from the words in a dictionary. This data is encrypted and stored along with other settings, so you won't need to enter it again. The Lock depends both on the Key and the email or random token; this adds extra security, but it also means that if the random token gets erased you will not be able to decrypt anything that was encrypted with your Lock. The backup item contains your settings, including the random token, double-encrypted by your secret Key. One reason to delete your settings while leaving the local directory intact is to be able to change the random token to a new value. You can also proceed without entering any email or token.

If you plan to use both PassLok and PassLok for Email, it is best if you write your real email in this box, for in this case your PassLok ezLok will be identical to the one used in PassLok for Email and you'll be able to use their main features interchangeably. This precaution is not necessary if you only use one of the versions.


Display the Lock matching your secret Key

Click the myLock button on the Main tab. The Lock matching that Key will appear in the lower box, from where you can copy it or email it.

If then you click the Edit button next to the local directory box, and after that click the button labeled General Directory, PassLok's General Directory website will open, with its lower box filled with the Lock you just made. To post your Lock so others can find it, just write your email in the upper box and click the Post button.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=L00yybDzN6k

Click here for More:

By default, PassLok displays the Lock in ezLok format, consisting only of smallcase letters (except L) and numbers, so it is easier to authenticate by reading aloud a portion of it. To display it in base64 format like all other PassLok items, go to the Options tab and uncheck ezLok. The General Directory can take ezLok Locks as well as base64 Locks. PassLok for Email and SeeOnce are compatible with PassLok ezLoks, but not with regular Locks. If you wrote your real email when asked about it, rather than something else, then your ezLok is the same as that used in PassLok for Email, and the encrypted items made by PassLok Privacy and PassLok for Email can be decrypted in the other app. This precaution is not necessary for SeeOnce.

If you need to make a Lock for a different Key (for instance, in order to receive hidden messages), it is best if you start PassLok in Guest mode by clicking Cancel when you are first asked for your Key, which will make PassLok accept a different Key. Then click myLock and supply the new Key and your email, if requested (if you use a random token you will need to copy it before, by typing "myself" at the top box of the directory Edit dialog followed by Enter, or by clicking Change Email on Options).


Encrypt a message with a Lock, to be decrypted with the matching Key (Anonymous mode)

1. Make sure Anonymous mode is selected at the bottom of the Main tab. This is the default.

2. If the recipients' Locks have been previously stored in the directory, simply select their names in the top box of the Main tab.

3. Write or paste your message in the lower box of the Main tab. You can give it rich formatting or add images and files if you display the formatting toolbar by clicking the Rich button (non-mobile).

4. Click the Encrypt button. The encrypted message will appear in the box, replacing the original message.

Copy it and paste it into your communications program or click Email to open your default email.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=nBA5JNY4gmQ

Click here for More:

This mode is called Anonymous not because it provides any protection against tracking over a network, but because the identity of the sender cannot be deduced from the encrypted message. This message can be decrypted only by someone having the Key matching one of the Locks selected. Alternatively, you can retrieve a stored Lock by beginning to type the name associated with it in the top box of the directory Edit dialog, until the encrypted Lock appears in the lower box. You can also write the names, one per line, in the lower box. It is okay if the tags up to the "==" signs on the Lock are missing, or carriage returns have been added (such as for a video URL).

This mode is not available in Email mode because it is not compatible with PassLok for Email, but the other two modes are.


Decrypt an Anonymous encrypted message (tags are PL**msa)

1. Paste the encrypted message in the lower box of the Main tab.

2. If the message doesn't decrypt automatically, click the Decrypt button. The decrypted message will appear in the box, replacing the encrypted message.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=nBA5JNY4gmQ

Click here for More:

It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

Even though this mode is not available in Email mode, messages encrypted in this mode will decrypt fine anyway.


Encrypt a message with a Lock, to be decrypted with the matching Key, and sign it with your secret Key (Signed mode)

1. Make sure Signed mode is selected at the bottom of the Main tab.

2. If the recipients' Locks have been previously stored in the directory, simply select their names in the top box of the Main tab.

3. Write or paste your message in the lower box of the Main tab. You can give it rich formatting or add images and files if you display the formatting toolbar by clicking the Rich button (non-mobile).

4. Click the Encrypt button. The encrypted message will appear in the box, replacing the original message.

Copy it and paste it into your communications program or click Email to open your default email.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=R9UanENF3ro

Click here for More:

This mode is called Signed not because a digital signature is involved, but because the message can be decrypted only by someone having the Key matching one of the Locks selected, and your Lock. Alternatively, you can retrieve a stored Lock by beginning to type the name associated with it in the top box of the directory Edit dialog, until the encrypted Lock appears in the lower box. You can also write the names, one per line, in the lower box. It is okay to strip the tags up to the "==" signs, but not recommended. It is also okay to split the encrypted message with line returns. This message can be decrypted only by someone having the Key matching the Lock used to encrypt it. Additionally, they must have your Lock in order to verify that it comes from you.

Messages encrypted in this mode can be decrypted by PassLok for Email, if the Email mode checkbox is checked in Options before the message is encrypted.


Decrypt a Signed message (tags are PL**mss)

1. If the sender's Lock has been previously stored in the local directory, simply select its name in the top box of the Main tab.

2. Paste the encrypted message in the lower box of the Main tab. You can give it rich formatting or add images and files if you display the formatting toolbar by clicking the Rich button (non-mobile).

3. If the message doesn't decrypt automatically, click the Decrypt button. The decrypted message will replace the encrypted message.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=R9UanENF3ro

Click here for More:

Alternatively, you can retrieve the sender's stored Lock by typing the name associated with it in the top box of the directory Edit dialog until the encrypted Lock appears on the lower box. It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

A message encrypted by PassLok for Email in Normal mode can be decrypted by PassLok in this mode. Just paste it in and supply a name for the included ezLok, if requested.


Encrypt a message so that nobody can read it after the exchange is over (Read-once mode)

1. Make sure Read-once mode is selected at the bottom of the Main tab.

2. Select the recipients' Locks in the top box of the Main tab. This mode requires the recipients' Locks to be previously stored in the local directory.

3. Write or paste your message in the lower box of the Main tab. You can give it rich formatting or add images and files if you display the formatting toolbar by clicking the Rich button (non-mobile).

4. Click the Encrypt button. The encrypted message will appear in the box, replacing the original message.

Copy it and paste it into your communications program or click Email to open your default email.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=VutWfWZW5bY

Click here for More:

This message can be decrypted only by someone having the Key matching one of the Locks selected, and your Lock, and then typically only once. In order to restart a Read-once conversation that has gone out of sync, clear the old data for that recipient by clicking the Reset button in the directory Edit dialog after the recipient's name is displayed above the upper box, then encrypt the message normally. The first message after a reset does not have forward secrecy, so be careful with this one. It is okay to strip the Lock tags up to the "==" signs, but not recommended. It is also okay to split the encrypted message with line returns.

Messages encrypted in this mode can be decrypted by PassLok for Email, if the Email mode checkbox is checked in Options before the message is encrypted. They can be read in SeeOnce if Compatibility mode is checked in Options.


Decrypt a message that was encrypted in Read-once mode (tags are PL**mso)

1. Select the sender's Lock on the top box of the Main tab. This mode requires the sender's Lock to be previously stored in the device's local directory.

2. Paste the encrypted message in the lower box of the Main tab.

3. If the message doesn't decrypt automatically, click the Decrypt button. The decrypted message will replace the encrypted message.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=VutWfWZW5bY

Click here for More:

Usually you can decrypt the message only once, since the ephemeral key needed to decrypt it is overwritten in the process, but after a reset the first message can be decrypted forever, and the second becomes decryptable only after it is replied to. It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

A message encrypted by PassLok for Email in Read-once mode can be decrypted by PassLok in this mode. Just paste it in and supply a name for the included ezLok, if requested. Same if it was encrypted in SeeOnce.


Reset a Read-once conversation

This may be needed if the conversation with a given correspondent has gone out of sync so that you are unable to decrypt a new Read-once message from him/her. Resetting clears ephemeral Keys and Locks on both sides, and re-initiates the Read-once exchange.

1. Click the Edit button next to the Lock selection box.

2. Start writing the name given to the correspondent in the top box of the dialog. As you type, the line above the box displays existing items matching what you have typed so far, and the Lock or encrypted shared Key appears in the lower box. You can stop typing once you see the complete name you're looking for. Search is case-insensitive.

3. Click the Reset button. A popup asks you to confirm the action, and then a message tells you that it has been done.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=VutWfWZW5bY


Send a PassLok item (Lock, encrypted message, etc.) by email

1. Check that the item displayed on the Main tab is PassLok output. If it is not, the button you need to press in the next step won't be there.

2. Click the Email button. If the device is so configured, a window appears containing the item and some explanatory text. You only need to supply the recipient's email address and a subject line before clicking the Send button.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=LsljKvjAi9I

Click here for More:

Be aware that there is a limit to the size of a message that is made this way. If you get an error, you can always copy the contents of the box and paste it into a normal mail compose screen.The email includes a link that, if clicked, will open the contents in the web app version of PassLok. To open it in a different email client or in case the button is not visible or the new window fails to appear, copy it to the clipboard and then paste it into the "compose" box of your favorite email.


Send a PassLok item by Text messaging (mobile only)

1. Check that the item to be sent is displayed on the Main tab. Usually it will have been produced with Short mode selected in Options, to make sure it fits in a single message.

2. Long-tap the item so the selection dialog appears. Then select it and copy it to clipboard.

3. Tap the button dealing with text messaging, which is labeled SMS. A window appears with the default texting app.

4. Tap the input box and then paste the clipboard. Send the message in the usual way.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=LsljKvjAi9I

Click here for More:

To decrypt a encrypted message received by texting, you must first copy it to the clipboard, and then paste it on the Main tab of PassLok. Due to browser restrictions, there is no way to know whether the item has been copied to clipboard, but hopefully the process above is fairly foolproof. (Advanced) If you want to make sure the encrypted message fits within a single text message, encrypt it with the Short option on.


Load files to be encrypted, sealed, or split (non-mobile)

1. The button to load files is the rightmost one on the formatting toolbar, which is displayed by clicking the Rich button. It looks like this:

2. When you click it, a dialog will appear so you can navigate to the file. If all goes well, the file loads into the box as a link. You will see only its name, but the whole file is actually in there.

Now you can encrypt it, seal it, or split it just like a text-based message. You can also add more files if you want. The process to retrieve the original files is explained in the help item below.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=tPeUv6BRTrg

Click here for More:

If the file is a text file, it will load as plain text rather than as a link. This command is not available on mobile devices because of their severe restrictions on accessing stored content. If using a Chromebook, be aware that the Files extension does not load Google documents completely; save the file locally in a different format and try loading it again.

You can also put images in your message, by clicking the button immediately to the left of the one to load files. In this case the content is displayed as an image rather than a link.

If you plan to send large files by email or other means, it is best to encrypt them with an archiving program such as 7zip, Winzip, or Winrar (Windows), Keka (OSX), or p7zip (Linux) using AES and a random symmetric key, and then use PassLok to encrypt that symmetric key for transmission, along with the encrypted files as attachments.


Retrieve a file that has just been decrypted, unsealed, of joined (non-mobile)

1. Make sure the file appears as a link on the Main box.

2. Right-click on it and select the Save link as option. The file will be saved at the location you select.

If there are several file links, repeat the process for each one. This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=tPeUv6BRTrg

Click here for More:

Chrome will not display the Save link as option if the file is larger than 1.5MB. Use Firefox or Safari in this case.


File output

If you select File output on the Options tab before encrypting, sealing, or splitting, the result of the operation appears as a file (several, in the case of splitting), which you can then save anywhere by right-clicking on the file labels. Doing this will speed up things considerably if you are encrypting, sealing, or splitting something large (especially on Chrome).

The file can be either binary with extension .plk (default), or text with extension .txt. This can be selected on the Options tab.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=Sm4f6FIOShI

Click here for More:

An output item loaded as a file can be decrypted, unsealed, or joined just like an item loaded as text. It can also be sent by email as an attachment, which is handy when the item is large. Firefox and Safari have no problems with file size, but Chrome won't save the output file if it is larger than 1.5MB. Feel free to change the file name or text or extension to something else, but to decrypt, unseal, or join files made this way, you must make sure the extension is .plk or .txt before you load them or PassLok may fail to recognize them as its own output.


Make an invitation to join a real-time multi-party chat session

1. Select the other participants in the chat on the list at the top of the Main tab. You are added automatically.

2. Click the Chat button. A dialog will appear asking you whether this chat is going to involve text and files only, or also will involve audio, or even video. There is also a text box where you can optionally type something that will be shown to the users (such as the date and time for the chat) before they join the chat.

3. Supply the required information and click OK. If the main box did not contain a chat invitation, a new one is generated and placed there. You can now email it with the Email button, or send it out by any other means.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=XytUN0T_2zQ

Click here for More:

Please tell participants about the time for the chat. When the time comes, you will join the chat using the same invitation as the other parties, so make sure to save it somewhere. All browsers can make a chat invitation, but some (Internet Explorer, Safari, native Android app, anything on iOS) don't support joining the actual chat.

PassLok chat invitations encrypted in Signed or Read-once mode can be decrypted in PassLok for Email, and vice-versa. If you set encrypt Compatible mode in Options before encryption, they can be decrypted in SeeOnce (Read-once only) or URSA.


Use an invitation to join a real-time chat session (tags are PL**chat)

1. Place the invitation in the Main box and click the Chat or the Decrypt button. If the sender added a message, it will be displayed and you will have to click OK to go on, or Cancel to try later.

2. A new screen opens. Write the name you want to use for the chat in the top box, and then click Start or Join (depending on whether or not you are the first to arrive at the virtual chat room).

3. As participants join the chat session, their chosen names will appear at the top of the chat screen (or a randomly-chosen tag, if they didn't supply a name). You can then post text by writing it in the Text box, followed by Enter. You can also post files by clicking the Browse or Files button.

4. If the chat involves audio or video, you may be asked to give permission to access you microphone and camera. After you grant it, you will see or hear the other participants as they join, and likely yourself too.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=XytUN0T_2zQ

Click here for More:

Connections between participants are direct, but a signaling server is used at the start so the participants can find one another, and then it is contacted no more. PassLok will remind you that this may lead to your being tracked. After the chat has started, you can go back to PassLok and do other things, then return to the chat by clicking the Chat button. The connection will stay alive until you reload PassLok or the other participants leave. If things get out of hand, you can always reset your session with the Reset Chat button. Browsers are not equal as far as support for chat: Firefox is best, followed by Chrome and the Android browser, Maxthon, and then Opera (with problems). Internet Explorer, Tor, Safari, and anything on iOS don't yet support joining a chat, though you can make a chat invitation from them.

PassLok chat invitations encrypted in Signed or Read-once mode can be decrypted in PassLok for Email, and vice-versa. Likewise, PassLok can open chat invitations made in SeeOnce and URSA.


Encrypt a message with a shared Key, to be decrypted with the same Key

1. Make sure the Anonymous or Signed modes are selected at the bottom of the Main tab.

2. If the Keys shared with each of the recipients have been previously stored in the local directory, simply select their names in the top box of the Main tab.

3. Write or paste the message in the lower box of the Main tab.

4. Click the Encrypt button. The encrypted message will appear in the box, replacing the original text.

Copy it and paste it into your communications program or click Email to open your default email program.

This and more is explained in this video tutorial (warning: watching it may leak your IP number):https://www.youtube.com/watch?v=sRdpWe4zya8

Click here for More:

This message can be decrypted only by someone having the same shared Key. It does not matter whether Anonymous or Signed mode is selected, since they use shared Keys identically. Alternatively, you can search for a stored shared Key by typing the name associated with it in the top box of the directory Edit dialog. When you type "Enter", the stored Key is decrypted for you to see.It is okay to strip the tags up to the "==" signs, but not recommended. It is also okay to split the encrypted message with line returns. The tags will depend on the encryption mode selected. There is no special tag to indicate that a shared Key was used instead of a Lock.

Messages encrypted with a shared Key cannot be decrypted in PassLok for Email. They can be decrypted in URSA if Short or Compatible mode are chosen in Options prior to encryption.


Decrypt a message encrypted with a shared Key

1. If the Key shared with the sender has been previously stored in the local directory, simply select its name in the top box of the Main tab.

2. Paste the encrypted message in the lower box of the Main tab.

3. If the message does not decrypt automatically, click the Decrypt button. The decrypted message will appear in the main box, replacing the encrypted message.

This and more is explained in this video tutorial (warning: watching it may leak your IP number):https://www.youtube.com/watch?v=sRdpWe4zya8

Click here for More:

It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

Messages encrypted with URSA can be decrypted in PassLok, using this procedure.


Encrypt a message with a Pad, to be decrypted with the same Pad

1. Copy the text to be used as Pad from its source. It should be at least five times as long as the message, or Pad mode won't engage. You can also load a whole file that is at least five times as long as the message.

2. Click the Edit button next to the directory box and paste the shared Pad in the lower box of the dialog that appears. You can also load a file by means of a button visible in the Advanced interface. Then click Done.

3. Write the message in the lower box of the Main tab.

4. Click the Encrypt button. If Pad mode is engaged, a popup will ask for the starting position in the Pad, otherwise encryption will proceed using the regular shared Key mode (a warning popup will appear if there are several paragraphs).

5. Write a number within the range given in the dialog and click OK. The encrypted message will appear in the box, replacing the original text.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=BEXYuaCxciM

Click here for More:

Pad mode is theoretically impossible to break, even by brute force. Use it when you need utmost security. The text material can be taken from a digital book, for instance. You may transmit in plain text the page number and starting position, so long as the text source is kept secret.

It is okay to split the encrypted message with line returns or to eliminate the tags at either end. It doesn't matter which encryption mode is selected at the botton of the Main tab.

Messages encrypted this way can also be decrypted in URSA.


Decrypt a message encrypted with a Pad (tags are PL**msp)

1. Copy the text to be used as Pad from its source. It should be at least five times as long as the message, or Pad mode won't engage. You can also load a whole file that is at least five times as long as the message.

2. Click the Edit button next to the directory box and paste the shared Pad in the lower box of the dialog that appears. You can also load a file by means of a button visible in the Adbanced interface. Then click Done.

3. Paste the encrypted message in the lower box of the Main tab.

4. Click the Decrypt button if decrypting does not start automatically. A popup will ask for the starting position in the Pad.

5. Write a number within the range given in the dialog and click OK. The decrypted message will appear in the main box, replacing the encrypted message.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=BEXYuaCxciM

Click here for More:

It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

URSA messages encrypted this way can also be decrypted in PassLok.


Encrypt in Human mode, so it can be decrypted by hand

1. If the three-part Key shared with the recipient has been previously stored in the local directory, simply select its name in the top box of the Main tab.

2. Write the message in the lower box of the Main tab. This mode understands only Latin characters, and removes any accents and diacritic marks.

3. Click the Encrypt button.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=npROBlHjxmc

Click here for More:

This mode engages automatically if the Key consists of three strings separated by vertical bars. If you have a single string, write two bars after it in order to use this mode. It doesn't matter which encryption mode is selected at the botton of the Main tab or on the Options tab.

The method is described in detail in this page, which can also encrypt and decrypt messages: https://passlok.com/human. URSA can also encrypt and decrypt in this mode. Even though encryption and decryption can be performed without a computer, security against computer-based cryptanalysis is comparable to that of computer-based ciphers.


Decrypt a message encrypted in Human mode (tags are PL**msh)

1. If the three-part Key shared with the recipient has been previously stored in the local directory, simply select its name in the top box of the Main tab.

2. Paste the encrypted message in the lower box of the Main tab.

3. Click the Decrypt button if decrypting does not start automatically. Unlike in other modes, you won't get a message telling you whether or not the decryption has been successful.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=npROBlHjxmc

Click here for More:

It is okay if the message is broken up by carriage returns or is missing its tags. It doesn't matter which encryption mode is selected at the botton of the Main tab.

If you want to learn how to encrypt or decrypt in this mode, using simply paper and pencil, look at the instructions in this page, which also does encryption and decryption: https://passlok.com/human. URSA can also encrypt and decrypt in this mode.


Add a Lock or shared Key to the local directory

From the Main tab (this works only for Locks):

1. Paste the Lock into the Main box. If the item is identified as a Lock, a prompt will ask you to give it a name.

2. Write a name in the prompt box and click OK. You will see the name added to the selection box at the top of the Main tab.

From the directory Edit dialog:

1. Cick the Edit button next to the directory box.

2. Write a name for the Lock or shared Key (or whatever you want to save) in the top box of the dialog that appears.

3. Paste the Lock or shared Key in the lower box, replacing whatever was there before. Usually PassLok will recognize a Lock and display a message saying so.

4. Click the Save button. A message confirms that the item has been saved under the name given.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=vQrED7eIkLA

Click here for More:

If the given name is already in the directory, the Lock or shared Key will be replaced rather than added. You can store a cover text or a List besides somebody's Lock or shared Key. In the case of a List, the given name will be displayed bracketed by double dashes. Items that are not Locks are stored encrypted. When you load PassLok from an email link, a popup may open asking you to accept saving the sender's Lock to your directory. You can change its name at this point.

(Chrome app only) If Chrome sync is checked in Options, the item will also be added to the Chrome sync area, so it is available on a different computer after you log into Chrome.


Retrieve a Lock or shared Key from the local directory

1. Click the Edit button next to the directory box.

2. Start writing the name of the item in the top box of the dialog that appears. As you type, the line above the box displays existing names that match what you have typed so far, and the item (decrypted, if it is a Lock) appears in the lower box.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=vQrED7eIkLA

Click here for More:

You can stop typing once you see the complete name for the item you're looking for. The process also works for Lists, and cover texts stored in the local directory. Search is case-insensitive, so if the item does not appear, this probably means that the name is wrong. If the item is a cover text, it loads automatically for use in Text hiding.

(Chrome app only) If you type "Enter" after a name that was not found on the local database and Chrome sync is checked in Options, PassLok will look for it in its Chrome sync area, which syncs across computers, and then adds it to the local directory.


Delete a stored item

1. Click the Edit button next to the directory box.

1. Start writing the name of the item in the top box of the dialog that appears. As you type, the line above the box displays existing names that match what you have typed so far, and the item (encrypted, unless it is a Lock) appears in the lower box.

2. Click the Delete button. A popup asks for confirmation before the item is deleted from the local directory.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=vQrED7eIkLA

Click here for More:

You can stop typing once you see the complete name for the item you are looking for. Search is case-insensitive, so if the item does not appear, that probably means the name is wrong.

(Chrome app only) If Chrome sync is checked in Options, the item will also be deleted from there, after a confirmation popup.


Make a video to authenticate your Lock

What should the video include:

What to do with the video:

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=zkcqEz3UjnM

Click here for More:

It is highly recommended that you make a video whenever you change your secret Key, so that others can be assured that the matching Lock really belongs to you. When you post your Lock so that people can use it to encrypt messages for you, write the address of the video on the line immediately below the Lock, to facilitate the verifying process. Video URLs don't affect the function of Locks, so it is okay to handle the Lock and its video address as a unit. Obviously, you wouldn't do this for a shared Key, only for a Lock.

Your PassLok ezLok is also used in PassLok for Email, so one video will suffice for both programs. PassLok for Email displays your ezLok at the beginning of any item you encrypt.


Use the General Directory

The General Directory is a Web page that can store Locks and their authentication videos, as associated with email addresses.

To get to the General Directory: Click the Edit button next to the directory box, Then click the General Directory button.

The General Directory has its own Help page, which is structured like this one.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=QQQ2df2vPgs

Click here for More:

PassLok does not guarantee the authenticity of the Locks posted on its General Directory. Email confirmation is required to post or update Locks, but this is not completely secure. Since users are encouraged to add authenticating videos and the General Directory has a button to play them, you should watch the video attached to a Lock before you use it.

The General Directory is meant as a convenience, not as a replacement for your local directory. The General Directory is not available when you are offline (the local one is). You cannot post anything but Locks on the General Directory. Be aware that opening the General Directory involves contacting a server, which may lead to being tracked.


Add, remove, and backup users

To add a new user:

1. Reload PassLok. Then click the New User button next to the user selection box.

To backup and optionally remove an existing user (advanced):

1. While you are logged in with that user's Key, go to the Options tab and click the Backup/Remove Whole Directory button (visible in the Advanced interface).

2. Then a prompt asks you to confirm deleting the directory from the device. If you click OK, the entire local directory for that user is deleted, leaving no traces. If you click Cancel, the process ends and the directory contents are not deleted. In both cases the backup on the Main tab remains.

3. To retrieve a backed-up directory (has PL**dir tags), paste it into the Main tab, and click Decrypt if it does not decrypt automatically. The database will be decrypted and placed in the directory Edit dialog. Then you can add it to the device's current local directory by clicking Merge.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=8zo-N5O82iM

Click here for More:

You can maintain multiple identities, using different Keys. The backup process is useful whenever you stop using a device or just want to transfer your data to another device.

(Chrome app only) Even if the local directory is completely deleted, the items in your Chrome sync area remain available if you click Cancel when PassLok offers to remove them from sync as well. They will load back automatically, even on a different machine, if you set up a user with the same user name.


Access the advanced functions of PassLok

PassLok launches first in Basic mode, so you are able to encrypt and decrypt messages and perform the essential directory management functions. But PassLok has a lot more capabilities, which become available when you click the Advanced checkbox in the Options tab. To get back to Basic mode, click the Basic checkbox. PassLok will remember your choice of interface next time you open it.

Some advanced capabilities include:

There is also Email mode, which displays only the functions that are available in PassLok for Email. In this mode, PassLok's output is nearly identical to that of PassLok for Email, so it can be decrypted in that program. The ouput of PassLok for Email can always be handled by the standalone PassLok, no matter which interface mode is selected in Options.

Finally, you can choose Compatible mode in Options, which will cause PassLok's output to be accepted by URSA and SeeOnce.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=Ttyvb0Qt7h0


Are there any keyboard shortcuts?

The main functions in PassLok can be accessed directly from the keyboard. The button tooltips tell you what the shortcut is for each button that has a shortcut, but below is a complete list, just in case:

Click here for More:

The list is made for access from Windows or Linux, so that each shortcut is of the form Alt-letter. If you are using a Mac, you should type ctrl-alt-letter instead. Shortcuts do not work on mobile devices.


Check the authenticity of the code

If you got PassLok from an app store, that app store is ensuring that the code you have is what the author gave to them. The following is to check the integrity of the web app version of PassLok running in a browser:

1. Direct your browser to "view source." If your browser has a command to save the source (Chrome, Firefox, and Safari do), go ahead and save it to file. Alternatively, you can go to Online-convert (http://hash.online-convert.com/sha256-generator) and type the URL of your version of PassLok there, then skip step 2.

2. Now you have to take the SHA256 checksum of the code (or the MD5 or SHA1 checksums) using a program different from PassLok. You have several options:

3. Look up the checksum for this version of PassLok, which is published on the PassLok information website at passlok.weebly.com and a number of other places. If this value and the one obtained above are not the same, the program has been tampered with. Here are some places where this information is published:

4. Now, a hacker who could alter the source code at the server might also be able to change the published checksums so they match the tampered code. To make sure that the value is authentic you should watch the one-minute video where the author or PassLok, Francisco Ruiz, reads the SHA256 checksum aloud. A link to the video usually accompanies the published SHA256 value.

This and more is explained in this video tutorial (warning: watching it may leak your IP number): https://www.youtube.com/watch?v=NrAfSo2xjnY

Click here for More:

Typically, you load the source on a separate tab by typing CTRL-U (Windows) or option-cmd-u (OSX). Another way to save the source is to copy it by first selecting the the whole source code (CTRL-A or cmd-a), then copy to clipboard (CTRL-C or cmd-c), and then paste it into a text editor (CTRL-V or cmd-v), and save it from there. DO NOT save the code using the "save" command when the working PassLok page is displayed, since then the browser would modify the source code before saving it. The correct encoding is UTF-8, no BOM (notes: Windows Notepad is unable to save text in the correct format. Cut and paste from Chrome introduces artifacts for big items like the source code).

SHA256 is built into the OS in Linux and OSX, not so in Windows, but there are free programs available, such as Checksum Utility and Bitser. There are also online utilities where you can upload a file and get the hash. Online-convert (http://hash.online-convert.com/sha256-generator), fileformat.info (http://www.fileformat.info/tool/hash.htm) and freeformatter.com (http://www.freeformatter.com/sha256-generator.html) have worked well in our tests.

If you want a clipboard-based SHA256 utility, the one at Xorbin (http://www.xorbin.com/tools/sha256-hash-calculator) has worked quite well in our tests. Don't copy and paste from Chrome, since this introduces artifacts.


I have an item that was encrypted/sealed with a previous version of PassLok, and the current version cannot handle it

We do not recommend using old versions for new work. Newer versions have enhanced security and are more user-friendly. But sometimes you may need to handle an item that is incompatible with the current version. Here is a pretty complete list of old PassLok versions, with links to them.

The current version of PassLok can be obtained from the following servers (as always, be aware that following any link may reveal your location):

source server: https://passlok.com/app

information page: http://passlok.weebly.com

GitHub page: https://github.com/fruiz500/passlok

Chrome app: https://chrome.google.com/webstore/detail/passlok-privacy/epcchpdljafmfegifkigklfcmkphfmbh

Android app: https://play.google.com/store/apps/details?id=com.fruiz500.passlok

mirrors:

https://www.autistici.org/passlok (non-US, self-certified)

https://passlok.site44.com

https://fruiz500.github.io/passlok

SHA256 for this version and video of the author reading it at:

http://passlok.weebly.com/get-passlok.html

 

Previous versions (SHA256 for each):

2.3.5 (b0a7-b564-26c1-1bd5-4f23-0829-63be-5a52-20c3-915c-96c3-8d85-7d43-b32f-5fdb-e5df)

PassLok.com

Autistici

Site44

Author reading the SHA256

2.2.8 (1580-d524-c402-53bc-c973-6305-bee8-64ec-0853-2623-d9d3-a21e-1400-4a38-4b19-b07e)

PassLok.com

Autistici

Site44

Author reading the SHA256

2.1.03 (fdc9-8bae-45c0-902f-bf6d-da01-ae7e-704c-8e32-4679-e691-a20d-4aee-2254-63af-b8d6)

PassLok.com

Autistici

Site44

Author reading the SHA256

2.0.03 (627e-45e4-0160-c885-b668-896a-7f79-766e-b93c-c6e3-0094-a28f-4380-b060-7830-48d0)

PassLok.com

Autistici

Site44

Author reading the SHA256

1.7.08 (87a4-fee6-8916-99fb-c59b-9d73-32dd-3023-5af0-3e69-18e0-caa3-d9e7-8a53-2385-957c)

PassLok.com

Autistici

Site44

Author reading the SHA256

1.6.02 (2c64-63d5-5d68-c7b2-9350-68cc-8bef-1a75-ddc1-1fa0-cd04-4428-f3ef-c079-e14f-4133)

PassLok.com

Autistici

Site44

Author reading the SHA256

1.5.03 (0061-4b79-8ba1-8fee-34c5-e243-96e9-4c7c-a0ea-cfc5-82c1-a44d-4cbb-06c4-ca00-985c)

PassLok.com

Autistici

Site44

Author reading the SHA256

The following (except 1.0) were edited so the archived help file works, changing the SHA256 from the original value (therefore no video)

1.4.03 (f1cc-8931-1d31-4d65-4dfe-fb0d-5368-f854-3766-b240-f131-c93f-a0e9-8d14-752e-018e)

PassLok.com

Autistici

Site44

1.3.03 (7c6f-3d59-1059-e712-15ea-8dcf-dcde-861a-7359-6508-3b29-5720-41c9-8271-cb69-f01a)

PassLok.com

Autistici

Site44

1.2 (c17b-c529-8757-578a-6bc2-bdc4-122e-c607-8c16-19ef-b9ee-8d4d-75aa-cf0a-b703-e0ec)

PassLok.com

Autistici

Site44

1.1 (8e5c-9714-eec3-cc65-aa8f-640d-d434-2747-aa24-624c-74c5-65ea-4077-0f0f-3b22-cc30)

PassLok.com

Autistici

Site44

1.0 (a907-25eb-50e3-e4a6-5f4b-27c1-684e-f590-6094-6fae-52f3-c7ca-47b1-732c-9eab-3e9b)

PassLok.com

Autistici

Site44


None of the help items answers my question / I want to give feedback

Then you can send us an email at passlokprivacy@gmail.com (the link will open your email client). We'll do our best to reply in a timely fashion. If you are a GitHub user, you can also go to our page on GitHub and post issues or submit improvements there.

Good constructive feedback is hard to get, so let us thank you right now, before we read your email.


Privacy Statement and Warrant Canary

PassLok is a self-contained piece of code that neither relies on servers nor requires the storage of secret information to do its job. Therefore:

1. We cannot give your secret Key to anyone (not even yourself) because we don't have it. Your Key is never stored or transmitted, and by default gets deleted from memory after five minutes of not being used.

2. We cannot give your private data to anyone because PassLok does not send anything out of your device. When you download the app from its server, you get only the code, without any cookies, plugins, or anything of that sort. We do store Locks that have been posted on our General Directory by their owners, but those are public by nature.

3. We cannot eavesdrop on your chat sessions, or enable anyone to do so. Establishing a chat session does involve contacting a signaling server (Firebase) and giving it your IP address and a disposable chatroom name so that others can contact you; the signaling server never sees the content of your chat, which is between participants only. The PassLok server doesn't even see the connection data.

4. We will never weaken the cryptography methods contained within PassLok at the request of a third party, private or public. This also means no backdoors will ever be added. We would rather shut down PassLok than be forced to do this, which would betray the very essence of our efforts. If we learn that counterfeit versions of PassLok are circulating, whether placed by hackers or government agencies, we will make the fact known to users.

Notice: Since PassLok is distributed as a piece of human-readable code, we consider it an expression of free speech protected by the laws of many countries. Putting into circulation tampered versions of PassLok, whether by individuals or public entities, violates free speech and copyright protection laws.

PassLok contains strong cryptographic methods, which may be illegal to use in some countries. Please check the local laws before using PassLok.

This paragraph and the canary logo above attest to the fact that, up until the release of version 2.4 (March 2017) we have not received any requests under gag order for user data or modifications of the code. This paragraph will be periodically updated as this situation continues.


PassLok v2.4 © F. Ruiz 2017
This document may be used, modified or redistributed under GNU GPL license, version 3.0 or higher.

JAVASCRIPT OFF, PASSLOK CANNOT RUN






Show    

You will need to re-enter your Key if you don't use it for 5 min.

PassLok will be very slow if your Key is worse than Medium.

To display or refresh your Lock, click myLock on the Main tab.

Cancel for limited functionality in Guest mode.







Show



 

Enter the Hidden Message

Enter the Key/Lock


  Show  


Enter the Key for the Hidden message



  Show 

 

The Hidden message will appear on the Main tab


Enter the total number of parts (between 2 and 255)


And the number of parts needed to retrieve the item



 



Choose the type of chat, then optionally write in the box a message including the date and time

  Text and files     Audio     Video