Skip to main content

Uses libsodium for symetric, secret key encryption of files and folders

Project description

Salt Cellar Encryption Tool

Salt Cellar is a Python program that protects your files and folders using hard encryption. The pynacl-cellar package provides the command line tool cellar to encrypt and decrypt your files/folders using a secret key and protect them from prying eyes. Files are quickly encrypted/decrypted fully asynchronously using asyncio/aiofiles.


The hard encryption is accomplished using the PyNaCl package and the libsodium library. The underlying encryption algorithm is Salsa20 which is fast and increases the file size very minimally. By default, cellar encrypts the files in place, overwriting the original files with the encrypted version.

:warning: DO NOT FORGET YOUR KEY! This program will encrypt your files and make them unusable until you decrypt them. If you lose/forget the secret key then the files will not be recoverable. Use at your own risk


A secret key for use with the tool should be 32 bytes long. It can be stored as a file, environment variable or entered in the command line. If the key is too short it will be truncated and if it's too long it will be padded with null bytes.


  • Install libsodium

  • Recommend using pipx for installing the CLI tool

    pipx install pynacl-cellar

  • Then run the command with pipx

    pipx run cellar ...


The CLI command is cellar and you can call encrypt or decrypt on a set of paths. Paths can be files, folders or - for stdin

Usage: cellar [OPTIONS] COMMAND [ARGS]...

  --version                Show the version and exit.
  -v, --verbosity          Output level WARN/INFO/DEBUG
  -l, --log-file FILENAME  File path to write logs to
  -k, --key-file FILENAME  File path to use for secret key or CELLAR_KEYFILE env var
  -p, --key-phrase TEXT    Text to use as secret key. Use "-" to read from stdin. Do NOT type your key via command line! It will show in your shell history
  -P, --key-prompt         Prompt for the secret key (default)
  --help                   Show this message and exit.

  decrypt  Decrypts given paths.
  encrypt  Encrypts given paths.

Env Vars


A file that contains the content of your private key (32 bytes)


A string that contains the content of your private key (32 bytes)


A filename to use for logging


# Encrypt a given directory
$ cellar -vv encrypt test-dir/
Secret key: 
WARNING cellar __init__: Key too short, padding to to 32 characters
INFO cellar encrypt_file: Encrypted file test-dir/mypic.jpg
INFO cellar encrypt_dir: Encrypted directory test-dir
# Encrypt stdin
$ echo foobarbaz | cellar encrypt -
# Decrypt it using pipes
$ echo foobarbaz | cellar encrypt - | cellar decrypt -

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pynacl-cellar-0.1.0.tar.gz (8.1 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page