Built for secrets that need a longer horizon.
Fury is a command-line file encryption tool, file format and Go library for people who want post-quantum choices to be the default, not a flag they might forget.
It is deliberately small in shape: generate a key, encrypt to a public recipient, decrypt with your identity. Under the surface, the format has no classical public-key recipient path, stores private identities encrypted with Argon2id, and keeps old files decryptable as future suites are added.
Two assumptions, one file key
FrodoKEM-640-SHAKE and ML-KEM-768 both wrap the file key. The design goal is simple: breaking one KEM is not enough.
Post-quantum only
There are no X25519, SSH-key or plugin recipients in v1. Fury recipients carry a postquantum label and mixed-label encryption fails closed.
No plaintext identity files
A Fury identity can only be serialised under a passphrase. Argon2id parameters are stored with the file and capped on parse.
STREAM-style chunks
The payload is encrypted with ChaCha20-Poly1305 in fixed-size chunks, using a 256-bit file key and a header MAC bound to the encrypted recipient blocks.
Short fingerprints, verified resolution
Large post-quantum public keys can be shared as files, while short furyfp1 fingerprints resolve through cache, files or HTTPS key servers and are verified before use.
Versioned suites
Suites are self-describing in encrypted files. New defaults can be added later without stranding data encrypted today.
Small commands. Serious defaults.
The archive includes fury, fury-keygen and fury-inspect. Input defaults to stdin, output defaults to stdout, and binary ciphertext is kept out of the terminal unless you ask for --armor or redirect it.
$ fury-keygen -o key.fury
$ fury -R key.fury.pub -o report.pdf.fury report.pdf
$ fury -d -i key.fury -o report.pdf report.pdf.fury
$ fury-keygen --change-passphrase key.fury
See what a Fury file is made of.
fury-inspect reports the file version, recipient suite, post-quantum status and size breakdown. Use --json when the result belongs in a script.
Readable guide first, precise design notes when you need them.
The user guide is written for everyday use: creating an identity, encrypting files, decrypting them, changing passphrases, using fingerprints, and troubleshooting common errors. The design document records the wire format and security rationale for review.
Choose your operating system and CPU architecture.
Each archive contains the command-line tools for that platform. Prefer building from source? Use go install github.com/andydixon/fury/cmd/...@latest.
Linux
BSD family
Inspect it. Build it. Review the assumptions on purpose.
Fury is free software under the GNU General Public License version 3 or later. The source, format notes and user guide are public so the security model can be checked against your own threat model.