DI Management Home > Cryptography > MySecret Blowfish Encryption Utility

MySecret Blowfish Encryption Utility

MySecret is a command-line freeware utility that can be used to encrypt and decrypt messages in an email-friendly manner. It works by encrypting or decrypting the contents of the clipboard. It can also work in file mode.

MySecret.exe is small - 150 kB - and quick. It uses the Blowfish algorithm to create base64-encoded text output that can be easily transmitted over the Internet or stored on any computer system. For more information on Blowfish see the web site of its inventor, Bruce Schneier and his references to Products that Use Blowfish.



I wrote the first version after I'd been travelling and needed a simple utility I could keep on a floppy that would enable me to create and receive encrypted emails from Internet cafes and friends' PCs. You can also use it in batch files to carry out automated encryption of backup files.

Version 3 has improvements including compression of data before encryption, random padding characters, and confirmation of the password when encrypting. Data encrypted with versions 1 and 2 can still be decrypted using version 3. There is an option to encrypt using the Version 2 algorithm, if needed.

thanks for a great program !!
i've been testing some programs (using either rijndael or blowfish) and i ended up using MYSECRET.. why?
 it's fast !!
 it's a command-line program (easy to use with vb ;)
 it's blowfish and it supports large keys..
 it copies the encrypted/decrypted text to the clipboard (easy to use with vb)
thanks again, blowfish is indeed a great algoritm..
Your "MySecret" has got to be just about the best freeware utility of its type available - Thanks!!
I love its simplicity, the ability to en/decrypt text or files easily (I knocked up a trivial script to help with that), the fact that it compresses text before encryption and that it ignores whitespace when decrypting and also looks only for data between the delimiters.
All this makes it exceptionally powerful and robust, whilst still being incredibly simple to use.

Having said all that [and meant it too], there is just one small thing that I *don't* like about it....the name "MySecret" ! It just doesn't do the program justice: to be honest, it makes the program sound like something some script-kiddy has knocked up instead of the exceptional bit of software it actually is. I suspect that a number of people might not take it [the program] seriously, which would be a shame.


Download the latest version of MySecret.zip (82.6 kB) from here [sha1=952707b94d6197af90e800c878be0c9fe943a29f].

The MySecret.exe file version was recompiled and signed on 20 September 2017 (using our signing certificate issued to "D.I. MANAGEMENT SERVICES PTY LIMITED"). The executable is 148960 bytes and has an SHA-1 checksum of 6559f4de561c332affc7ed2d0136a71cb1a99b88.

Why is the executable so large now? It used to be 50 kB, now it's 150. I mean, what's with all this bloat? The old version (2007) was compressed using UPX. Sadly, that triggers too many false positives with the poorer AV programs, so we've stopped using it. Plus the newer MSVC compilers add a bit more overhead.

Terms and Conditions

MySecret is copyright (C) 2002-17 DI Management Services Pty Ltd, all rights reserved. MySecret is freeware. Install and use entirely at your own risk. This Program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. By using the Program YOU EXPRESSLY AGREE to these conditions. If you do not agree to these conditions, DO NOT USE THE PROGRAM.

To install

  1. Copy the file MYSECRET.EXE into a directory on your PC's path, e.g. C:\Windows.
  2. That's it!

To use to encrypt a message in CLIPBOARD mode

  1. Copy the text you want to encrypt into the clipboard. This might have been typed first into Notepad, for example, or be from the body of an email.
  2. Open an Command Line window: Start > Programs > Accessories > Command Prompt.
  3. Type:
  4. The contents of the clipboard will display (this is a useful check).
  5. Enter a password when prompted. This is case-sensitive, so be careful. Your password can be any phrase with any normal characters including spaces and punctuation. The password is not displayed. Press Enter to finish. (New in Version 3) You will be asked to confirm the password, so type it again.
  6. The encrypted message will display.
  7. The encrypted message is now also in the clipboard. It can be pasted into an email or into a text editor.

To use to decrypt a message

  1. A message created with MySecret looks like this:
    -----BEGIN MYSECRET-----
    -----END MYSECRET-----
  2. Copy the message into the clipboard. Make sure you include the BEGIN and END lines, including the five dashes before the word BEGIN. It doesn't matter if there is other text before or after these lines; text outside will be ignored.
  3. In an Command Prompt (MS-DOS) window type:
    or, to be sure you mean decrypt, type
    where -d means decrypt.
  4. The contents of the clipboard will display as a check.
  5. Enter the correct password (in the example above it is "abc").
  6. If correct, the decrypted message will display on the screen.
  7. The decrypted message will also be in the clipboard for you to paste into a text document.


Usage: MySecret [OPTIONS] [-p password] [[-i] infile [[-o] outfile]]
-?|-h display this Help
-e|-d force Encrypt/Decrypt
-n do Not ask to confirm password
-w Warn before overwriting existing outfile
-2 use v2.0 algorithm (no compression)
-@ use stdin/stdout pipes if in/outfile not given
-L display licence conditions
MySecret                (=clipboard-mode, prompts for password)
MySecret -p "my pass phrase"
MySecret infile outfile (=file-mode)
MySecret -@ infile      (output to stdout)
MySecret -@ -o outfile  (input from stdin)
MySecret -@             (input from stdin/output to stdout)

Using the in-line password option

The default mode is to prompt for a password which will not be displayed when typed. Alternatively, you can use the -p option to enter a password in the command line.
will use the password "abc" to encrypt the contents of the clipboard.

To use a pass phrase with spaces or other punctuation characters in it, surround the pass phrase with double-quote characters, e.g.

MYSECRET -p "hello world#"
Note that a space is required between the "-p" and the password itself.

To use to encrypt a file

If you enter both an input and an output filename in the command line, you can encrypt or decrypt files. When encrypting. the output file will be an ordinary ANSI text file that can be viewed in any text editor, albeit in encrypted and base64 encoded form. The input file for encryption, however, may be a text or binary file of any type.
MYSECRET C:\mydrive\myfile.txt C:\mydrive\myfile.txt.mys
will create the encrypted file myfile.txt.mys. Alternatively
CD \mydrive
MYSECRET myfile.txt myfile.txt.mys
To decrypt
MYSECRET -d myfile.txt.mys myfile.txt
If the name of the file or the folder contains spaces, enclose the name in double-quotes
MYSECRET "My Documents\myfile.txt" "My Documents\myfile.txt.mys"

Using MySecret in Batch Files

This example will allow you to do "automated" encryption of a particular file using a batch file.
  1. Create a text file ENCR.BAT as follows:
    echo password is "%1"
    if "%1"=="" goto NOPASSWORD
    set mypwd=%1
    mysecret -p %mypwd% $backup.zip $backup.zip.mys
    if not errorlevel 1 del $backup.zip
    set mypwd=
    goto DONE
    echo no password
  2. Open a command prompt (MS-DOS) window in the relevant directory where your file is.
  3. At the command prompt type
    ENCR password
    where "password" is your password.
  4. The file in this example "$backup.zip" will be encrypted and the output will be the new file "$backup.zip.mys".


Security Considerations

MySecret is a software application that provides a method for encrypting data using the Blowfish block cipher algorithm. The security provided in theory is the lesser of 128-bits and the entropy provided by the user's password. No opinion is offered on the security of the Blowfish algorithm itself. It is the responsibility of the user to provide a password or pass phrase of sufficient strength and to protect the secrecy of that password, including protecting against exposure by malware or keystroke loggers on the user's computer.

Using from Web Mail

Peter Brown suggests emailing MySecret.exe as an e-mail attachment to each of your web-mail accounts. Simply double-clicking on the attachment runs the program in clipboard mode (depending on your browser security settings). In this way you can encrypt and decrypt from any computer in the world that can access the web. Thank you for an excellent suggestion, Peter.

Examples in Use

There is a demonstration VB6 project using CryptoSys API.

Linux Version

The file 'MySecret' is an executable compiled using gcc version 2.91.66 on an i686 computer running Linux 2.4.30: MySecret-3.1.1.bin-i386.tbz (44 kB), MySecret-3.1.1.bin-i386.zip (43 kB). It is compiled from the same source code as the Windows version, but it only works in file-to-file mode. (Hint: You may find the -@ option useful.) If it works for you on your ix86 Linux system, please use it.


The source code used in MySecret is original code written by David Ireland except for the following:

The executable was compressed using UPX, the Ultimate Packer for eXecutables available from http://upx.sourceforge.net. Sorry, too many false positives from AV products.

Thanks to 'Chris' for pointing a bug in version 3.1.0 with strings of a certain length (like "abc").

The Program

MySecret is written in ANSI C and has been compiled using Microsoft Visual C++ v12.0. The program is a Win32 executable that requires Windows XP or above. There is also a version compiled on a Linux machine. The first version was published on 8 February 2002. Version 2 was released in June 2003. The current Version 3 was first released on 11 May 2007. MySecret is Copyright © 2002-17 DI Management Services Pty Ltd. All rights reserved.

Technical details

For the technical minded, here's how it works in Version 2 and Version 3.

The program takes its input buffer from either the clipboard or the specified file. Unless the program is explicitly instructed to encrypt or decrypt with the -e or -d options in the command line, it will examine the input buffer for the "-----BEGIN MYSECRET" framing characters. If the framing is present, the program will attempt to decrypt the characters up to "-----END MYSECRET". In all other circumstances, it will encrypt the entire input buffer.

To encrypt, the program does the following:-
  1. Checksum: Compute a 24-bit CRC checksum of the plaintext input buffer.
  2. Generate an IV: Generate a 64-bit Initialisation Vector (IV) by making an MD5 hash of the current time and the CRC value computed above. Set the IV to be the first 8 bytes of the resulting message digest value.
  3. Set key: Generate a 128-bit key by using the IV as a salt (s) and stretching the user's pass phrase (p) by hashing with MD5 repeatedly as follows:
    • Set X(1) = MD5 (p || s)
    • For i = 2 to 1024, set X(i) = MD5 (X(i-1) || p || s)
    • Set the key as the final value of X(i).
    where || denotes ordered concatenation of two strings.
  4. Construct a padded encryption block:
    Version 2:
    1. Append the 3-byte CRC-24 checksum to the input buffer in big-endian order.
    2. Pad the result of the previous step by appending a padding string of between 1 and 8 bytes to make the total length of the encryption block an exact multiple of 8 bytes. The value of each byte of the padding string is set to the number of bytes added - i.e. 8 bytes of value 0x08, 7 bytes of value 0x07, ..., 2 bytes of 0x02, or one byte of value 0x01. This is the padding method recommended in RFC 2630, RFC 3370, RFC 1423, PKCS#5, and PKCS#7.

    Version 3:
    1. Compress the plaintext input using the ZLIB 'compress' function.
    2. Prepend the compressed data with a 10-byte header:
      • a 2-byte signature ZS: 0x5A04 ('Z' + 0x04), plus
      • the compressed length CLEN as a 32-bit integer in big-endian order, plus
      • the original, uncompressed length ULEN as a 32-bit integer in big-endian order.
    3. Append the 3-byte CRC-24 checksum in big-endian order.
    4. Append a padding string of length NPAD between 9 and 72 bytes to make the total length of the encryption block an exact multiple of 8 bytes. This padding string consists of
      • a "guard" block of 8 bytes each of value equal to the length, NPAD, of the padding string; plus
      • a sequence of length 8*k of bytes each of random value [0,255] where k is a random integer between 0 and 7; plus
      • a final block of size [1,8] bytes of value NPAD.
  5. Encrypt: Create the ciphertext by encrypting the encryption block using the Blowfish algorithm in Cipher Block Chaining (CBC) mode with the key and IV as generated above.
  6. Add header: Prepend the ciphertext with a 12-byte header consisting of
    • A 4-byte signature: 0x4D59FC00 ('M' + 'Y' + 0xFC + 0x00) for Version 3, or 0x4D59FD00 ('M' + 'Y' + 0xFD + 0x00) for Version 2; plus
    • The 8-byte IV
  7. Encode: Encode the resulting output using base64 encoding (RFC 2045 s6.8).
  8. Frame: Add CR-LF characters every 60 characters and surround with BEGIN and END frames in a similar manner to that used in PGP (RFC 2440 s6.2) and in Privacy Enhanced Mail (RFC 1421 s4.4).

Version 2

                 | Input buffer  |
                 |               |
                 | Plaintext...  | CRC(3) | PAD(1-8) |
                 |<----------(encrypt this)--------->|
|SIG(4)|  IV(8)  | Ciphertext...                     |
|<-------------------(encode this)------------------>|
| Base64-encoded output...                           |

Version 3

                                     | Plaintext...          |
                                     |<----(compress this)-->|
                                     |                      /
                                     |                     /
               |ZS(2)|CLEN(4)|ULEN(4)| Compressed data... |CRC(3)|PAD(9-72)|
               |<----------------------(encrypt this)--------------------->|
|SIG(4)| IV(8) | Ciphertext...                                             |
|<-----------------------------(encode this)------------------------------>|
| Base64-encoded output...                                                 |

Decryption is the reverse process. The program will decode any base64-encoded data found between the framing characters. It will then look for and skip over the signature and extract the IV from the input before deciphering the remaining ciphertext using the key generated from the user's pass phrase and IV. If there is no signature, the program will assume that the ciphertext was created using MySecret Version 1 and decrypt accordingly.

After decryption, the program checks that decryption has been successful by examining the decrypted block.

Version 2: Working backwards from the end of the decrypted data, there should be between 1 and 8 padding bytes each of the same value between 0x01 and 0x08 preceded by a 3-byte CRC-24 checksum which should match a CRC checksum of the preceding plaintext data.

Version 3: Confirm that the first two bytes are 'Z' and 0x04. Convert the subsequent 8 bytes into the two 32-bit integers CLEN and ULEN. Check that the values of these integers are reasonable (not negative, not too large, CLEN < decrypted block size). Get the length NPAD of the padding string from the last byte in the block. Verify that the first 8 bytes of this padding string are all of value NPAD. Extract the 3-byte CRC-24 checksum immediately before the padding string, uncompress the compressed data to recover the original plaintext, compute the CRC-24 checksum of this, and make sure the two checksum values are equal.

If any of these checks fail, the program will indicate a "Decryption Error". Otherwise it will output the recovered plaintext either to the clipboard or to a file.

There is a VB6 project that demonstrates the algorithm available here.

Security Enhancements in Version 3


For more information or to comment on this page, please send us a message.

This page last updated 20 September 2017