This is a summary of features and properties of a number of popular desktop file encryption tools, along with a longer section on each item describing the situation in more detail. This page has been compiled using information from respective home pages of the products, if you find any errors or need for further clarification, please contact support and we'll update as soon as possible.
Your choice of tool or tools all depend on how you want to use them. All software compared here are considered secure from a cryptographic point of view, (possibly with some caveats concerning 7-zip which is not primarily an encryption tool). But you should make an informed choice on which tools you use, depending on your situation. There is no one tool that fits all needs.
| Xecrets Ez | Xecrets Cli | AxCrypt | Cryptomator | VeraCrypt | Picocrypt | AESCrypt | 7-zip | |
|---|---|---|---|---|---|---|---|---|
| Cost/year | $0/$15 | $0/$100 | $60/$125 | ($0) | $0 | $0 | $0 | $0 |
| Open Source | (✅) | ✅ | 🟧 | ✅ | ✅ | ✅ | 🟧 | 🟧 |
| Windows | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Linux | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | 🟧 |
| macOS | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 🟧 |
| Portable | ✅ | ✅ | 🟧 | (❌) | 🟧 | ✅ | ❌ | ❌ |
| No Internet | ✅ | ✅ | ❌ | 🟧 | ✅ | ✅ | ✅ | ✅ |
| Zero-Knowledge | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Public Key Sharing | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| GUI | ✅ | ✅ | ✅ | (✅) | (✅) | (✅) | 🟧 | 🟧 |
| CLI | ✅ | ✅ | ❌ | ❌ | ❌ | 🟧 | ✅ | ✅ |
| Xecrets Ez | Xecrets Cli | AxCrypt | Cryptomator | VeraCrypt | Picocrypt | AESCrypt | 7-zip | |
| SDK | ✅ | ✅ | ❌ | (🟧) | ❌ | ❌ | ❌ | ❌ |
| No Admin Permissions | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Easy Viewing & Editing | ✅ | N/A | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| File Encryption | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Auto Wipe | ✅ | N/A | ✅ | (✅) | (✅) | ❌ | ❌ | ❌ |
| Cryptography | AES-256 RSA-4096 | AES-256 RSA-4096 | AES-256 RSA-4096 | AES-256 | Many | XChaCha20 | AES-256 | AES-256 |
| Authentication | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ |
| Compression | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Modern Tooling | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | (✅) |
A simple checkbox is not really enough to fully describe the situation, so here follows some more information when needed.
Xecrets Ez is free, but additional premium features are available with a premium subscription, for $15 or €15/year.
Xecrets Cli is free, unless you need the features for programmatic use, via the SDK for example, then it's $100 or €100/year as a maintenance subscription. Binaries build during the maintenance subscription validity period are valid "for ever".
Cryptomator is entirely free for the desktop, although you can unlock a few features by donating and getting a supporter license. The android and iOS apps do require a one-time purchase of approximately €15.
AxCrypt used to be entirely free when it was named version 1, then there used to be a freemium model with the free app still able to encrypt, but with AES-128, and some other limitations.Now there is no free AxCrypt app, unless you count the read-only viewer. It now comes in two flavors, with very few actual feature differences, premium at €60/year and business at €125/year. The primary difference is that the business version has user administration, and the option of a file-recovery back door for corporate recovery of employee-encrypted files.
While technically a software is open source if you can get a zip file with all the raw source files, we don't think this is enough. An open source software should be available through a well known public free repository such as github, and also include all commit history, and preferably a public issue tracker. It should come with complete and as easy as possible instructions on how to build it, including how to get, and if needed build, dependencies.
The GUI part of Xecrets Ez is not open source, but all actual work is performed by Xecrets Cli which is fully open source with a public github repository with issue tracker and commit history. From a security and auditing perspective, all relevant code is open source. The desktop app is only a user interface frontend for the command line tool with no cryptography (except for license validation).
AxCrypt is partially open source, more specifically the core encryption, as well as an older version of the Windows desktop app. There is no public repository, and no public issue tracker. The source must be requested, and you'll only get a snapshot zip archive without commit history.
AESCrypt is open source, but there are many parts of it and in different locations. Not all source is available in a public repository with issue tracker and commit history. It's not entirely clear if all versions for all platforms are available.
7-zip only provides a zip package of source files, there is no public repository.
7-zip only has a command line for Linux, no desktop app or integration.
AxCrypt has no support for Linux.
7-zip only has a command line for macOS, no desktop app or integration.
With portable we mean that it's distributed as a single executable that is directly runnable without any kind of installation.
Cryptomator does have a "portable app" version by a third party, but it still needs installation of the privileged mode file system WinFsp driver to work, it's not really portable.
AxCrypt has a portable version for Windows only, not for macOS and doesn't support Linux in any form.
All claims to zero-knowledge and similar aside, the strongest assertion that can be made about the software manufacturer not knowing anything about your data or your keys, is that the data and keys in no form ever leaves your own system.
Any kind of Internet connection for whatever purpose, including payments, embedded in the software creates the potential for an attack vector.
We believe the only really safe assertion for zero-knowledge is to simply ensure there is no code present in the software with the capability to connect over the Internet. This promise is upheld by Xecrets Ez, Xecrets Cli, Picocrypt, 7-zip and AESCrypt (probably, there are many versions published).
AxCrypt not only keeps your password in memory on their servers, the key sharing mechanism will under some circumstances even keep the private key in a decryptable form persistently stored. The AxCrypt web site even claims to be zero-knowledge, this is patently false. (We know this, because we are the original designers of it. The system has it's advantages, but it's far from zero-knowledge.) That's the risk when any parts of your keys, passwords or plain-text data ever leaves your system. You're at the mercy of promises about zero-knowledge that may be violated by mistake or perhaps by marketing taking liberty with the technical reality or just not knowing what zero-knowledge means.
Cryptomator will under certain circumstances communicate over the Internet, supposedly using a zero-knowledge protocol, but there are some limitations there as is described on their site. Also it has a version checking function, which means it has the capability to use the Internet.
Zero-knowledge is a term that is often used to describe a system where the service provider does not have access to the keys or the data. This is a very strong assertion, and it's very hard to prove.
Xecrets Ez and Xecrets Cli are zero-knowledge by design and definition, since the keys never leave your system.
AxCrypt on the other hand is not zero-knowledge, not even close. While the keys are not stored permanently on their servers, your password is routinely sent from their app to their servers for verification of your account. Any use of their web site to sign in sends your password in clear text to their servers, albeit over a secure connection. But the password is kept in clear text in memory on their servers in both cases. This is a very strong violation of zero-knowledge, and it's not clear why they claim to be zero-knowledge.
The other softwares listed here are also offline, and your password never leaves you system.
Public key cryptography enables sharing of encrypted files without sharing a password. Instead, the recipient shares their public non-secret key with you, and you then encrypt the file with that public-key, as well as your own password. The recipient can then decrypt and open the file without any secret passwords ever having been shared.
Only Xecrets Cli, Xecrets Ez and AxCrypt support public key cryptography, and they are compatible with each other.
Xecrets Ez and AxCrypt have traditional desktop window user interfaces, and are in many ways similar although AxCrypt has suffered from feature creep, adding more and more features and options that can make it a bit intimidating. Xecrets Ez tries to take just the best and most needed parts, by removing a lot of features, it is still perfect for the majority of users but not overloaded with options.
Xecrets Cli has a Graphical User Interface via the Xecrets Ez frontend.
Cryptomator does have a traditional desktop GUI, but since it's really a virtual folder (vault) wrapped around individual file encryption, it does not really have to be used when working with files, only when starting up and "opening" the vault. This makes working with files locally super-easy, but also limits the use to that particular scenario. You can't for example send files encrypted with Cryptomator, or back them up with regular software as they are decrypted as soon as they leave the vault.
Xecrets Ez has a command line interface via the Xecrets Cli backend. Since Xecrets is developed "command line first", there is nothing the desktop app can do that the command line can't, and there are many things the command line can do that are not available in the desktop app.
AxCrypt does not offer any kind of command line interface.
Cryptomator does not offer a command line interface.
Picocrypt offers what they call an "extremely limited" command line interface.
A SDK enables direct integration of the software into other software, and often consists of one or more libraries that can be linked with ones own software and providing functions by way of an Application Programming Interface. This makes it possible to easily write custom software using the advanced features provided by the SDK.
Xecrets Cli offers a .NET SDK making it easy to write applications using the functionality to encrypt and decrypt files and much more. This is how Xecrets Ez is implemented. This architecture has the added advantage of being able to provide all of the features under a GPLv3 open source license, without being affected by "Copyleft" contagion, the property of many open source licenses that causes custom software using or including the open source software to also automatically be forced to become open source under the same license.
Cryptomator offers some form of libraries that can be used by third party developers, but the pricing and capabilities of these are not clear. They are not free, and not directly available.
If a software requires administrative permissions for installation or running, this means that the potential damage caused by a vulnerability or bug is so much the greater. It also means that it may not be possible to install in all systems. Also, if the software requires installation, it can't be run directly of a USB-stick, or a cloud drive etc.
Xecrets Ez and Xecrets Cli are distributed as a single executable file that require no installation and no extra permissions.
AxCrypt does offer an install-free portable version for Windows, but not for macOS. Cryptomator requires the installation of special driver which needs permissions. AESCrypt and 7-zip are also installed into the system, and requires permissions during installation.
If your intention with file encryption is something else than sending off a copy to some other place but rather to keep using the file where it is, it's important that it doesn't require a lot of manual work.
Xecrets Ez and AxCrypt[2] work in similar ways. When you want to view or edit an encrypted file, you open it via the application, and it will then keep track of it so it can be automatically or with a single click be re-encrypted if needed, and the decrypted copy wiped and deleted. This is a premiumfeature, it's not available in the free version of Xecrets Ez.
Cryptomator is pretty much transparent, in that your normal workflow is not interrupted at all and local applications see the file as if it is a normal plain text file. The drawback is that if you do copy the file elsewhere, it is also automatically decrypted, thus complicating for example backups and making it easy to make a mistake. Also, in Windows, you can achieve the same thing or even better with the built-in Windows Encrypting File System, EFS. For Linux and macOS, there are also similar options.
For Picocrypt, AESCrypt and 7-zip you have to manually first decrypt the file, view or edit it, then remember to re-encrypt it and finally to wipe the decrypted copy. This gets quite difficult and annoying if you work with more than one file, or frequently with one file.
Not all encryption software work the same, and it depends on your situation which is to prefer. Often it's useful to use several types complementing each other. Generally we speak of full hard drive encryption, virtual drive encryption, folder encryption and file encryption.
Full hard drive encryption, encrypts the entire hard drive in a transparent manner. This protects all your data if you for example lose your laptop. Examples are BitLocker for Windows and FileVault for macOS. There are various similar solutions for Linux, it varies according to the distribution.
VeraCrypt is an example of virtual drive encryption, creates a virtual drive - in Windows through a drive letter for example, that is kept encrypted as a unit, and is physically stored as one large file on your real drive. This is very similar to full hard drive encryption, but doesn't protect the full hard drive by default. Backing up the encrypted container is tricky, and can easily result in corrupted copies. Backing up the contents, will remove the encryption. Generally we'd recommend full hard drive encryption instead, except in some very special cases.
Cryptomator is an implementation of folder encryption, which is similar to virtual drive encryption, but only keeps a specific folder and possibly sub-folders encrypted. It does have the advantage, if implemented through encryption of discrete files, of being suitable for keeping cloud stored files encrypted when they are synchronized from the local drive.
7-zip is a little odd in this taxonomy. It's really a compressing multiple-file archive utility, with encryption tacked on, on top. This is not optimal, and there's historically been quite a few cryptographic mistakes made in various versions of the zip archiver.
Picocrypt is actually similar to 7-zip in that it allows archiving of multiple files in one encrypted file, but it's built on top of zip compression with a focus on the cryptography, so it's probably a better choice, but otherwise they are functionally equivalent with the same uses cases.
File encryption, such as Xecrets Ez etc finally keeps each file encrypted separately. The big advantage is that the data stays encrypted however you copy or move it around. It never gets decrypted when moved from it's original storage which typically hard drive-, virtual drive- and folder encryption does. It works very well with synchronized cloud storage, and any other copying or replication of the files. Combined with an easy way to work with and view files, with automatic decryption, wiping and re-encryption, it's in many cases the best of many worlds. It also enables the capability to both work with files personally, and also to encrypt them to send them to other persons for example. But full hard disk encryption never hurts as a complement! In some cases it's also a great idea to use an archiver such as 7-zip to archive multiple files as one unit, and then apply a separate encryption utility on top.
When encrypting a file for other purposes than sending an encrypted copy elsewhere, it's very inconvenient that the original file is left behind. Auto wiping of the original is important when the file is encrypted and kept for further editing or viewing by the owner.
Cryptomator and VeraCrypt do not wipe or delete anything but has a similar effect on files created and kept in it's encrypted vault or container. But beware, when you first move files into the container, the originals are not wiped or even deleted! Even if overwriting of file contents is less effective in a world with SSD wear levelling, it's still better than just deletion, or even leaving the original as these do! Also, files are unprotected and decrypted as soon as you move or copy them out of the container.
Picocrypt, AESCrypt and 7-zip all require you to manually keep track of originals, delete them or even better overwrite and wipe them with a third party utility.
All of the tools listed here use strong and safe cryptographic primitives, and are likely fairly equivalent. Most use AES-256, or can use it. Only Picocrypt stands out with the use of XChaCha20, but while it has some different properties when implementing and using it, if done properly it is considered equivalent from a security standpoint.
Cryptography is used not only for confidentiality, but also for integrity which means that nothing can be changed without detection, also referred to as authentication. Similar to the concept of a checksum, but with the added strength of cryptography. Typically an HMAC, a Hashed Message Authentication Code is used, which uses a secret key in combination with a hash algorithm.
VeraCrypt and 7-zip do not implement any integrity checking mechanism, which means that there is no assurance that the data is unmodified.
It's typically a good idea to combine compression and encryption, if you're anyway processing the data, the extra processing for compression is often insignificant, and can even in some cases increase speed as the amount of data needing to be read from the storage medium is reduced. Also, in some cases compression may increase the security of the encryption since there is much less redundancy that may be exploited in a cryptanalytic attack.
Xecrets Ez, Xecrets Cli and AxCrypt[2] not only compresses, but also does so intelligently and conditionally, since there's no point compressing already compressed data.
Cryptomator, VeraCrypt and AESCrypt do not compress, they only encrypt.
It's important both for the ability to actually use open source code to recompile and rebuild, but also for security, that the source is adapted for, and built with, modern updated tooling. Older runtime libraries may contain errors and vulnerabilities, older compilers and language versions may not give as detailed warnings, older compilers will probably produce larger and slower code. Use of modern and updated tooling is also an indication on how well maintained the software is.
Xecrets Cli and Xecrets Ez are always built with the latest available stable tooling from Microsoft, which in November 2023 means Visual Studio 2022 and .NET SDK 8.0.100.
Picocrypt while actually using quite a modern tool stack with Go etc, is also officially "temporarily" abandonware, from July 2023.
VeraCrypt build instructions specify use of Visual Studio 2010, it's not clear just how the official releases are built.
AesCrypt source code indicates that it's most recently built with Visual Studio 2010, which is completely outdated. This is a warning signal.
7-zip can be compiled in a number of different ways and supports very old compilers. This in turn is an indication, if not proof, that the code does not take advantage of newer compilers and language versions features for performance and security. It's not clear from the documentation how the pre-built binaries are built.
AxCrypt still relies on .NET Framework 4.8, and older versions of the C# language. This is not necessarily a security problem, but it is most likely a performance problem as a lot of improvements have been made in the many years since .NET 4.5, the original version of .NET 4.8 was released in 2012. It also indicates an increasing technical debt.