Status: Stable Release Development Status: Production
Version 1.4.2 introduces a Simple/Pro mode toggle for the desktop GUI, making encryption accessible to non-technical users while preserving full control for power users. The STANDARD security template has been significantly strengthened with modern hash algorithms, RandomX key derivation, cascade encryption, and Independent XOR (v11) composition as the default.
The desktop GUI now launches in Simple mode by default, showing only three tabs (Encrypt, Decrypt, Settings) with a clean interface: file/text input, password, and an encrypt/decrypt button. All cryptographic options are hidden — the CLI --standard template handles everything automatically. A Pro mode toggle in Settings restores the full UI with algorithm selection, hash/KDF chain configuration, cascade/asymmetric modes, HSM, steganography, and identity management.
The default encryption profile used by Simple mode and --standard has been upgraded:
- Hashes: SHA3-512 (10k rounds) + BLAKE3 (10k rounds) — two algorithms from different families
- KDFs: Argon2 (10 rounds) + RandomX light (10 rounds) — memory-hard + proof-of-work
- Key derivation: Independent XOR v11 (Massey's composition) — key is at least as strong as the strongest component
- Encryption: Cascade (AES-256-GCM + ChaCha20-Poly1305) — two cipher families for defense-in-depth
- RandomX now works correctly in the independent XOR (v11) key derivation path (both parallel and non-parallel)
- Argon2 and RandomX display progress bars in XOR mode when --progress is enabled
- Dependency bumps: cryptography 46.0.6, requests 2.33.0, black 26.3.1, nltk 3.9.4
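The independent XOR composition from the profile above, sketched as an added example that is not the project's implementation. scrypt and PBKDF2 stand in for Argon2 and RandomX (neither is in the Python standard library); the per-component salt derivation and all function names are assumptions, and a chained variant is included only for contrast.

```python
import hashlib
import hmac

KEY_LEN = 32


def scrypt_component(password, salt):
    # Memory-hard stand-in for the Argon2 step (assumption of this sketch).
    return hashlib.scrypt(password, salt=salt, n=2**12, r=8, p=1, dklen=KEY_LEN)


def pbkdf2_component(password, salt):
    # CPU-bound stand-in for the RandomX step (assumption of this sketch).
    return hashlib.pbkdf2_hmac("sha512", password, salt, 10_000, dklen=KEY_LEN)


def broken_component(password, salt):
    # Models a component that contributes nothing: constant output.
    return bytes(KEY_LEN)


def component_salt(master_salt, index):
    # Domain-separate the salt so no two components see the same input.
    return hmac.new(master_salt, b"xor-component-%d" % index, hashlib.sha256).digest()


def independent_xor(password, master_salt, components):
    """Run every KDF on the password independently and XOR the outputs."""
    key = bytes(KEY_LEN)
    for index, kdf in enumerate(components):
        part = kdf(password, component_salt(master_salt, index))
        if len(part) != KEY_LEN:
            raise ValueError("every component must return KEY_LEN bytes")
        key = bytes(a ^ b for a, b in zip(key, part))
    return key


def chained(password, master_salt, components):
    """Contrast case: each KDF consumes the previous KDF's output."""
    material = password
    for index, kdf in enumerate(components):
        material = kdf(material, component_salt(master_salt, index))
    return material


if __name__ == "__main__":
    pw, salt = b"constructed-password", bytes(16)  # constructed sample inputs
    good = independent_xor(pw, salt, [scrypt_component, pbkdf2_component])
    print("independent XOR key:", good.hex())
    # With one failed component the XOR key still equals the healthy one,
    # while the chained key collapses to the failed component's constant.
    print("xor, one broken    :", independent_xor(pw, salt, [scrypt_component, broken_component]).hex())
    print("chained, one broken:", chained(pw, salt, [scrypt_component, broken_component]).hex())
```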
Status: Release Candidate 1
Version 1.4.1rc1 is a security and feature release built on top of the stable 1.4.0 baseline. The headline addition is Format Version 12 streaming chunked AEAD encryption, enabling constant-memory encryption and decryption of arbitrarily large files. A broad security hardening sweep addresses ~30 issues identified in an internal audit, and full Windows compatibility is backported from v1.5.x.
Large files are now processed as a sequence of independently authenticated AEAD chunks rather than being loaded into memory in full. Each chunk carries its own nonce and is bound to a per-chunk counter to prevent reordering or truncation attacks. The streaming decryptor validates chunk_count from metadata against the actual payload and rejects any mismatch. Memory usage is proportional to chunk size regardless of file size.
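A sketch of the chunk binding described above, as an added example that is not OpenSSL Encrypt's own code. It assumes the chunk index and total count are bound as associated data, and it uses a standard-library HMAC/SHAKE encrypt-then-MAC construction as a stand-in for the project's AEAD ciphers; all names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


class StreamError(ValueError):
    """A chunk failed authentication or the chunk count does not match."""


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): SHAKE-256 keystream keyed by key and nonce.
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key, nonce, aad, ciphertext):
    # The AAD is length-prefixed so it cannot run into the ciphertext.
    msg = struct.pack(">Q", len(aad)) + aad + nonce + ciphertext
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()


def chunk_aad(index, total):
    # Assumed binding: position and total count are authenticated with every chunk.
    return b"demo-stream" + struct.pack(">QQ", index, total)


def encrypt_chunks(key, data, chunk_size):
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    records = []
    for index, chunk in enumerate(chunks):
        nonce = os.urandom(NONCE_LEN)  # fresh nonce per chunk
        ct = _xor_stream(key, nonce, chunk)
        records.append(nonce + ct + _tag(key, nonce, chunk_aad(index, len(chunks)), ct))
    return {"chunk_count": len(chunks)}, records


def decrypt_chunks(key, metadata, records):
    total = metadata["chunk_count"]
    if len(records) != total:
        raise StreamError(f"metadata says {total} chunks, payload has {len(records)}")
    for index, record in enumerate(records):
        if len(record) < NONCE_LEN + TAG_LEN:
            raise StreamError(f"chunk {index} is too short")
        nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, nonce, chunk_aad(index, total), ct)):
            raise StreamError(f"chunk {index} failed authentication")
        yield _xor_stream(key, nonce, ct)  # released only after the tag verifies


def try_decrypt(key, metadata, records):
    try:
        return True, b"".join(decrypt_chunks(key, metadata, records))
    except StreamError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = os.urandom(32)
    meta, recs = encrypt_chunks(key, b"A" * 40, chunk_size=16)  # constructed input
    print("intact                  ", try_decrypt(key, meta, recs))
    print("reordered               ", try_decrypt(key, meta, [recs[1], recs[0], recs[2]]))
    print("truncated               ", try_decrypt(key, meta, recs[:2]))
    print("truncated + forged count", try_decrypt(key, {"chunk_count": 2}, recs[:2]))
```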
All non-data output — progress bars, status messages, warnings, YubiKey touch prompts — now goes to stderr via the new eprint() helper (~1,500 call sites migrated). Piping or capturing stdout in scripts now works correctly without 2>/dev/null leaking status text into captured output. Interactive terminal prompts use cross-platform tty_write()/tty_clear_line() helpers that write directly to the controlling terminal (/dev/tty on Unix, msvcrt on Windows), surviving both 1>/dev/null and 2>/dev/null.
Full Windows support backported from v1.5.x: NTFS ACL-based file permissions via the new file_permissions.py module, UTF-8 encoding fixes across all file I/O and subprocess calls, emoji-safe fallback for Windows consoles, and an automated Whirlpool build step for Windows installations.
--info action: Display format version, algorithms, and encrypted_at timestamp for any encrypted file without decrypting it.
- Key zeroization via SecureBytes/secure_memzero in cascade, streaming, and crypt_core after key use
- HKDF replaces bare SHA-256/KDF-output for: keystore password wrap key, streaming HMAC key, pepper derivation, PQC signature keys (v12+)
- Per-layer independently derived salts and all-layer AAD for cascade encryption (v12+)
- Per-chunk nonce bound into each cascade layer in streaming mode
- PQC signature HKDF salt pre-generated and bound into AEAD metadata before encryption
- Plugin sandbox: blocked marshal/codecs modules, __dict__/__func__/__self__ attributes, string-concatenation-based dangerous name construction; TOCTOU mitigations for file validation and symlink checks; hardened AST analyzer (PL-4/5/6/H8/H9/H10)
- Algorithm registries frozen after initialization to prevent runtime tampering (M9/M13)
- Keystore and pepper config files set to 0o600/0o700; keystore dual encryption includes AAD (M1/M20)
- Identity import verifies fingerprint to detect tampering; identity names validated against path traversal (M5/H1/H2)
- PQCKeystore gains close()/context manager for deterministic key zeroization
- HSM pepper cache stored as bytearray for effective memory zeroing
- PluginSecurityContext.capabilities stored as frozenset; PluginResult strips sensitive keys on construction (M10)
- KeyStretch mutable class state reset at start of each operation
- Plugin threading-mode execution serialized with a lock
- Keystore warns when falling back from Argon2id to PBKDF2
- Dependency bumps: authlib 1.6.9, python-jose 3.4.0, cryptography ≥46.0.5
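One way to implement the static checks named in the plugin sandbox item, as an added example rather than the project's analyzer. The DANGEROUS_NAMES list, the function names and the sample plugin are assumptions constructed for illustration, and the concatenation check only folds string literals joined with +.

```python
import ast

BLOCKED_MODULES = {"marshal", "codecs"}              # from the release note
BLOCKED_ATTRS = {"__dict__", "__func__", "__self__"}  # from the release note
DANGEROUS_NAMES = {"eval", "exec", "compile", "__import__"}  # assumed list


def fold_literal_concat(node):
    """Return the string a literal '+' expression builds, or None if not constant."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left = fold_literal_concat(node.left)
        right = fold_literal_concat(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def scan_plugin(source):
    """Return sorted (line, reason) findings for one plugin source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    findings.append((node.lineno, f"blocked module: {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""  # relative imports have no module name
            if module.split(".")[0] in BLOCKED_MODULES:
                findings.append((node.lineno, f"blocked module: {module}"))
        elif isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            findings.append((node.lineno, f"blocked attribute: {node.attr}"))
        elif isinstance(node, ast.BinOp):
            built = fold_literal_concat(node)
            if built in DANGEROUS_NAMES | BLOCKED_ATTRS | BLOCKED_MODULES:
                findings.append((node.lineno, f"name built by concatenation: {built}"))
    return sorted(findings)


# Constructed sample plugin, used only as scanner input.
SAMPLE_PLUGIN = '''\
import json
import marshal
from codecs import decode

def run(ctx):
    fn = getattr(ctx, "ev" + "al")
    return run.__dict__, json.dumps({})
'''

if __name__ == "__main__":
    for line, reason in scan_plugin(SAMPLE_PLUGIN):
        print(f"line {line}: {reason}")
```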
Status: Alpha Pre-Release Development Status: Testing Phase Target Final Release: Q1 2026
Version 1.4.0-alpha.1 represents a transformative milestone in OpenSSL Encrypt's evolution, introducing enterprise-grade infrastructure for key distribution, privacy-preserving telemetry, advanced multi-layer encryption capabilities, and post-quantum cipher additions. This alpha release delivers 127 commits across three major infrastructure components and multiple cryptographic enhancements, establishing the foundation for v1.4.0's production release in Q1 2026.
The centerpiece of this release is a production-ready post-quantum keyserver built on FastAPI and PostgreSQL, providing secure public key distribution with ML-DSA signature verification:
- Secure Key Distribution: Public key upload, search, and revocation with bearer token authentication for write operations
- Signature Verification: All uploaded keys verified using ML-DSA post-quantum signatures ensuring authenticity
- Plugin Architecture: Extensible system supporting HSM integration and custom storage backends
- Production Deployment: Docker support with health monitoring, deployed at https://keyserver.rm-rf.ch
- CORS and Rate Limiting: Production-grade security with comprehensive request throttling
- liboqs 0.12.0: Full HQC algorithm support (HQC-128/192/256) via source-built integration
A completely opt-in telemetry infrastructure designed with privacy as the primary concern:
- Privacy-First Design: Anonymous client identifiers with explicit user consent required
- Configurable Data Collection: Plugin-based architecture with granular data collection controls
- Minimal Data Footprint: Only collects essential usage metrics with data minimization principles
- Transparent Policies: Clear data usage documentation and user controls
- Production Infrastructure: FastAPI REST API with PostgreSQL backend, deployed at https://telemetry.rm-rf.ch
- Automated Migrations: Database schema management with Alembic migration framework
Revolutionary multi-layer encryption providing unprecedented security through cipher diversity:
- Sequential Encryption: Encrypt data through multiple cipher layers (minimum 2, unlimited maximum)
- Chained Key Derivation: Each layer's key includes entropy from previous layer via HKDF
- Break-All Requirement: Attacker must compromise ALL ciphers to decrypt data
- CLI Integration: Simple syntax --cascade "aes-256-gcm,chacha20-poly1305,xcha-poly1305"
- Automatic Validation: Cipher diversity validation prevents weak configurations
- New Metadata Format V8: Native cascade encryption support with backward compatibility
Example Usage:
```bash
# Three-layer cascade encryption
crypt encrypt --cascade "aes-256-gcm,chacha20-poly1305,threefish-512" secret.txt
# Five-layer maximum security
crypt encrypt --cascade "threefish-1024,aes-256-gcm,xcha-poly1305,aes-256-ocb3,chacha20-poly1305" data.bin
```
New memory-hard post-quantum symmetric ciphers implemented in Rust:
- Threefish-512: 256-bit post-quantum security level with 512-bit block size
- Threefish-1024: 512-bit post-quantum security level with 1024-bit block size
- AEAD Mode: Authenticated encryption with embedded nonce for secure operations
- Quantum Resistance: Memory-hard construction resistant to quantum attacks
- Rust Implementation: High-performance Maturin-based Rust/Python integration
- Ideal for Cascade: Excellent choice for cascade encryption diversity
Centralized cryptographic algorithm management replacing scattered hardcoded lists:
- Cipher Registry: 12+ symmetric encryption algorithms with security metadata
- Hash Registry: 15+ cryptographic hash functions (SHA-2, SHA-3, BLAKE, SHAKE)
- KDF Registry: 8 key derivation functions (Argon2, Scrypt, Balloon, HKDF, RandomX, etc.)
- KEM Registry: 9 Key Encapsulation Mechanisms (Kyber-512/768/1024, ML-KEM-512/768/1024, HQC-128/192/256)
- Signature Registry: 15 post-quantum signatures (ML-DSA, MAYO, CROSS, Falcon, Dilithium, SPHINCS+)
- CLI Browse Command: crypt list-algorithms for interactive algorithm exploration
- Validation Framework: Automatic security level indicators and safe combination validation
- Help Integration: Registry powers CLI help text and configuration wizard
Enterprise HSM support for hardware-protected asymmetric key operations:
- HSM-Protected Identities: Create identities with keys stored in HSM devices
- CLI Arguments: --hsm, --hsm-slot, --hsm-pin for HSM configuration
- Password-Free Operations: HSM_ONLY identities skip password prompts
- Seamless Auto-Detection: Automatic HSM usage when --with-key provided
- Persistent Configuration: Save/load HSM identities without password requirements
Comprehensive security improvements across all cryptographic operations:
- SecureBytes Implementation: All registries (KDF, Cipher, Signature, KEM) use secure memory handling
- Automatic Zeroing: Sensitive data automatically cleared after use
- Thread-Safe Operations: Secure memory operations safe for concurrent use
- Security Audit Resolution: All critical registry security issues resolved
- Vulnerability Reporting: SECURITY.md added to ALL 20 branches (including EOL releases)
- PGP Encrypted Reporting: PGP key fingerprint published for secure vulnerability disclosure
Production-ready deployment infrastructure:
- Docker Compose: Complete orchestration for both keyserver and telemetry
- PostgreSQL Backend: Reliable database layer with automated migrations
- Health Monitoring: Dedicated health check endpoints for both services
- Nginx Reverse Proxy: Production deployment with SSL/TLS termination
- liboqs 0.12.0: Source-built for complete HQC algorithm support in keyserver
Significant test infrastructure enhancements:
- Modular Test Suite: Domain-specific test files for better parallelization
- Performance Optimization: Reduced test execution time via optimized KDF parameters
- High-CPU Runners: GitLab CI uses high-CPU tagged runners for faster execution
- Worksteal Distribution: Dynamic load balancing across parallel test workers
- Comprehensive Coverage: Cascade encryption, Threefish, registry, HSM, and server tests
Major documentation cleanup:
- SECURITY.md: Comprehensive vulnerability reporting policy with PGP encryption
- Documentation Reorganization: Moved analysis/audit files to openssl_encrypt/docs/
- Test Script Organization: Moved runner scripts to tests/ directory
- Plan File Removal: Cleaned up implementation plans from repository
- Pre-Commit Hook: Automated plan file enforcement on main branch
Zero Breaking Changes - Full backward compatibility maintained:
- All existing encrypted files decrypt without changes
- Existing configurations work unchanged
- New features (cascade, Threefish) use new metadata format V8
- Metadata V1-V7 remain fully supported
This is an alpha pre-release intended for testing and feedback:
Recommended Testing:
- Test cascade encryption with various cipher combinations
- Evaluate Threefish-512 and Threefish-1024 performance
- Deploy keyserver in test environment
- Evaluate telemetry privacy controls
- Test HSM integration with your hardware
Not Recommended:
- Production deployment of critical data (use v1.3.0 stable)
- Permanent encryption with cascade mode (test thoroughly first)
- Public keyserver deployment without security review
Feedback Channels:
- GitHub Security Advisory for security issues
- PGP-encrypted email: tobster@brain-force.ch (C8E4 C58E 83AB B314 74C0 E108 0271 3C63 792B 8986)
- GitHub Issues for feature requests and bugs
Production Test Servers:
- Keyserver: https://keyserver.rm-rf.ch
  - Endpoint: /api/v1/keys/search
  - Authentication: Bearer token for uploads
  - Signature: ML-DSA verification required
- Telemetry: https://telemetry.rm-rf.ch
  - Endpoint: /api/v1/register
  - Privacy: Opt-in with anonymous client IDs
  - Data: Minimal usage metrics only
New Dependencies:
- FastAPI (keyserver/telemetry REST APIs)
- PostgreSQL + psycopg2-binary (database backends)
- liboqs 0.12.0 (HQC algorithm support)
- Maturin (Rust/Python integration for Threefish)
Infrastructure:
- Docker multi-stage builds
- Alembic database migrations
- Pytest parallelization improvements
- GitLab CI high-CPU runners
Planned for Beta and RC Releases:
- Comprehensive cascade encryption security audit
- Keyserver federation protocol
- Telemetry dashboard and analytics
- Mobile app integration with keyserver
- Performance benchmarks for cascade mode
- Extended HSM device compatibility
- Final security audit and penetration testing
Timeline:
- v1.4.0-alpha.2: January 2026 (bug fixes, feedback incorporation)
- v1.4.0-beta.1: February 2026 (feature complete, extended testing)
- v1.4.0-rc.1: March 2026 (release candidate, final stabilization)
- v1.4.0 Final: Q1 2026 (production release)
Status: Production Release Development Status: Stable
Version 1.3.0 delivered extensive testing capabilities, RandomX proof-of-work KDF, steganography GUI integration, and comprehensive security hardening. This release achieved an overall security score of 8.8/10 with zero critical vulnerabilities and production-ready status across all features.
[See CHANGELOG.md for complete v1.3.0 details]
Status: Production Release Development Status: Stable
Version 1.2.0 represents a transformative milestone in OpenSSL Encrypt's user experience, delivering a professional Flutter-based desktop GUI that provides native Wayland and X11 support, comprehensive CLI integration, and a modern desktop-optimized interface. This release revolutionizes the user experience while maintaining all cryptographic capabilities and introducing advanced configuration interfaces for power users.
- Native Desktop Application: Professional Flutter desktop GUI with native Wayland and X11 support eliminating display server compatibility issues
- Advanced CLI Integration: Complete Flutter-to-CLI bridge service providing real-time progress monitoring, error handling, and full algorithm access
- Desktop UX Standards: Professional menu bar, comprehensive keyboard shortcuts (Ctrl+O, Ctrl+S, F1), drag & drop file operations, and native desktop dialogs
- Responsive Design: Modern desktop-optimized layout with NavigationRail sidebar, tabbed interface, and professional visual hierarchy
- Professional Settings Interface: Searchable settings with theme switching (Light/Dark/System), cryptographic defaults, and application behavior controls
- Advanced Algorithm Configuration: Interactive parameter tuning interface for all KDFs (Argon2, Scrypt, Balloon, HKDF) with real-time validation
- Post-Quantum Algorithm UI: Complete graphical interface for ML-KEM, Kyber, HQC, MAYO, and CROSS algorithms with security guidance
- Algorithm Recommendation Engine: Intelligent algorithm selection with security level recommendations and performance considerations
- GUI Architecture Migration: Complete migration from tkinter to Flutter providing superior cross-platform compatibility and native desktop integration
- Simplified Flatpak Integration: Streamlined Flatpak permissions and launcher focusing on Flutter's native capabilities
- Enhanced Security Posture: Reduced attack surface through elimination of complex X11/XWayland compatibility layers
- Native Platform Security: Flutter's native desktop integration provides better sandboxing than X11-based solutions
- Algorithm Security Hardening: Removed deprecated PBKDF2 key derivation and Whirlpool hash algorithms from encryption operations to eliminate weak cryptographic options and strengthen security posture
- Segregated CLI Help System: Two-tier help (global overview + command-specific options)
- Improved User Experience: Context-aware help reduces cognitive load
- Better Discoverability: Clear command overview with focused option display
- Maintained Compatibility: All existing functionality and file formats unchanged
Status: Production Release Development Status: Stable
Version 1.1.0 represented a major advancement in OpenSSL Encrypt's cryptographic capabilities, delivering extensive hash algorithm support, modern key derivation functions, post-quantum signature algorithms, and a completely reorganized user interface. This release significantly expanded our cryptographic portfolio while maintaining the highest standards of security and usability.
- Complete SHA-2 Family: Added SHA-224 and SHA-384 to complement existing SHA-256 and SHA-512
- Complete SHA-3 Family: Added SHA3-224 and SHA3-384 to complement existing SHA3-256 and SHA3-512
- BLAKE3 Ultra-Fast Hash: Latest evolution of BLAKE family with tree-based parallelism for maximum performance
- SHAKE-128 Function: Additional extendable-output function complementing SHAKE-256
- Professional Organization: All hash algorithms now organized by cryptographic families in both GUI and CLI
- HKDF Implementation: RFC 5869 HMAC-based Key Derivation Function with configurable hash algorithms (SHA-224/256/384/512)
- Flexible Configuration: Support for chained KDF rounds and application-specific context information
- Legacy Categorization: PBKDF2 properly categorized as legacy with secure defaults (disabled by default)
- Modern KDF Promotion: Clear distinction between modern (HKDF, Argon2, Scrypt, Balloon) and legacy options
- MAYO Algorithm Support: MAYO-1/3/5 multivariate signature algorithms for quantum-resistant authentication
- CROSS Algorithm Integration: CROSS-128/192/256 code-based signature algorithms with comprehensive validation
- Hybrid Signature Architecture: Support for combining classical and post-quantum signature schemes
- Complete Portfolio: Authentication algorithms complement existing encryption portfolio (Kyber, ML-KEM, HQC)
Status: Production Release Development Status: Stable
Version 1.0.0 represents the official production release of OpenSSL Encrypt, delivering enterprise-grade quantum-resistant cryptographic capabilities with comprehensive security hardening and production stability. This milestone release completes our commitment to providing a robust, secure, and reliable cryptographic solution ready for production deployment across all environments.
- Complete post-quantum cryptography support (Kyber, ML-KEM, HQC algorithms)
- Production-grade type safety and runtime stability
- Comprehensive security hardening with constant-time operations
- Enterprise-ready keystore management for PQC keys
- Full backward compatibility with all previous file formats
- Industry-leading code quality standards with comprehensive static analysis
Status: Final Release Candidate Development Status: Production Ready
Version 1.0.0-rc3 served as the final stabilization release candidate, focusing on production deployment readiness and comprehensive testing validation. This release completed final type safety improvements, resolved remaining edge cases in post-quantum cryptography operations, and achieved 100% test coverage for all critical security functions.
- Complete resolution of all remaining MyPy type errors
- Final security audit completion with zero HIGH/MEDIUM severity issues
- Comprehensive integration testing across all supported platforms
- Final documentation review and production deployment guides
- Performance optimization for production workloads
Status: Production Ready Release Candidate Development Status: Production/Stable Ready
Version 1.0.0-rc2 represents a significant milestone in achieving production readiness through comprehensive type safety and runtime stability improvements. We've resolved all critical MyPy type errors that could cause runtime failures in post-quantum cryptography operations, fixed variable naming conflicts between AESGCM and PQCipher classes, and corrected string/bytes type mismatches in password handling. This release achieves 90%+ resolution of critical runtime issues, reducing type errors from 529 to approximately 480, while maintaining security analysis confirmation of 0 HIGH/MEDIUM severity issues.
This release achieves production-ready HQC algorithm support, completing our comprehensive post-quantum cryptography portfolio. The HQC implementation includes all three security levels (hqc-128/192/256-hybrid) with extensive testing infrastructure covering 15 test files across all symmetric encryption algorithm combinations. Key achievements include:
HQC Production Readiness:
- Complete implementation with liboqs dependency integration and fallback mechanisms
- Full keystore integration with HQC key generation, storage, and retrieval
- Dual-encryption support combining HQC with additional password protection
- File format v5 compatibility ensuring cross-algorithm interoperability
Comprehensive Security Validation:
- Robust error handling for invalid keys, corrupted data, and wrong passwords
- Algorithm mismatch detection and memory corruption prevention
- Complete security validation test suite covering all HQC attack vectors
- Integration testing verifying compatibility with all supported symmetric ciphers
Complete Test Matrix:
- HQC-128: 5 test files (AES-GCM, AES-GCM-SIV, AES-OCB3, ChaCha20-Poly1305, XChaCha20-Poly1305)
- HQC-192: 5 test files (AES-GCM, AES-GCM-SIV, AES-OCB3, ChaCha20-Poly1305, XChaCha20-Poly1305)
- HQC-256: 5 test files (AES-GCM, AES-GCM-SIV, AES-OCB3, ChaCha20-Poly1305, XChaCha20-Poly1305)
The combination of Kyber, ML-KEM, and HQC algorithms provides complete quantum-resistant encryption capabilities with mathematical diversity (lattice-based and code-based approaches) and hybrid encryption architecture, ensuring both current security and future quantum-resistance.
We've completed a comprehensive documentation overhaul, consolidating 37+ scattered documentation files into 10 well-organized, comprehensive guides. This represents a 73% reduction in file count while preserving all important information and dramatically improving usability. The new structure includes: User Documentation with a complete User Guide covering installation, usage, examples, and troubleshooting, plus a dedicated Keystore Guide for PQC key management; Security Documentation featuring comprehensive Security Documentation covering threat models and cryptographic architecture, an Algorithm Reference with complete cryptographic algorithm audit, and Dependency Management documentation for security assessment and version policies; Technical Documentation including Metadata Formats specifications and Development Setup guides; and Project Documentation with complete version history, dependency versioning strategy, and development roadmap. Each consolidated file features comprehensive table of contents, improved cross-referencing, and consistent formatting. The README.md has been updated with clickable links to all documentation sections for easy navigation.
Version 1.0.0-rc1 introduced comprehensive multi-layered static code analysis with 7 GitLab CI jobs, 18+ pre-commit hooks for immediate development feedback, and a legacy algorithm warning system for deprecated cryptographic algorithms. We implemented comprehensive code formatting via Black and isort, enhanced CI pipeline with Docker improvements and job isolation, and completed repository cleanup removing unnecessary development artifacts. This release established industry-leading code quality standards with comprehensive static analysis integration and enhanced security scanning capabilities.
Enhanced password security across all interfaces with CRYPT_PASSWORD environment variable support for CLI with secure multi-pass clearing, comprehensive GUI password security with SecurePasswordVar class, and extensive unit test suite with 11 tests covering environment variable password handling. This release significantly strengthened password handling security with secure clearing verification for environment variables.
Extended our post-quantum capabilities with ML-KEM algorithms (ML-KEM-512/768/1024) and re-enabled HQC algorithms with comprehensive testing (HQC-128/192/256). Enhanced keystore integration for all PQC algorithms, improved concurrent test execution safety, and removed bcrypt dependency due to incompatible salt handling. This provided extended quantum-resistant algorithm support with comprehensive post-quantum testing infrastructure.
Implemented comprehensive security hardening including constant-time cryptographic operations, secure memory allocator for cryptographic data, and standardized error handling to prevent information leakage. Added Python 3.13 compatibility, enhanced CI pipeline with pip-audit scanning, SBOM generation, and thread safety improvements with thread-local timing jitter. This major security release provided comprehensive dependency security with version pinning while maintaining backward compatibility.
Focused on Python version compatibility fixes for versions < 3.12, more resilient Whirlpool implementation during package build, enhanced build system reliability, and cross-platform compatibility improvements.
Introduced new metadata structure v5 with backward compatibility, user-defined data encryption when using PQC, enhanced PQC flexibility with configurable symmetric algorithms, and comprehensive testing and documentation updates.
Completed keystore implementation for post-quantum keys with comprehensive testing and updated documentation. Version 0.7.2 added new metadata structure with backward compatibility, improved data organization, and enhanced file format versioning. Version 0.7.0-rc1 introduced the PQC key management system and local encrypted keystore for post-quantum keys.
Version 0.6.0-rc1 delivered feature-complete post-quantum cryptography implementation with hybrid encryption architecture. Version 0.5.3 provided additional buffer overflow protection and enhanced secure memory handling. Version 0.5.2 introduced post-quantum resistant encryption via hybrid approach with Kyber KEM integration.
The foundation period saw rapid development from initial release (0.1.0) with basic Fernet encryption through algorithm expansion including AES-GCM and ChaCha20-Poly1305 (0.2.0), Argon2 key derivation (0.3.0), secure memory handling (0.4.0), Scrypt support (0.4.4), and BLAKE2b/SHAKE-256/XChaCha20-Poly1305 support (0.5.0).
We've updated several key dependencies to address security vulnerabilities, most notably upgrading cryptography from 42.0.0 to 44.0.1 to fix CVE-2024-12797. All dependencies now follow strict version pinning with both lower and upper bounds to prevent unexpected breaking changes. We've implemented comprehensive dependency security scanning using pip-audit (replacing Safety) for continuous vulnerability monitoring in both development and CI environments. This update also includes improvements to our CI security pipeline, with automated scanning of both production and development dependencies.
Beyond dependency updates, we've significantly improved our development and deployment infrastructure. We implemented a robust dependency management system using pip-tools, creating lock files (requirements-prod.txt, requirements-dev.txt) for reproducible builds. Our security posture has been strengthened with pre-commit hooks for local security scanning and a multi-stage CI pipeline that performs vulnerability scanning, code security analysis via Bandit, and generates a Software Bill of Materials (SBOM) in CycloneDX format. The custom gitlab_dependency_scan.py script provides reliable CI security scanning that integrates with GitLab's security dashboard.
We've implemented multiple layers of security hardening to strengthen our cryptographic operations. Key improvements include implementing comprehensive constant-time operations across all sensitive data comparisons and MAC verifications, preventing timing side-channel attacks. Our memory security has been fortified through systematic auditing of secure memory zeroing practices, ensuring all sensitive data (keys, passwords) is properly cleared after use, and implementing a secure memory allocator specifically for cryptographic data. We've fortified error handling to prevent information leakage while standardizing error messages to prevent fingerprinting. Thread safety has been improved with thread-local timing jitter and comprehensive testing.
- February 2025 (0.5.2): Introduction of post-quantum resistance via Kyber KEM
- February 2025 (0.6.0-rc1): Feature-complete hybrid post-quantum architecture
- March 2025 (0.7.x): Local encrypted keystore for PQC keys
- May 2025 (0.9.1): ML-KEM algorithms and enhanced HQC support
- June 2025 (1.0.0-rc2): Complete HQC implementation and production readiness
- January 2025 (0.1.0): Fernet encryption foundation
- January 2025 (0.2.0): AES-GCM and ChaCha20-Poly1305 support
- January 2025 (0.3.0): Argon2 key derivation implementation
- January 2025 (0.4.4): Scrypt support and additional hash algorithms
- January 2025 (0.5.0): BLAKE2b, SHAKE-256, and XChaCha20-Poly1305
- January 2025 (0.4.0): Secure memory handling foundation
- February 2025 (0.5.3): Buffer overflow protection enhancements
- April 2025 (0.9.0): Major security hardening with constant-time operations
- May 2025 (1.0.0-rc1): Comprehensive static analysis and quality standards
- June 2025 (1.0.0-rc2): Production-grade type safety and stability
- Various releases: Progressive CI/CD pipeline improvements
- April 2025 (0.9.0): SBOM generation and pip-audit integration
- May 2025 (1.0.0-rc1): 18+ pre-commit hooks and 7-job CI analysis
- Ongoing: Comprehensive testing infrastructure and security scanning
This comprehensive release history demonstrates OpenSSL Encrypt's evolution from a basic encryption tool to a production-ready, quantum-resistant cryptographic solution with industry-leading security practices and comprehensive feature support.