Project Nayuki

NotepadCrypt format decrypter (Java)

This standalone program decrypts files that were encrypted in NotepadCrypt’s simple format. The intent of this program is to provide an independent, robust implementation for handling the file format, in case NotepadCrypt (or that author’s own small standalone decrypter) is inaccessible or has errors.

Source code


Usage: java DecryptNotepadCrypt InputFile [-m] Passphrase


  • -m: Use master key (only applicable for files with master key)


  • java DecryptNotepadCrypt myencryptedfile.bin password123
  • java DecryptNotepadCrypt myencryptedfile.bin -m masterPass456

Usage notes:

  • The program prints the decrypted text to standard output. You can redirect standard output to a file if you wish to save the text, tweak the character encoding, do further processing, etc.

  • The passphrase is a command-line argument, so it might be stored in the shell’s command history (e.g. for Bash shell). Be careful about this.

  • The program can be hacked to instead read the passphrase from standard input (with echoing): Add import*; in the block of imports; add passphrase = new BufferedReader(new InputStreamReader( after where inputFile is initialized; run the program with a dummy passphrase argument; type the passphrase into standard input and hit enter.


  • NotepadCrypt’s encryption format is essentially summarized as follows:
    ciphertext = header + initVector + CBC-AES-256(initVector, PKCS7-Pad(plaintext), SHA-256(passphrase)).
    (Plus denotes byte sequence concatenation.)

  • To my knowledge, this encryption format itself has no security flaws. However, the main program’s cryptography implementation could possibly have poor choices of initialization vectors, timing attacks, etc.

  • My decrypter implementation is completely standalone and contained in one small source file. It only needs Java’s standard library for I/O and a bit of utilities. It even implements from scratch SHA-256 (~60 lines), AES-256 (~160 lines), and CBC mode, for a total of just about 350 lines of code!

  • Due to the padding scheme used, most but not all misdecryptions can be detected. In fact, the probability of failing to detect a misdecryption is just about 1/255. (More accurately, the probability is exactly 1/256 + 1/2562 + ... + 1/25616, assuming that the block cipher behaves like a random oracle/permutation.) Of course, this detection rate is much worse than that of a real scheme such as a hash or a MAC.