v1.0.0 — Production
CRYPTORTOISE

Plug in to unlock.
Pull out to lock.
// zero passwords. ever again.

FIDO2 hardware-key encryption for Linux. Encrypt directories, browser profiles, app configs, and credentials. Your key is the only password. 427 tests. Open source. No telemetry.

Everything encrypted. One key to rule them all.

🔒
Directory Encryption

Encrypt any directory into a .crpt vault using gocryptfs. FUSE-mounted, transparent to all apps. Hardware-derived keys never touch disk.

🔌
Plug & Play

USB daemon auto-mounts vaults when your key is inserted and auto-unmounts when removed. Magnetic breakaway connector for instant lock.

🌐
Browser Profiles

Encrypt Brave, Firefox, and LibreWolf profiles. History, passwords, cookies, extensions. Symlinked transparently—browsers just work.

🔑
Credential Vault

Hardware-encrypted password store. Add, get, edit, remove. Auto-copy to clipboard with configurable clear delay. Fuzzy search.

🛡
Software Passkeys

ECDSA P-256 passkeys stored in your vault. WebAuthn override routes auth automatically. Hardware passkey tracking built in.

🖥
App Protection

Encrypt Discord, Steam, Proton Mail Bridge, GNOME Keyring. Auto-detect with scan command. Original paths symlinked to vault mounts.

Hardware key derives the secret. Nothing is stored.

Your FIDO2 key uses the HMAC-secret extension to derive a unique encryption passphrase on demand. The key never leaves the hardware. gocryptfs handles transparent FUSE encryption. No master password, no key file, no cloud sync. Tap the key. That's it.

FIDO2 key → HMAC-secret → HKDF-SHA256 → passphrase → gocryptfs → encrypted vault
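
The derivation chain described above, as an added example that is not Cryptortoise's own code. The authenticator is simulated in software, and the per-vault salt, the HKDF info label and the base64 passphrase encoding are assumptions, since the page does not specify them.

```python
import base64
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    if not 0 < length <= 255 * 32:
        raise ValueError("HKDF-SHA256 yields between 1 and 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def simulated_hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Software stand-in for the authenticator: HMAC-SHA256(CredRandom, salt).
    On a real key CredRandom stays inside the device; only this output is returned."""
    if len(salt) != 32:
        raise ValueError("hmac-secret salts are exactly 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def vault_passphrase(hmac_output: bytes, vault_id: str) -> str:
    """Stretch the 32-byte hmac-secret output into a printable passphrase.
    The info label and base64 encoding are assumptions made for this example."""
    info = b"example-vault-passphrase:" + vault_id.encode()
    return base64.urlsafe_b64encode(hkdf_sha256(hmac_output, b"", info)).decode()


if __name__ == "__main__":
    # Constructed sample values: a fake device secret and a non-secret per-vault salt.
    cred_random = bytes(range(32))
    salt = hashlib.sha256(b"Documents.crpt").digest()
    print(vault_passphrase(simulated_hmac_secret(cred_random, salt), "Documents.crpt"))
```

The same key and salt always reproduce the same passphrase, which is why no passphrase has to be stored; a different key, salt or vault label yields an unrelated one.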

Built into your workflow. Not bolted on.

System Tray
AppIndicator daemon

Vault status, quick mount/unmount, key presence indicator. Runs at login via XDG autostart.

File Manager
Right-click encrypt

Nautilus, Nemo, Caja, Dolphin, Thunar. Right-click any folder to encrypt or decrypt in place.

Browser
Extension + autofill

Chromium MV3 and Firefox MV2. Credential autofill, passkey creation, vault status popup.

PAM
Passwordless login

Optional pam_u2f integration. Screen auto-locks on key removal, auto-unlocks on insertion.

Powerful CLI. Clean interface.

Encryption
cryptortoise encrypt ~/Documents
cryptortoise open ~/Documents.crpt
cryptortoise close-all
Credentials
cryptortoise cred add github.com
cryptortoise cred get github
cryptortoise cred list --json
Browsers & Apps
cryptortoise scan
cryptortoise encrypt-browser brave
cryptortoise encrypt-app discord
System
cryptortoise tray --daemon
cryptortoise doctor
cryptortoise status --json

The Shell Key.

Pre-flashed FIDO2 key with magnetic USB-C snap connector. 540° swivel, 480Mbps data, 240W passthrough. Tested and verified before shipping. Pull the connector and your machine locks instantly.

$30 Shell Key
FIDO2 Pico firmware v7.4
USB-C Magnetic breakaway
427 Automated tests

Also works with YubiKey 5, SoloKeys Solo 2, Nitrokey FIDO2, or any key with hmac-secret support.

Get Cryptortoise.

Debian / Ubuntu
sudo apt install cryptortoise
Fedora
sudo dnf install cryptortoise
Arch (AUR)
yay -S cryptortoise
PyPI
pip install cryptortoise