Every new version has improvements and changes behind the
scenes, but those will rarely be called out here as they would provide no
useful information to the end user.
- Fixed AES key length selection bug on certain Windows
systems. (If this bug affected you, it would entirely prevent encrypting;
no files have been mistakenly encrypted with the wrong key size.)
- New splitting/concatenating support for files.
- New tab in Advanced Options affecting compatibility
with older versions. The tab contents will grow as needed.
- New entry in the "Help" menu to launch the
User's Guide in the system PDF reader, if the Guide is present.
- Fixed interaction between "delete originals"
and a previous failed decryption attempt.
- Fixed adding a file to the GUI, then later adding the
same file and a new file at the same time, no longer causes errors.
- Fixed [Windows only] launching from the Start menu will
no longer point certain file choosers (from "Browse" buttons) at
the Windows system folder.
- Changed hashing output with
be written to an "OUTFILE" via
-t/--output, for those
environments prohibiting standard output redirection.
- Changed how special Unicode sequences are implemented
on platforms where font support is uncertain. Anyone seeing
empty boxes or question marks should report it as a bug!
- Changed how public keys are loaded from X.509 certificates
to properly detect unsupported key algorithms. Additional algorithms for
key types will be added in future releases.
- Fixed launching with
double-clicking an encrypted .wzd file in Windows will properly attempt to
decrypt it rather than offering to encrypt it a second time.
- Fixed the creation of FIPS-compliant X.509 certificates
in the "Tools -> Generate Public/Private Keys" utility when
running a FIPS 140-2 certified edition of Encryption Wizard.
- Fixed decrypting files on a CD/DVD will once again
properly ask for an output location unconditionally, instead of attempting
to write the files back to a read-only optical drive.
- Changed the Legion of the Bouncy Castle has fixed the
bug in their FIPS implementation that incorrectly required high-strength
keys to be available at launch even when only 128-bit keys were being used.
Starting with this release, EW-Unified no longer requires unlimited strength
jurisdiction policy files merely to launch.
- Changed hashing on large files should be faster.
- Changed how EW starts up, shuts down, and is logged in
between. Users with unusual runtime environments may need to be aware of
this, but the change will be transparent to the majority.
- Support for running under Java SE 9. Java SE 8 remains the minimum JRE
- New digital signatures (finally!) on the executable JAR
file. The certificate used for Public and Unified editions has a root CA
commonly included in most Java installations; the certificate for the Govt
- Fixed launching the JAR file via a UNC
"\\servername\path\to\the\EW.jar" path should be more robust now.
- New "OUTFILE" syntax hook for filename arguments
to certain options. This is intended to help in particular corner cases; see
-vh help output for details.
- New option
--list-inputs to assist when
doing tricky expansion and/or matching.
- New startup hooks and automatic logfiles to aid users
and IA staff when running in restrictive environments.
- Changed the treatment of files given at startup which
turn out to be unreadable (e.g., permission problems). Previously this
would halt processing; now a diagnostic will be issued listing the files,
but whatever-you-told-it-to-do will keep going. Users invoking EW as part
of a scripted operation should ensure that files are reachable prior to
- New 32-bit path for the ActivClient 6.2 smartcard DLL
included in the default search list. If you are using a saved custom
library list, your settings will not be affected by this change.
- Fixed saving Keychains via their sibling window.
- Fixed passphrase output when using
- Changed requesting semi-random logfile names during
special startup conditions should be more flexible.
- Changed handling of archive entries with unsafe embedded
pathnames. This will continue to improve, but the present treatment will allow
for recovering more inadvertently-dangerous files.
- Move to Java 8 as the minimum JRE version.
- Introducing the Unified edition, which will become a
standard edition going forward, and represents the best of the previous two
- Like the Public edition, Unified editions require no
special approvals to download and use, and may be redistributed without
- Like the Government edition, Unified editions are
FIPS 140-2 validated. The Unified editions include a FIPS cryptography
module provided by The Legion of the Bouncy Castle. Note: a known
bug in the module prevents it from properly working under all conditions
if you are not using unlimited strength jurisdiction policy files. The
bug is fixed in their next release; until then, EW-Unified will disable
FIPS 140-2 mode if started up with the default policy files.
- Custom editions thus have a choice of FIPS 140-2 cryptography providers.
- Adds support for the SHA-3 family of hash algorithms.
- Secure deletion can now be performed directly on files in the main GUI
window. Previously, secure deletion was only done as part of a larger operation,
or as an isolated action from the command line or shift-right-click on Windows.
- Adds support for pasting files and text from the system clipboard. Pasted
text will act as a self-contained file in the main GUI window.
- Fixed certain FIPS 140-2 libraries being loaded
under adjusted SecurityManagers in Java 8u131.
- Fixed shortcuts created by running the "Install"
step on MS-Windows should be more flexible with subsequent runs of Oracle
- Fixed passphrase compatibility when decrypting with 3.3.0
While the breakage was unintentional, this fix will be made user-toggleable
in 3.5, as (strictly speaking) the 3.3.0 behavior was buggy and can
someday become a security risk.
- Fixed opening Keychains with a particular flavor of
- New logo! As the Software Protection Initiative program
comes to a close, its strongest products -- some in the form of software,
some in the form of concepts and practices -- are moving to a new home. As
before, Encryption Wizard will continue to be included inside our most
well-known software: the bootable LPS, now called Trusted End Node
Security, or TENS.
- Changed some internal support libraries. Users on 64-bit
operating systems should see a speedup in long-running operations.
- This should be the final normal release of the 3.4 series. The next EW
major release will be 3.5.0, but we will of course create future 3.4.x releases
if any bugs or weaknesses in 3.4.11 or the Java platform are found to
threaten users' security.
- Fixed corrupting or deleting Keychains while saving them
with default passphrases under Java 7u21 or later.
- Changed the GUI startup scan for Keychain files to a
new search order:
Note that (2) is rarely useful for most Windows users. Note that (3) is
not useful when running the Encryption Wizard JAR while "browsing"
inside its own zip file (which is not recommended).
- Any Keychains in the current working directory.
- Any Keychains in the same location as the JAR file.
- Any Keychains in the application data location. This can be
easily accessed via "Tools -> Platform Support -> Open
Application Data Location".
- Fixed directories/folders are properly tracked and displayed
in addition to their files.
The correction of directory/folder tracking can potentially cause an odd
situation. Specifically, if this version of Encryption Wizard is used
to create an archive that contains directories which are empty,
then expanding that archive with older (pre-bugfix) versions may create
zero-length files instead of recreating the empty directory.
The safest way to avoid this situation is by updating the
"receiving/extracting" copy of EW to 3.4.9 or later. If
doing so is infeasible, then putting a placeholder file into an otherwise
empty directory is also an option. (We recommend automating that to
reduce the chance of making mistakes.)
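One way to automate the placeholder workaround described above, run on the sending side before the archive is created. This is an added example, not part of Encryption Wizard or its documentation; the placeholder name `.keep` and the function names are assumptions.

```python
"""Add a placeholder file to every empty directory under a tree."""
import os
import sys
import tempfile

PLACEHOLDER = ".keep"  # assumed name; any ordinary filename will do


def _raise(err):
    # Surface unreadable directories instead of silently skipping them.
    raise err


def add_placeholders(root, name=PLACEHOLDER, dry_run=False):
    """Return the empty directories found under root, sorted.

    Unless dry_run is set, a zero-length file called `name` is created
    in each of them so the directory is no longer empty when archived.
    """
    if not os.path.isdir(root):
        raise NotADirectoryError(root)
    found = []
    # followlinks=False keeps the walk inside the tree being archived.
    for dirpath, dirnames, filenames in os.walk(
            root, onerror=_raise, followlinks=False):
        if dirnames or filenames:
            continue  # directory already has content
        if not dry_run:
            # Mode "x" creates the file and refuses to overwrite anything.
            with open(os.path.join(dirpath, name), "x"):
                pass
        found.append(dirpath)
    return sorted(found)


def demo():
    """Run against a constructed sample tree and return relative paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports", "2024"))  # empty leaf
        os.makedirs(os.path.join(root, "inbox"))            # empty
        with open(os.path.join(root, "reports", "summary.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        return [os.path.relpath(d, root) for d in add_placeholders(root)]


if __name__ == "__main__":
    # With an argument: process that tree. Without: run the sample tree.
    results = add_placeholders(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path in results:
        print("placeholder added in:", path)
```

Running it with `dry_run=True` first lists the directories that would be touched; a second real run returns an empty list because no empty directories remain.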
- New performance enhancements. The exact changes visible
to end users will depend strongly on platform characteristics and the
kind of workload presented.
- New methods of launching file managers on Linux. This
support is somewhat experimental. If the defaults for your platform do
not work, contact the ATSPI office. The currently active method may be
tested via "Tools -> Platform Support -> Open Application Data
Location" or by clicking the Location link on any File Info dialog.
- Changed More stringent safety/permission checks while
adding files to the main window.
- Changed Improved decryption of certain unusual file types.
- Changed Be more aggressive when trying to recover from
system provider errors, as we can in some cases avoid third-party bugs.
- Fixed More robustness when running in nonstandard environments.
- Fixed The output of
-H/--hash with fewer than
-v/--verbose flags no longer strips partial paths down
to only the filename.
- Changed Smarter security when handling and encrypting passwords.
- Changed Improved diagnostics reporting in GUI mode.
- Changed Improvements to command-line archive name handling
and option parsing, including new options
-M/--match added along with
@file "command file" support; see the
User Manual or the output of
"-v -h" for a description.
- Fixed Unusual filenames archived on certain platforms
and then expanded on more restrictive platforms should no longer cause
errors; instead the filenames will be manipulated into a safer local
form (and the user alerted).
- Fixed secure deletion triggered automatically after crypto
operations when the OS has not yet finished closing the file. (One
workaround is to disable the secure deletion option; another is to not delete
input files during crypto operations, and then manually use secure deletion
on the file afterwards.)
- Changed the command-line mode interaction when an option
prompt is cancelled. Now a final line will be displayed reflecting the
- Changed the password generator to reduce the potential
for back-to-back repeated characters.
- New log control unique-name capabilities.
- Fixed locking/buffering on temporary files on certain
platform/JRE combinations. Ciphering operations under those conditions
should no longer be abysmally slow.
- Changed installation steps on Microsoft Windows platforms
with restrictive security policies. Files copied into the user's own
application data folder should no longer become unreadable.
- New page in the builtin help, summarizing best practices
from the User Manual.
--run-platform option adapts most of
the Platform Support submenu to the command line. The exact syntax is
described in the usual
- New MIME wrapping and unwrapping of arbitrary files via
the File and popup menus. This produces RFC 2045 output with some
surrounding optional text.
- Changed expansion/parsing of file paths passed during
startup. This should result in fewer surprises when launching the GUI
with initial filenames.
- Changed the primary cryptography actions to do as many
file-related safety and sanity checks as possible before any actual
crypto steps. Permission problems, questions about overwriting files,
and the like should now all be done before any potentially time-consuming
tasks. Also, if the user chooses to overwrite only some existing files
and skip others, confirmation will be sought before starting.
- As part of the above work, changed when and how output
files are created. If you are processing many files at a time,
you might experience problems related to running out of file
descriptors. (In practice this depends on operating system and
administrative policies.) Should this occur, contact ATSPI.
- Changed how files in a folder tree are individually
encrypted. Previously the tree would be "flattened" to save
all .wzd files into the same folder. Now the folder tree is duplicated
in the output, which should cause fewer surprises.
- Fixed temporary files being left behind, a bug in the
JRE on Windows. If EW cannot work around the bug when it occurs, EW will
do so when exiting. A warning to the user will be displayed, as a
reminder to close the program.
- Fixed cancelling decryptions on very large files.
- Changed the "restart with full logging"
capability to pull in additional, previously unavailable, debugging text.
- Changed the reading of smart cards to provide a modest
speedup when reading large numbers of certificates/identities from a
- Changed default password length in the generator to 12.
- Fixed a bug with the command-line parser when calculating
- Fixed a bug where certain environments could prevent
proper loading and migration of saved options.
- New command-line password generator capability.
- New During cipher operations, if the source is a temporary
file, behave as if "ask for output locations" is always on,
using a safe starting destination. This should help when opening files
directly out of other software (for example, encrypted email attachments
won't be decrypted into some obscure location buried in the filesystem).
- Changed the logging subsystem; the Log window and similar
outputs should be much less cluttered and noisy now.
- Changed minor improvements to the graphical UI: link
directly to the local application data folder (buried and hidden by default
on some platforms), improved messages during Windows install/uninstall,
much faster password generation under unusual criteria, try to catch
accidental uses of "Decrypt" on archive files.
- Fixed the various smartcard windows to not explode if
an access check is done without a card, but a card is inserted before the
check times out. (The card should be properly detected in such a case.)
- New for the File Info dialog:
- A 'Location' line with the full path to the file in question (good for
finding output files after encrypting/decrypting, if you forget where the
original file was)
- Clicking the 'Location' opens a file manager in that path, with the
file in question selected if possible
- Double-clicking a file in the main GUI opens the File Info dialog
- Fixed the Password Generator to give up if it cannot
create a passphrase within a time limit; particularly stringent creation
parameters can take excessively long.
- Fixed the Password Generator in those custom builds which
require password complexity to be enforced. During encryption, the generator
tab's "Add" button will once again not become clickable until a
password is generated which meets the same requirements as one typed in by
the user. To see which parameters have not been met by a given generated
password, hover the mouse over the grayed-out "Add" button.
(The "Copy" button remains active for all generated passwords
regardless of complexity requirements.)
- Changed the various tests performed during startup. More
errors in unusual situations should be handled properly, and users on some
platforms should see faster startup times when using the GUI.
- New check for Keychain files (*.wzk) in the Data Path
during startup. Users will be prompted to open or skip any Keychains found
in that folder, just as they have been for Keychains found in the current
directory at startup. To find the exact Data Path for your system, see the
System Info window in GUI mode, or use --sys-info on the command
line. (Windows users may not have an existing Data Path until performing the
optional install step under the Tools menu.)
- Internal changes to code supporting custom build configurations. This has no
visible effect on standard EW-Govt or EW-Public editions.
- Fixed a bug where users of the Government FIPS edition storing
public keys in their Keychains, or using a CAC/private key to encrypt their
Keychains, could find themselves unable to re-open the stored Keychain file.
Version 3.4.2 can re-open such Keychains and will automatically correct them
to be usable again with older (or non-Government) versions.
- Changed keytool wrapper utility will store public certificates
in Base64 encoded PEM format instead of binary DER format, to be accessible
to more tools, and will display its command line for users who need access
to options beyond what the wrapper utility offers at any given time.
- New keytool wrapper utility for interactively creating a
public/private keypair, reachable under the Tools menu.
- New command-line capability to extract metadata into a file
during decryption operations. The file can be edited by hand, and can be
used to apply metadata during subsequent encryption operations.
- Fixed stored options to use a portable file rather than
the native Java Preferences system. Air Force users of certain SDC versions
should no longer encounter problems with stored options. (The file is in
the 'Data Path' location shown in System Info.)
- Fixed startup issues when trying to run EW when the JAR
file is on specific kinds of network storage. Air Force users of certain
SDC versions will see warnings and instructions at the very beginning
rather than eventually running into problems later.
- Fixed some startup and logging problems occasionally
seen when running in a text-only environment.
- Fixed restarting with JVM options inherited from the
environment which also contain unprotected whitespace. Air Force users of
certain SDC versions should no longer see the restarted window vanish.
- Fixed temporary files handling on Windows systems with
unusual temporary folder settings. Air Force SDC users should no longer
see temporary files left behind after exiting (which were being cleaned
up on the next run anyway but took up space in the meantime).
- Move to Java 7 as minimum JRE version.
- Store and restore file attributes inside archives.
- Support for 256-bit AES.
- New command-line interface.
- Secure erasure and checksum/hashing without running the main GUI.
- Lots of under-the-hood improvements.