Encryptic
Encryptic is a dedicated hardware encryption engine designed to make strong cryptography sovereign, secure, and accessible. The goal of the project is to provide a dependency-free way for individuals to encrypt and archive their data without relying on third-party services, operating systems, or complex software stacks.
Instead of running encryption in software, Encryptic performs all cryptographic operations directly in hardware on an FPGA. This reduces the attack surface, improves determinism, and removes the need to trust the host system beyond basic data transfer.
Inspiration
We wanted to create a hardware-based encryption solution that is both faster and more secure than traditional software implementations. Software encryption is typically executed inside a general-purpose operating system, which introduces unnecessary complexity and potential vulnerabilities.
By implementing cryptography directly on an FPGA, we can achieve deterministic, wire-speed encryption without relying on the security of the host CPU or operating system. This approach also aligns with the broader goal of making secure archiving accessible to users who want full control over their data.
What It Does
Encryptic is a hardware encryption device that turns a Basys3 FPGA into a USB-connected cryptographic accelerator. A user connects the device to a computer, sends files through a serial interface, and receives encrypted or decrypted data in return.
The system uses AES-256 for encryption and SHA-256 for password-based key derivation. A user-supplied password is hashed using SHA-256, and the resulting 256-bit digest is used as the AES key. The FPGA does not store files, keys, or passwords. Data is processed as a stream and only exists in hardware registers while being encrypted or decrypted.
From the user's perspective, encryption and decryption are performed with a single command, making the system simple to use while keeping all sensitive operations in hardware.
How We Built It
Encryptic is composed of three main components: the hardware layer, the communication protocol, and the host software.
Hardware Layer
The hardware layer is implemented on a Basys3 FPGA using SystemVerilog. We integrated the open-source Secworks AES-256 and SHA-256 cores and built a custom finite state machine to manage command handling, data flow, and cryptographic operations.
The FPGA runs at 50 MHz, derived from the Basys3 onboard 100 MHz oscillator. The clock runs continuously and reset is handled purely through logic to avoid undefined startup behavior.
Communication Protocol
Communication between the host and the FPGA occurs over USB UART at 115200 baud.
Data is transmitted as 32 hexadecimal characters representing a 16-byte AES block. Each block is processed entirely in hardware and returned in the same format.
Software Layer
The host software is a Python-based command-line tool. It handles file input and output, PKCS#7 padding, and hexadecimal encoding and decoding.
Files are split into 16-byte blocks, sent to the FPGA one block at a time, and reassembled after encryption or decryption. All cryptographic computation is handled by the FPGA, not the host.
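The host-side framing described in the two sections above, as an added example (not the project's own code): PKCS#7 padding, 16-byte blocks, and 32-character hex frames, with checks that reject a short or non-hex frame. The function names and the send_block transport callable are hypothetical, and the sample input is constructed.

```python
BLOCK = 16  # AES block size in bytes; one UART frame is 32 hex characters

def pkcs7_pad(data: bytes) -> bytes:
    # Always pads: an already aligned input gains a full block of 0x10 bytes.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a positive multiple of 16")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]

def to_frames(data: bytes) -> list:
    padded = pkcs7_pad(data)
    return [padded[i:i + BLOCK].hex() for i in range(0, len(padded), BLOCK)]

def parse_frame(frame: str) -> bytes:
    # A dropped or garbled UART character shows up here as a short or non-hex frame.
    if len(frame) != 2 * BLOCK:
        raise ValueError("expected 32 hex characters, got %d" % len(frame))
    raw = bytes.fromhex(frame)  # ValueError on non-hex input
    if len(raw) != BLOCK:       # fromhex() skips whitespace, so re-check the size
        raise ValueError("frame did not decode to 16 bytes")
    return raw

def from_frames(frames) -> bytes:
    return pkcs7_unpad(b"".join(parse_frame(f) for f in frames))

def exchange(data: bytes, send_block) -> list:
    # send_block is a hypothetical transport: hex frame out, hex frame back.
    replies = [send_block(f) for f in to_frames(data)]
    for r in replies:
        parse_frame(r)  # reject malformed replies before reassembly
    return replies

if __name__ == "__main__":
    sample = b"constructed sample file contents"  # constructed input, 32 bytes
    frames = exchange(sample, lambda f: f)         # loopback stands in for the FPGA
    print(len(frames), "frames;", from_frames(frames) == sample)
```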
Front End Implementation
The front end is built as a lightweight web application using a modern JavaScript framework. It provides a clean, minimal interface for file selection, password entry, and encryption or decryption actions.
The front end communicates with a local backend service that interfaces with the Python encryption tool. This backend streams data to the FPGA and returns the processed output to the browser. At no point are files written to disk or transmitted to third-party services.
Challenges We Faced
One major challenge was character loss during UART communication. Without FIFO buffering, the FPGA would occasionally drop incoming characters while transmitting output, leading to corrupted data. To resolve this, we implemented slow character-by-character transmission with 25 ms delays to ensure reliable state transitions.
We also encountered clock domain and reset issues early in development. An initial design froze the clock during reset, which caused the FPGA to enter undefined states on startup. This was fixed by allowing the clock to run continuously and managing reset logic internally.
Timing closure was another challenge due to the computational complexity of AES-256. The long combinational paths required careful state machine design and signal timing to meet setup and hold requirements at 50 MHz.
Finally, we discovered a block assembly bug where the input buffer was not cleared between encryption blocks. This caused new blocks to inherit stale data from previous blocks and resulted in repeated ciphertext. Resetting the block register between operations resolved the issue.
Accomplishments
- Successfully integrated AES-256 and SHA-256 cryptographic cores into a single FPGA design
- Achieved correct and repeatable hardware-based encryption and decryption with full data integrity
- Debugged and resolved multiple hardware and software synchronization issues
- Built a complete end-to-end system from FPGA hardware to a Python command-line interface
- Gained experience using the Vivado Integrated Logic Analyzer for real-time hardware debugging
What We Learned
This project reinforced that hardware design requires a different mindset than software. There is no concept of blocking or waiting, and all behavior must be expressed through state machines and clock cycles.
We learned that FIFOs are essential for any real UART-based system and that removing them requires careful timing control. We also gained experience working with production-quality open-source cryptographic cores and understanding their handshaking requirements.
Hardware debugging differs significantly from software debugging. Issues often appear as corrupted data or missing signals rather than explicit errors, making tools like ILA critical for visibility into internal logic.
What’s Next
Planned future improvements for Encryptic include:
- Adding FIFO buffering to support full-speed UART operation
- Implementing CBC mode instead of ECB for stronger security
- Supporting higher-speed interfaces such as USB 3.0
- Adding support for additional algorithms such as ChaCha20 and RSA
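Why ECB is on the replacement list, and why the stale-buffer bug described under Challenges showed up as repeated ciphertext: a deterministic per-block transform maps equal input blocks to equal output blocks. This is an added example, not the project's code; a truncated HMAC-SHA-256 stands in for the AES-256 core (an assumption, since the Python standard library has no AES), and the function names, password, and plaintext are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16

def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES-256 core (assumption): keyed and deterministic,
    # 16 bytes in and out, but not invertible, so it cannot decrypt.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key: bytes, data: bytes) -> bytes:
    # Each block is transformed independently, as in the current design.
    return b"".join(block_fn(key, b) for b in blocks(data))

def cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block (IV first).
    out, prev = [], iv
    for b in blocks(data):
        prev = block_fn(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> dict:
    # Map of hex block -> count for every block seen more than once.
    counts = Counter(blocks(ciphertext))
    return {blk.hex(): n for blk, n in counts.items() if n > 1}

# Constructed plaintext, already block aligned: four identical blocks and one other.
SAMPLE = b"A" * 16 * 3 + b"B" * 16 + b"A" * 16
# Key derived as the page describes: SHA-256 of the password (constructed value).
KEY = hashlib.sha256(b"constructed-password").digest()

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb(KEY, SAMPLE)))
    print("CBC repeats:", repeated_blocks(cbc(KEY, os.urandom(BLOCK), SAMPLE)))
```

On test input whose plaintext blocks are all distinct, any repeat reported by repeated_blocks points to a fault such as the stale block register described under Challenges.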
Technical Details
FPGA: Xilinx Artix-7 (Basys3, XC7A35T)
Clock: 50 MHz derived from 100 MHz onboard oscillator
Encryption: AES-256 in ECB mode, 14 rounds
Hashing: SHA-256 for password-to-key derivation
Interface: UART over USB, 115200 baud, 8N1
Throughput: Approximately one 16-byte block per second, limited by UART
Languages: SystemVerilog and Python
Tools: Vivado 2023.2 and Secworks cryptographic cores
Built With
- cloudflare
- cloudflaretunnels
- cloudflareturnstiles
- css
- html
- javascript
- python
- react
- secworks
- systemverilog
- typescript
- verilog
- vivado