qTe Docs — Security & Protection

Security & Protection

File protection, encryption, password chains, and security phrases

Security Overview

qTe provides multiple layers of security: file-level protection via extension renaming, content-level encryption using password-derived keys, an 11-character password chain system, and application-level security phrases for access control.

SECURITY LAYERS File Protection .qTe → .qTp rename Hides from decoder Encryption DES with password key Content-level protection Password Chain 11-char password Required for decode Security Phrase SHA-256 hashed App-level lock Privacy Levels: 0 = Public | 1 = Contacts Only | 2 = Private (default)

File Protection (.qTe → .qTp)

File protection is a simple but effective mechanism: offset files are renamed from .qTe to .qTp. The decoder only scans for .qTe files, so protected files are invisible to the decoding process until unprotected.

PROTECTION WORKFLOW Unprotected symph_filename.qTe Protect File.Move → .qTp Protected symph_filename.qTp Unprotect File.Move → .qTe Visible .qTe again Decoder scans: *.qTe (visible) | Ignores: *.qTp (hidden) Password required: 11 characters matching the PasswordChain format

Implementation (qTeLite Reference)

  1. LoadProtectFilesList() — Scans qte_offsets for *.qTe files
  2. User selects files and enters 11-character password
  3. ProtectFiles() — Calls File.Move(path, Path.ChangeExtension(path, ".qTp"))
  4. Protected files disappear from decoder file list

Encryption (DES)

Content-level encryption uses DES with a key derived from the user's password. The password is padded or trimmed to 16 characters, then split into an 8-byte key and 8-byte IV. 

Password (any length) → Pad/trim to 16 chars
  Key = first 8 chars (UTF-8 bytes)
  IV  = last 8 chars (UTF-8 bytes)
  DES-CBC encrypt → Base64 output
Legacy consideration: DES is used for backward compatibility. The encoding itself provides significant obfuscation through the bijection/offset system, making the DES layer an additional convenience protection rather than the primary security boundary.

Password Chain

The PasswordChain system generates and validates 11-character passwords. When a file is encoded with a password, the password is required for decoding. Passwords can be shared with contacts via the app.qte.share.password AT Protocol collection.

Password Requirements

  • Exactly 11 characters
  • Used as the encryption key (padded to 16 chars for DES)
  • Stored hashed — never in plaintext
  • Can be shared securely via AT Protocol password share records

Security Phrase

The security phrase is an application-level lock. When enabled, users must enter the phrase to access the app. The phrase is hashed with SHA-256 and stored locally.

SecurityViewModel Flow

  1. User enters security phrase (minimum 8 characters) and confirms it
  2. Phrase is hashed: SHA256(UTF8(phrase)) → Base64
  3. Hash stored in security_settings.json
  4. On app launch, user prompted to enter phrase — hash compared
  5. Protected file count shown by scanning *.qTp files in offsets folder

Privacy Levels

LevelValueDescription
Public0Visible to anyone, can be syndicated
Contacts1Visible only to accepted contacts
Private2Local only, never shared (default)