Heads up to anyone considering using this: the author wrote their own crypto code[1]. I would recommend against using this until that is fixed... I've already spotted a few vulnerabilities.
That doesn't immediately mean that the library is useless.
> until that is fixed
I disagree with the word "fixed", as if it's broken. He probably used the highest-level primitives he could to achieve the requirements.
> I've already spotted a few vulnerabilities.
It'd probably be more constructive to open an issue detailing the vulnerabilities rather than saying "I've spotted some, use NaCl" and leaving it at that. What makes you so sure that NaCl is even a suitable replacement without knowing all the considerations that went into the project?
I don't necessarily disagree, but at some point the buck has to stop, right? How would you implement this any other way? The author didn't implement AES or so on himself, he uses standard library encryption and applies it as appropriate. You should probably report the issues you find to federico.ceratto-at-gmail.com (from Github).
The author should use a library that provides a simple "encryptWithPublicKey" method, so that any choices about RSA key size, AES mode of operation, etc are all taken care of. NaCl[1] would probably be best, since it's written and audited by prominent cryptographers.
There are a tremendous number of other ways this could be implemented.
Authenticated encryption? GCM? XTS?
Salt the CFB? Guard against interblock attacks?
The crypto needs to be completely reworked. This is an asymmetric kek around symmetric encryption, which is done in many other projects.
Half-backed crypto such as this is worse than no crypto at all, as it lulls people into believing they are using a valid cryptographic system. But, the project implements (poorly) a subset of what is needed and pushes the rest into application code - but app writers don't know this and wouldn't know what to implement even if they know of the shortcomings.
Cryptographers see this all the time. People think they invented a new concept but only implemented a well-known design but did it incompletely and with well-known flaws in the crypto. Then, people defend the system, when it would be far easier to use better primitives.
It says something if you're using a package called PyCrypto for RNG and that happens to be an insecure approach. You would think with that name it was the right way to do it.
It looks like the file is replaced every write, too, which removes most of the hard use cases. It really seems to me that he could just use PyNaCl to encrypt the files and not have to bother with all the custom crypto. I don't know what the intentions and tradeoffs are, though, so I can't be sure.
You could make similar threat-model arguments as are made about FDE, but that's not really a good excuse when authentication would be technically easy in this case.
I have no intention to mislead any user into running it so I'll remove the repository for the time being.