Right-Click Cryptography
Building a Crypto Tools Menu in Openbox
When you run a minimal Linux desktop environment like Openbox, every interaction counts. No bloated application menus, no hidden settings buried in system trays — just you, a right-click, and the tools you need.
This is why I built a Crypto Tools submenu directly into my Openbox right-click context menu. Two operations I run constantly — generating encryption keys and signing artifacts — are now one right-click away.
The Problem with Default Desktop Environments
Most Linux distributions ship with heavyweight desktop environments (GNOME, KDE, Cinnamon) that assume you want:
- Application launchers buried in nested menus
- System tray icons fighting for attention
- GUI wrappers around CLI tools that hide what's actually happening
- Configuration scattered across dconf, KDE settings, and random XML files
For cryptographic operations — where you need to see exactly what command runs and verify the output — this abstraction is dangerous.
Openbox solves this: one XML file (~/.config/openbox/menu.xml), explicit shell commands, no hidden magic.
What's in the Crypto Tools Menu
My setup includes four operations, split into key generation and key viewing:
1. Age Keygen
Age is a modern file encryption tool designed to replace GPG for simple use cases. One command generates a keypair:
age-keygen -o ~/.config/age/key.txt
The menu entry wraps this in a terminal session that:
- Creates ~/.config/age/ if missing
- Checks if a key already exists (prevents accidental overwrites)
- Prompts for confirmation before generating a new key
- Extracts the public key to ~/.config/age/pubkey.txt
- Displays the public key on screen (ready to copy/share)
Why Age? No keyservers, no web-of-trust complexity, no 4096-bit RSA. Just Curve25519 + ChaCha20-Poly1305, same primitives as modern protocols (Signal, WireGuard, Nym mixnet).
2. Minisign Keygen
Minisign is a dead-simple signature tool for verifying file integrity. Think of it as "GPG signatures without the PGP baggage."
minisign -G -p minisign.pub -s minisign.key
The menu entry:
- Generates Ed25519 keypair in ~/.config/minisign/
- Displays the public key immediately (for publishing on your website/repo)
- Prompts for a passphrase to protect the secret key
Use case: Every file I publish on contact.virebent.art has a detached .sig file. Minisign generates these signatures. Readers verify with:
minisign -Vm file.md -x file.md.sig -P <my-public-key>
No keyserver lookup, no expiration drama, no "which subkey do I use?" — just one public key, published once, verified instantly.
3. View Age Public Key
Opens ~/.config/age/pubkey.txt in a Zenity dialog window. One-click access to copy your public key for sharing.
Typical workflow:
- Someone asks "what's your Age public key?"
- Right-click → Crypto Tools → View Age Public Key
- Copy from dialog, paste in email/chat
No terminal commands, no file manager navigation, no cat ~/.config/age/pubkey.txt muscle memory needed.
4. View Minisign Public Key
Same as above, but for ~/.config/minisign/minisign.pub. Essential when publishing software releases or signed documents.
Why Right-Click Context Menus Matter
Openbox's design philosophy: the desktop is a workspace, not a framework.
Every action you take should be:
- Visible: you see the exact command that runs
- Auditable: no hidden daemons, no background telemetry
- Fast: zero clicks wasted on launcher animations
- Reproducible: copy the command from menu.xml, run it elsewhere
For cryptographic operations, this transparency is security. When you click "Age Keygen," you watch the terminal output. You see:
# created: 2026-06-03 22:45:12.345678900 +0200 CEST
# public key: age1zy4c7v3n5x2w...
No "key generated successfully ✓" toast notification. You see age-keygen run. You see the public key format. You know what file was written.
If something breaks (wrong permissions, missing directory, corrupted config), the error appears in the terminal — not hidden in ~/.xsession-errors or systemd journal hell.
The Code: Openbox menu.xml
Here's the full Crypto Tools submenu configuration:
<menu id="crypto" label="🔐 Crypto Tools">
  <item label="Age Keygen">
    <action name="Execute">
      <!-- age-keygen -o will not write over an existing file, so a confirmed overwrite removes the old key first -->
      <command>xfce4-terminal -e "bash -c 'mkdir -p ~/.config/age; if [ -f ~/.config/age/key.txt ]; then echo \"Key already exists:\"; age-keygen -y ~/.config/age/key.txt; echo; read -p \"Generate a NEW key and overwrite? [y/N] \" ans; [ \"$ans\" = y ] || [ \"$ans\" = Y ] || { echo Aborted.; read -p \"Press Enter\"; exit 0; }; rm -f ~/.config/age/key.txt; fi; age-keygen -o ~/.config/age/key.txt; age-keygen -y ~/.config/age/key.txt > ~/.config/age/pubkey.txt; echo \"New key generated:\"; cat ~/.config/age/pubkey.txt; read -p \"Press Enter\"'"</command>
    </action>
  </item>
  <item label="Minisign Keygen">
    <action name="Execute">
      <!-- a literal ampersand has to be written as &amp; inside menu.xml -->
      <command>xfce4-terminal -e "bash -c 'mkdir -p ~/.config/minisign &amp;&amp; cd ~/.config/minisign &amp;&amp; minisign -G -p minisign.pub -s minisign.key; cat minisign.pub; read -p \"Press Enter\"'"</command>
    </action>
  </item>
  <separator/>
  <!-- Openbox starts commands without a shell; sh -c is what expands $HOME -->
  <item label="View Age Public Key">
    <action name="Execute">
      <command>sh -c 'zenity --text-info --title="Age Public Key" --filename="$HOME/.config/age/pubkey.txt"'</command>
    </action>
  </item>
  <item label="View Minisign Public Key">
    <action name="Execute">
      <command>sh -c 'zenity --text-info --title="Minisign Public Key" --filename="$HOME/.config/minisign/minisign.pub"'</command>
    </action>
  </item>
</menu>
Copy this into ~/.config/openbox/menu.xml, then reload Openbox:
openbox --reconfigure
Right-click anywhere on the desktop → Crypto Tools should appear.
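The Age Keygen entry unrolled into a script that is easier to review than a one-line <command>, as an added example (not the author's code). It keeps the old key as a timestamped backup instead of discarding it; age_keygen_safe, AGE_DIR, AGE_KEYGEN and the file name age-keygen-safe.sh are hypothetical names.

```sh
#!/bin/sh
# Added example: the "Age Keygen" menu command as a reviewable script.
# AGE_DIR and AGE_KEYGEN are this example's own override variables
# (hypothetical; age itself does not read them).

age_keygen_safe() (
    # The ( ... ) body runs in a subshell, so umask and variables stay local.
    dir="${AGE_DIR:-$HOME/.config/age}"
    keygen="${AGE_KEYGEN:-age-keygen}"
    key="$dir/key.txt"
    pub="$dir/pubkey.txt"

    umask 077                        # key directory and files: owner only
    mkdir -p "$dir" || exit 1

    if [ -e "$key" ]; then
        echo "Key already exists:"
        "$keygen" -y "$key"
        printf 'Generate a NEW key and replace it? [y/N] '
        read -r ans || ans=""
        case "$ans" in
            y|Y) ;;
            *)   echo "Aborted."; exit 0 ;;
        esac
        # Keep the old identity: files encrypted to it remain decryptable.
        bak="$key.$(date +%Y%m%d-%H%M%S).bak"
        mv -- "$key" "$bak" || exit 1
        echo "Old key kept as $bak"
    fi

    # age-keygen -o refuses to write over an existing file; $key is absent here.
    "$keygen" -o "$key" || { echo "key generation failed" >&2; exit 1; }

    # Derive the public key from the secret key file. Writing to a temp file
    # first means a failure never leaves an empty pubkey.txt behind.
    "$keygen" -y "$key" > "$pub.tmp" || { rm -f "$pub.tmp"; exit 1; }
    mv -- "$pub.tmp" "$pub"
    echo "New key generated:"
    cat "$pub"
)

# Run only when asked to, e.g.: sh age-keygen-safe.sh --run
if [ "${1:-}" = "--run" ]; then
    age_keygen_safe
fi
```

With the script saved somewhere on disk, the menu <command> shrinks to a terminal invocation of it with --run, and the logic can be read, diffed and signed like any other file.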
Integration with My Workflow
This menu exists because I do three things constantly:
1. Signing Published Content
Every Markdown file on contact.virebent.art has a detached signature:
minisign -Sm contact.md -x contact.md.sig
# creates contact.md.sig
Readers verify with my public key (published at /.well-known/minisign/minisign.pub). If the signature fails, the page was tampered with.
2. Encrypting Sensitive Files for Air-Gap Transfer
When moving GPG keyrings or SSH keys between machines:
age -r age1zy4c7v3n5x2w... -o secrets.tar.age secrets.tar
# encrypted with my Age public key
# only decryptable on machine with ~/.config/age/key.txt
No GPG passphrase prompts, no "which key do I use?" — just encrypt to my Age public key, decrypt on the target machine.
3. Sharing Public Keys with Sources
When a journalist or researcher contacts me securely, they need my public key. Instead of:
- Opening terminal
- cat ~/.config/age/pubkey.txt
- Select text, Ctrl+C
- Paste in email
I do:
- Right-click → Crypto Tools → View Age Public Key
- Zenity dialog opens with key displayed
- Ctrl+C, paste
Two clicks instead of four steps. Muscle memory for a task I do weekly.
Why Age and Minisign, Not GPG?
I still use GPG for email (compatibility with existing workflows), but for new cryptographic needs:
| Tool | Use Case | Why Not GPG? |
|---|---|---|
| Age | File encryption, backups, secrets | No keyservers, no subkey management, no 15-year-old PGP RFCs |
| Minisign | Code signing, document integrity | No expiration dates, no "which key signed this?" confusion |
| GPG | Email (legacy), Debian package signing | Required by ecosystem, not by choice |
Age and Minisign share a philosophy: do one thing, do it well, make it auditable. No web-of-trust, no photo UIDs, no "key transition statements" — just modern cryptography (Curve25519, Ed25519, ChaCha20) in a CLI tool that fits in 500 KB.
Extending the Menu: What Else Belongs Here?
Future additions I'm considering:
- OpenTimestamps: one-click timestamping for signed documents (ots stamp file.md)
- YubiKey operations: trigger yubisigner for hardware-backed signatures
- Tomb encrypted volumes: mount/unmount LUKS containers via right-click
- SSH key generation: Ed25519 keypairs for new servers
The pattern is simple: if you run a command more than twice a week, it belongs in the menu.
Openbox as a Security Posture
Running Openbox isn't just about aesthetics (though I like the minimalism). It's a security decision:
- Attack surface reduction: no GNOME Online Accounts, no KDE Baloo indexer, no Tracker daemons scanning your files
- Auditability: one XML file defines your entire desktop menu — inspect it, verify it, version-control it
- No telemetry: Openbox doesn't phone home, doesn't have "usage statistics," doesn't integrate with cloud services
- Offline-first: works perfectly on air-gapped machines (no "sync settings" requirements)
For privacy infrastructure work — running Tor services, managing encrypted email, operating mixnet nodes — this matters. Every daemon you don't run is one less thing an attacker can compromise.
Try It Yourself
If you're on Arch, Debian, or any Linux distribution with Openbox available:
# Install dependencies
sudo pacman -S openbox age minisign zenity xfce4-terminal # Arch
sudo apt install openbox age minisign zenity xfce4-terminal # Debian
# Copy the menu configuration
mkdir -p ~/.config/openbox
curl -o ~/.config/openbox/menu.xml https://contact.virebent.art/openbox-menu.xml
# Reload Openbox
openbox --reconfigure
Right-click anywhere on your desktop. You should see Crypto Tools in the menu.
Run "Age Keygen" once. Watch the terminal output. See the public key appear. That's the workflow — transparent, auditable, no hidden steps.
This menu configuration is part of my dotfiles, published at git.virebent.art. All scripts are signed with Minisign and timestamped with OpenTimestamps. If you find this useful, consider it public domain — use, modify, share.
For questions or suggestions, reach me via the channels at contact.virebent.art.