We propose a new technique of physical-layer cryptography that uses a massive MIMO channel as a key between the sender and the desired receiver; this key need not be secret. The goal is low-complexity encoding and decoding for the desired transmitter-receiver pair, while decoding by an eavesdropper is prohibitively complex. The massive MIMO system has a channel gain matrix whose entries are drawn i.i.d. from a Gaussian distribution, and the channel is subject to additive white Gaussian noise. The decoding complexity is analyzed by mapping the massive MIMO system to a lattice. We show that the eavesdropper's decoder for the MIMO system with M-PAM modulation is equivalent to solving standard lattice problems that are conjectured to be of exponential complexity for both classical and quantum computers. Hence, under the widely held conjecture that standard lattice problems are hard in the worst case, the proposed encryption scheme has security that exceeds that of the most common encryption methods used today, such as RSA and Diffie-Hellman. Additionally, we show that this scheme could be used to communicate securely without a pre-shared secret key and with little computational overhead. In particular, a standard parallel channel decomposition allows the desired transmitter-receiver pair to encode and decode transmissions over the MIMO channel based on the singular value decomposition of the channel, while decoding remains computationally hard for an eavesdropper with an independent channel gain matrix, even if the eavesdropper knows the channel gain matrix between the desired transmitter and receiver. Thus, the massive MIMO system provides low-complexity encryption commensurate with the most sophisticated forms of application-layer encryption by exploiting the physical-layer properties of the radio channel.
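The parallel channel decomposition described above, sketched at toy scale as an added example (not code from the paper): the transmitter precodes with V from the SVD of H, the receiver applies U^T and rounds each stream, while the eavesdropper's effective basis H_e V stays dense. The 8x8 dimension, 4-PAM alphabet, noise level, seed and all function names are assumptions chosen for illustration; at this size the eavesdropper's lattice problem is easy to solve, so the code shows the structure of the two decoding problems, not their hardness.

```python
import numpy as np

PAM4 = np.array([-3.0, -1.0, 1.0, 3.0])  # M-PAM constellation, M = 4

def slice_pam(z):
    """Round each stream independently to the nearest PAM symbol."""
    return PAM4[np.abs(z[:, None] - PAM4[None, :]).argmin(axis=1)]

def orthogonality_defect(B):
    """prod ||b_i|| / |det B|: equals 1 only when the columns are orthogonal."""
    return float(np.prod(np.linalg.norm(B, axis=0)) / abs(np.linalg.det(B)))

def run_demo(n=8, noise_std=1e-6, seed=1):
    rng = np.random.default_rng(seed)
    H = rng.standard_normal((n, n))    # legitimate channel, known to everyone
    H_e = rng.standard_normal((n, n))  # eavesdropper's independent channel
    x = rng.choice(PAM4, size=n)       # constructed message symbols

    U, s, Vt = np.linalg.svd(H)        # H = U @ diag(s) @ Vt
    tx = Vt.T @ x                      # transmitter precodes with V

    # Legitimate receiver: U^T (H V x + n) = diag(s) x + U^T n, so each
    # stream is a scalar channel and decoding is per-stream rounding.
    y = H @ tx + noise_std * rng.standard_normal(n)
    x_hat = slice_pam((U.T @ y) / s)

    # Eavesdropper: y_e = H_e V x + n_e. Knowing H (hence V) it still faces
    # the dense basis B_e = H_e V; a per-stream matched filter leaves
    # interference from the non-orthogonal columns.
    B_e = H_e @ Vt.T
    y_e = H_e @ tx + noise_std * rng.standard_normal(n)
    x_eve = slice_pam((B_e.T @ y_e) / np.sum(B_e ** 2, axis=0))

    return {
        "sent": x,
        "legit_decoded": x_hat,
        "eve_symbol_errors": int(np.sum(x_eve != x)),
        "defect_legit": orthogonality_defect(U.T @ H @ Vt.T),
        "defect_eve": orthogonality_defect(B_e),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The orthogonality defect is the quantity to watch: it is 1 for the diagonalized legitimate channel and well above 1 for the eavesdropper's basis, which is what turns per-stream rounding into a closest-vector problem.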