Skip to content

Crazegi/SFT

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
HOW-TO-USE.md
HOW-TO-USE.md
 
 
INSTALL.md
INSTALL.md
 
 
QUICKSTART.md
QUICKSTART.md
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
build.sh
build.sh
 
 

Repository files navigation

Secure File Tool

A robust Linux security tool written in Rust that provides:

  • AES-256-GCM file encryption/decryption with authenticated encryption
  • Argon2id password-based key derivation (resistant to GPU/ASIC attacks)
  • File permissions security checker to identify unsafe permissions

Security Features

Encryption

  • Algorithm: AES-256-GCM (Galois/Counter Mode)

    • Provides both confidentiality and authenticity
    • Detects tampering automatically
    • Industry-standard encryption

  • Key Derivation: Argon2id

    • Winner of the Password Hashing Competition
    • Resistant to GPU and ASIC cracking attempts
    • Memory-hard function
    • Protects against brute-force attacks

  • Random Generation: Uses OS-provided cryptographically secure random number generator

    • Unique salt per file (16 bytes)
    • Unique nonce per encryption (12 bytes)

  • Memory Safety:

    • Rust's ownership system prevents buffer overflows
    • Sensitive data (keys) are zeroized after use
    • No use-after-free vulnerabilities

  • Secure Defaults:

    • Encrypted files automatically set to 0600 permissions (owner-only access)
    • Minimum 8-character password requirement

Permissions Checker

  • Identifies world-writable files (critical security risk)
  • Flags sensitive files with world-readable permissions
  • Detects group-writable files
  • Notices unusual executable bits on data files
  • Recursive directory scanning support

Installation

Prerequisites

  • Rust 1.70 or newer
  • Linux/Unix system (uses Unix file permissions)

Build from Source

# Clone or navigate to the project directory
cd secure_file_tool

# Build release version (optimized)
cargo build --release

# Binary will be at: target/release/secure-file-tool

# Optional: Install to system
cargo install --path .

Usage

Encrypt a File

# Encrypt with default output name (adds .enc extension)
./target/release/secure-file-tool encrypt -i myfile.txt

# Encrypt with custom output name
./target/release/secure-file-tool encrypt -i myfile.txt -o encrypted.bin

# You'll be prompted for password (minimum 8 characters)

What happens:

  1. Prompts for password (hidden input)
  2. Asks for confirmation
  3. Generates random salt and nonce
  4. Derives 256-bit key using Argon2id
  5. Encrypts file with AES-256-GCM
  6. Saves: [salt][nonce][ciphertext]
  7. Sets output file to 0600 permissions

Decrypt a File

# Decrypt (automatically removes .enc extension)
./target/release/secure-file-tool decrypt -i myfile.txt.enc

# Decrypt with custom output name
./target/release/secure-file-tool decrypt -i encrypted.bin -o decrypted.txt

# Enter the same password used for encryption

What happens:

  1. Prompts for password
  2. Reads salt and nonce from file
  3. Derives key using Argon2id
  4. Attempts decryption
  5. Verifies authenticity tag (detects tampering)
  6. Saves decrypted file

Check File Permissions

# Check a single file
./target/release/secure-file-tool check-perms myfile.txt

# Check all files in a directory (non-recursive)
./target/release/secure-file-tool check-perms /path/to/directory

# Check directory recursively
./target/release/secure-file-tool check-perms -r /path/to/directory

Security checks performed:

  • ⚠️ CRITICAL: World-writable files (anyone can modify)
  • ⚠️ WARNING: Sensitive files readable by everyone (.key, .pem, "secret", "private")
  • ⚠️ WARNING: Group-writable files
  • ℹ️ INFO: Executable bits on non-executable files

Examples

Encrypt a private key

./target/release/secure-file-tool encrypt -i ~/.ssh/id_rsa -o id_rsa.enc
# Then securely delete original: shred -u ~/.ssh/id_rsa

Check home directory permissions

./target/release/secure-file-tool check-perms -r ~

Encrypt and send a file

# Encrypt
./target/release/secure-file-tool encrypt -i confidential.pdf

# Send confidential.pdf.enc via email/transfer
# Share password through separate secure channel (Signal, phone call, etc.)

# Recipient decrypts
./target/release/secure-file-tool decrypt -i confidential.pdf.enc

Security Best Practices

  1. Password Management

    • Use strong, unique passwords (16+ characters recommended)
    • Never reuse encryption passwords
    • Consider using a password manager
    • Share passwords through separate secure channels

  2. File Handling

    • Securely delete original files after encryption: shred -u original.txt
    • Don't email passwords with encrypted files
    • Verify file integrity after transfers
    • Keep backups of important encrypted files

  3. Permissions

    • Keep encrypted files at 0600 or 0400 (read-only)
    • Never make encrypted files world-readable
    • Regularly audit permissions with the check-perms command

  4. System Security

    • Keep your system updated
    • Use full-disk encryption
    • Encrypt swap space
    • Use secure boot
    • Monitor system logs

File Format

Encrypted files use this structure:

[16 bytes: Salt] [12 bytes: Nonce] [Variable: Ciphertext + Auth Tag]
  • Salt is used for key derivation (unique per file)
  • Nonce is used for encryption (unique per file)
  • Ciphertext includes 16-byte authentication tag (GCM mode)

Technical Details

Cryptographic Libraries

  • aes-gcm - AES-GCM implementation (RustCrypto)
  • argon2 - Argon2id key derivation
  • rand - Cryptographically secure randomness

Compilation Optimizations

  • LTO (Link-Time Optimization) enabled
  • Maximum optimization level
  • Single codegen unit for better optimization
  • Debug symbols stripped

Memory Safety

  • No unsafe code in main logic
  • Sensitive data zeroized after use
  • Rust's ownership prevents memory bugs
  • No null pointer dereferences possible

Limitations

  • Designed for files, not streaming data
  • Entire file loaded into memory during encryption/decryption
  • Maximum file size limited by available RAM
  • Password-based encryption only (no key files or certificates)
  • Unix/Linux only (uses Unix file permissions)

Troubleshooting

"Decryption failed - wrong password or corrupted file"

  • Verify you're using the correct password
  • Check if file was corrupted during transfer (verify checksums)
  • Ensure complete file was transferred

"Permission denied"

  • Check you have read access to input file
  • Check you have write access to output directory
  • Run with appropriate user permissions

Build errors

  • Ensure Rust 1.70+ is installed: rustc --version
  • Update Rust: rustup update
  • Clean build: cargo clean && cargo build --release

License

This is demonstration security software. Review and audit before production use.

Contributing

Security improvements welcome! Please report vulnerabilities responsibly.

Audit Checklist

Before using in production:

  • Review all source code
  • Run security audit: cargo audit
  • Test with various file sizes
  • Verify password strength requirements
  • Test error handling
  • Review cryptographic parameters
  • Check for memory leaks: valgrind
  • Fuzz test encryption/decryption

References

About

No description, website, or topics provided.

Resources

Readme

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages