enchive/README.md

# Enchive : encrypted personal archives

Enchive is a tool encrypts files to yourself for long-term archival.
It's intended as a focused, simple alternative to more complex
solutions such as GnuPG. This program has no external dependencies and
is very easy to build for local use. Portability is emphasized over
performance.

Files are secured with uses ChaCha20, Curve25519, and SHA-256.

## Usage

There are only three commands to worry about: `keygen`, `archive`, and
`extract`. The very first thing to do is generate a master keypair
using `keygen`.

    $ enchive keygen

By default, this will create two files in your home directory:
`.enchive.pub` (public key) and `.enchive.sec` (secret key).
Distribute `.enchive.pub` to any machines where you plan to archive
files. It's sufficient to encrypt files, but not to decrypt them.

To archive a file for storage:

    $ enchive archive file.tar.gz

This will encrypt `file.tar.gz` as `file.tar.gz.enchive` (leaving the
original in place). You can safely archive this wherever.

To extract the file later on a machine with `.encrypt.sec`:

    $ enchive extract file.tar.gz.enchive

This will reproduce `file.tar.gz`.

With no filenames, `archive` and `extract` operate on standard input
and output.

## Notes

There's no effort at error recovery. It bails out on early on the
first error. It should clean up any incomplete files when it does so.

The `--derive` key generation option can be used to produce
deterministic keys which you can re-derive should your secret key
lost. This key derivation function is run more aggressively (slowly)
when generating a master key.

## Format

The process for encrypting a file:

1. Generate an ephemeral 256-bit Curve25519 key pair.
2. Perform a Curve25519 Diffie-Hellman key exchange with the master
   key to produce a shared secret.
3. Generate a 64-bit IV for ChaCha20.
5. Initialize ChaCha20 with the shared secret as the key.
4. Write the 8-byte IV.
5. Write the 32-byte ephemeral public key.
6. Encrypt the file with ChaCha20 and write the ciphertext.
7. Write `sha256(key + sha256(plaintext))`.

The process for decrypting a file:

1. Read the 8-byte ChaCha20 IV.
2. Read the 32-byte ephemeral public key
3. Perform a Curve25519 Diffie-Hellman key exchange with the ephemeral
   public key.
4. Initialize ChaCha20 with the shared secret as the key.
5. Decrypt the ciphertext using ChaCha20.
6. Verify `sha256(key + sha256(plaintext))`.
Tweak README. 2017-03-03 20:06:43 +01:00			`# Enchive : encrypted personal archives`
Add some docs. 2017-03-03 20:04:41 +01:00
			`Enchive is a tool encrypts files to yourself for long-term archival.`
			`It's intended as a focused, simple alternative to more complex`
			`solutions such as GnuPG. This program has no external dependencies and`
Update README. 2017-03-04 01:36:32 +01:00			`is very easy to build for local use. Portability is emphasized over`
			`performance.`
Add some docs. 2017-03-03 20:04:41 +01:00
Update README. 2017-03-04 01:36:32 +01:00			`Files are secured with uses ChaCha20, Curve25519, and SHA-256.`
Add some docs. 2017-03-03 20:04:41 +01:00
			`## Usage`

			There are only three commands to worry about: `keygen`, `archive`, and
			`extract`. The very first thing to do is generate a master keypair
			using `keygen`.

			`$ enchive keygen`

			`By default, this will create two files in your home directory:`
			`.enchive.pub` (public key) and `.enchive.sec` (secret key).
			Distribute `.enchive.pub` to any machines where you plan to archive
			`files. It's sufficient to encrypt files, but not to decrypt them.`

			`To archive a file for storage:`

Tweak example in README. 2017-03-03 20:09:09 +01:00			`$ enchive archive file.tar.gz`
Add some docs. 2017-03-03 20:04:41 +01:00
Tweak example in README. 2017-03-03 20:09:09 +01:00			This will encrypt `file.tar.gz` as `file.tar.gz.enchive` (leaving the
			`original in place). You can safely archive this wherever.`
Add some docs. 2017-03-03 20:04:41 +01:00
			To extract the file later on a machine with `.encrypt.sec`:

Tweak example in README. 2017-03-03 20:09:09 +01:00			`$ enchive extract file.tar.gz.enchive`
Add some docs. 2017-03-03 20:04:41 +01:00
Tweak example in README. 2017-03-03 20:09:09 +01:00			This will reproduce `file.tar.gz`.
Add note to README. 2017-03-03 20:07:47 +01:00
Update README. 2017-03-04 01:36:32 +01:00			With no filenames, `archive` and `extract` operate on standard input
			`and output.`

Add note to README. 2017-03-03 20:07:47 +01:00			`## Notes`

Update README. 2017-03-04 01:36:32 +01:00			`There's no effort at error recovery. It bails out on early on the`
			`first error. It should clean up any incomplete files when it does so.`

			The `--derive` key generation option can be used to produce
			`deterministic keys which you can re-derive should your secret key`
			`lost. This key derivation function is run more aggressively (slowly)`
			`when generating a master key.`
Add format description. 2017-03-03 20:48:59 +01:00
			`## Format`

			`The process for encrypting a file:`

			`1. Generate an ephemeral 256-bit Curve25519 key pair.`
			`2. Perform a Curve25519 Diffie-Hellman key exchange with the master`
			`key to produce a shared secret.`
			`3. Generate a 64-bit IV for ChaCha20.`
			`5. Initialize ChaCha20 with the shared secret as the key.`
			`4. Write the 8-byte IV.`
			`5. Write the 32-byte ephemeral public key.`
			`6. Encrypt the file with ChaCha20 and write the ciphertext.`
Tweak MAC. 2017-03-03 22:15:09 +01:00			7. Write `sha256(key + sha256(plaintext))`.
Add format description. 2017-03-03 20:48:59 +01:00
			`The process for decrypting a file:`

			`1. Read the 8-byte ChaCha20 IV.`
			`2. Read the 32-byte ephemeral public key`
			`3. Perform a Curve25519 Diffie-Hellman key exchange with the ephemeral`
			`public key.`
			`4. Initialize ChaCha20 with the shared secret as the key.`
			`5. Decrypt the ciphertext using ChaCha20.`
Tweak MAC. 2017-03-03 22:15:09 +01:00			6. Verify `sha256(key + sha256(plaintext))`.