e5d202cdff | ||
---|---|---|
.gitignore | ||
Makefile | ||
README.md | ||
UNLICENSE | ||
chacha.c | ||
chacha.h | ||
curve25519-donna.c | ||
docs.h | ||
enchive.c | ||
machine.h | ||
optparse.h | ||
sha256.c | ||
sha256.h |
README.md
Enchive : encrypted personal archives
Enchive is a tool encrypts files to yourself for long-term archival. It's intended as a focused, simple alternative to more complex solutions such as GnuPG. This program has no external dependencies and is very easy to build for local use.
Files are secured with uses ChaCha20, Curve25519, and SHA-224.
Usage
There are only three commands to worry about: keygen
, archive
, and
extract
. The very first thing to do is generate a master keypair
using keygen
.
$ enchive keygen
By default, this will create two files in your home directory:
.enchive.pub
(public key) and .enchive.sec
(secret key).
Distribute .enchive.pub
to any machines where you plan to archive
files. It's sufficient to encrypt files, but not to decrypt them.
To archive a file for storage:
$ enchive archive file.tar.gz
This will encrypt file.tar.gz
as file.tar.gz.enchive
(leaving the
original in place). You can safely archive this wherever.
To extract the file later on a machine with .encrypt.sec
:
$ enchive extract file.tar.gz.enchive
This will reproduce file.tar.gz
.
Notes
There's no effort at error recovery. It bails out on the first error.
Format
The process for encrypting a file:
- Generate an ephemeral 256-bit Curve25519 key pair.
- Perform a Curve25519 Diffie-Hellman key exchange with the master key to produce a shared secret.
- Generate a 64-bit IV for ChaCha20.
- Initialize ChaCha20 with the shared secret as the key.
- Write the 8-byte IV.
- Write the 32-byte ephemeral public key.
- Encrypt the file with ChaCha20 and write the ciphertext.
- Write
sha256(key + sha256(plaintext))
.
The process for decrypting a file:
- Read the 8-byte ChaCha20 IV.
- Read the 32-byte ephemeral public key
- Perform a Curve25519 Diffie-Hellman key exchange with the ephemeral public key.
- Initialize ChaCha20 with the shared secret as the key.
- Decrypt the ciphertext using ChaCha20.
- Verify
sha256(key + sha256(plaintext))
.