A Fort-Knox level document encryption command-line tool with defense-in-depth security.
```bash
cargo install zerovault
```

- Triple-layer encryption using AES-256-GCM, ChaCha20-Poly1305, and AES-256-CBC
- Digital signatures for tamper detection using Ed25519
- Maximum-security key derivation with Argon2id (1GB memory cost)
- Interactive and non-interactive modes for ease of use and scripting
- File and stream processing for versatile encryption workflows
- Metadata support including comments, timestamps, and versioning
- Validation and information commands to examine vault files without decryption

```bash
# Basic encryption (will prompt for inputs)
zerovault encrypt

# Basic decryption (will prompt for inputs)
zerovault decrypt
```

```bash
# Encrypt a file with a password
zerovault encrypt --input document.pdf --output document.vault --password mypassword --non-interactive

# Decrypt a vault file
zerovault decrypt --input document.vault --output document.pdf --password mypassword --non-interactive
```

```bash
# Add a comment to describe the encrypted content
zerovault encrypt --input file.txt --comment "Confidential data"

# Force overwrite of existing files
zerovault encrypt --input file.txt --output encrypted.vault --force
```

```bash
# Basic decryption with output file specification
zerovault decrypt --input file.vault --output recovered.txt

# Force overwrite of existing files
zerovault decrypt --input file.vault --output recovered.txt --force
```

```bash
# Validate a vault file structure without decrypting
zerovault validate --input file.vault

# Show information about a vault file
zerovault info --input file.vault

# Output information in JSON format
zerovault info --input file.vault --json
```

```bash
# Encrypt data from stdin to stdout
cat file.txt | zerovault encrypt-stream --password mypassword > file.vault

# Decrypt data from stdin to stdout
cat file.vault | zerovault decrypt-stream --password mypassword > file_decrypted.txt
```

```bash
# Run self-tests to verify encryption/decryption
zerovault test
```

- Paranoid Security Level: All operations use maximum security parameters (1GB memory cost, 12 Argon2id iterations)
- Memory protection: Secure memory with guard pages and canaries
- Zero-knowledge architecture: Data never leaves your device
- Tamper-resistant: Cryptographic signatures detect any modification
- Defense-in-depth: Multiple security layers with independent algorithms
- Side-channel protection: Memory zeroing and timing attack mitigations
Process multiple files easily with scripts:

```bash
# Encrypt all text files in directory
for file in *.txt; do
    zerovault encrypt --input "$file" --password batch_password --non-interactive
done

# Validate all vault files
for vault in *.vault; do
    zerovault validate --input "$vault"
done
```

For integration with other tools:

```bash
zerovault info --input file.vault --json
zerovault encrypt --input file.txt --json
```

```
$ zerovault encrypt
Enter input file path: document.txt
Enter output file path [document.txt.vault]:
Enter encryption password: ********
Confirm password: ********
Enter comment (optional): My secure document
✓ File encrypted successfully
Input: document.txt
Output: document.txt.vault
Size: 1024 bytes
Comment: My secure document
```
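
The batch loop above hard-codes the password and never checks that a vault can be read back. As an added example (not part of the ZeroVault project), the wrapper below encrypts each file, runs `validate`, then decrypts to a temporary file and compares the result with the original. It uses only flags shown on this page and assumes, which the page does not state, that `zerovault` exits non-zero on failure and that `--force` can be combined with `--non-interactive`; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not ZeroVault project code. Function names are hypothetical.
# Assumption: zerovault exits non-zero when a step fails.
# Note: --password puts the secret in the process argument list, which other
# local users can typically read while the command runs.

# encrypt_verified FILE PASSWORD
# Encrypt FILE to FILE.vault, validate it, decrypt to a temp file and compare
# with the original. On any failure the vault is removed, the original kept.
encrypt_verified() {
    local file="$1" password="$2" vault="$1.vault" tmp
    [ -f "$file" ] || { echo "skip: $file is not a regular file" >&2; return 2; }
    [ ! -e "$vault" ] || { echo "skip: $vault already exists" >&2; return 3; }
    tmp=$(mktemp) || return 1    # mktemp creates the file with mode 0600

    if zerovault encrypt --input "$file" --output "$vault" \
            --password "$password" --non-interactive >/dev/null &&
       zerovault validate --input "$vault" >/dev/null &&
       zerovault decrypt --input "$vault" --output "$tmp" \
            --password "$password" --non-interactive --force >/dev/null &&
       cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp" "$vault"
    echo "FAILED: $file (vault removed, original kept)" >&2
    return 1
}

# encrypt_batch PASSWORD FILE...
# Prints the number of failed or skipped files; returns non-zero if any.
encrypt_batch() {
    local password="$1" failures=0 f
    shift
    for f in "$@"; do
        encrypt_verified "$f" "$password" || failures=$((failures + 1))
    done
    echo "$failures"
    [ "$failures" -eq 0 ]
}

# Usage: prompt once without echo instead of hard-coding the password.
#   read -r -s -p "Vault password: " pw; echo
#   encrypt_batch "$pw" ./*.txt; unset pw
```
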
You can encrypt already encrypted files for layered security:

```bash
# First layer of encryption
zerovault encrypt --input secret.txt --output layer1.vault --password inner_password

# Second layer of encryption
zerovault encrypt --input layer1.vault --output layer2.vault --password outer_password
```

For secure document sharing:

```bash
# 1. Sender encrypts file with comment
zerovault encrypt --input presentation.pptx --comment "For review - Confidential"

# 2. Share the vault file and password securely with recipient

# 3. Recipient verifies file metadata before decryption
zerovault info --input presentation.pptx.vault

# 4. Recipient decrypts file
zerovault decrypt --input presentation.pptx.vault
```

This project is licensed under the MIT License. See the LICENSE file for details.

ZeroVault is built on the zero_vault_core library, which is also available on crates.io for use in other Rust projects.