v0.2.2

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS

# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File	SHA-256
luksbox-0.2.2-1.aarch64.rpm	307aa9e0da1fc210139365d873cf8671c8f243615107fe718deab56b66931d3d
luksbox-0.2.2-1.x86_64.rpm	47dab8986305678619704112c4fa26b5a7329df86033992b2baa65fbd2412c09
luksbox-v0.2.2-aarch64-linux-trixie.tar.gz	0eec5fee6c7d8e67c0c12fb0a61a95fd35968cd61a61dc87c9bdefa348880bee
luksbox-v0.2.2-aarch64-macos-macfuse-portable.tar.gz	12ffecb053d81acb03bc4fa152c1466ce3d47d2a8bda0bad42934d014111986f
luksbox-v0.2.2-aarch64-macos-macfuse.dmg	9966fa9c78f46de8dc297b0795c9b412d5577111f5b089577605873543aefeff
luksbox-v0.2.2-x86_64-linux-jammy.tar.gz	d02ebc004d8dc7197bad3249e0d3197e9a0774adc2c3b84de7bc2dc014cfc72f
luksbox-v0.2.2-x86_64-windows-setup.exe	65e5263d1f1ccf5cb2a6981f158d3d0675685366b47df1c985120424b74a605d
luksbox-v0.2.2-x86_64-windows.msi	146a5308f537f6a8edab099da6d7374d7c87fafdf13ba56eb6030438bde25777
luksbox-v0.2.2-x86_64-windows.zip	c996bcca17ef620dbbf8bcc5a40b3dfb8a9a4af068ab7c99fa3611b10bc3d4a8
luksbox_0.2.2-1_jammy_amd64.deb	c6887488f1ce4181040616de053291010b4192f7b7b49b81918f33cb3ded26d3
luksbox_0.2.2-1_jammy_arm64.deb	34a2bbffb433d5ee5cf60d2f053eb8e790321762edeea616ad13bc738ee14e0b
luksbox_0.2.2-1_noble_amd64.deb	9dc5c02b110f9226a5a283fdf6a836062b267209ca6b643caa6d3007bcf1c332
luksbox_0.2.2-1_noble_arm64.deb	f8d5e64bab1f9cfdea5d87baa7c00aabb5d780d411fc100687d8ef9afba26437
luksbox_0.2.2-1_trixie_amd64.deb	174425629c9cc0fd321a8ed106851d3cde44f5fd44a0ea65210740f718c8e3f0
luksbox_0.2.2-1_trixie_arm64.deb	70a7f1a95efed2848b2b33f6a1d215ac3a4dd105c054107335fc67e1eea97d6f

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.2-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.2-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.2-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.2-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.2-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.2-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.2-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already pr...

v0.2.1

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS

# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File	SHA-256
luksbox-0.2.1-1.aarch64.rpm	53a4ca5d60d3463fbcf0e05754a170e62aa24decc0aa36c988cb13737a02a0de
luksbox-0.2.1-1.x86_64.rpm	e58166ed4cf971015b7e5deb5b011c978bad1316da4f821180a90278af821e43
luksbox-v0.2.1-aarch64-linux-jammy.tar.gz	915493acddf078beb45889b187f0faa1a46501d8a3d3f21d057187d6ff14ed53
luksbox-v0.2.1-aarch64-macos-fuset-portable.tar.gz	6a35e1e7d7236869588177da20e76e1f3b885a95a9057e170f741fde04c7ecde
luksbox-v0.2.1-aarch64-macos-fuset.dmg	a925572b2e3498e5816aa87c111b4744b74e5db8289ecf464f54de6b705cdda6
luksbox-v0.2.1-x86_64-linux-jammy.tar.gz	2cca92eb8601954c70bdd44c8af52e7db6e546c4a17830e712a682505d39523b
luksbox-v0.2.1-x86_64-windows-setup.exe	a718a5131899e6e5d8f35fed7da1455e87f6008617a0d09cc79d23b6e8cea8c2
luksbox-v0.2.1-x86_64-windows.msi	78d3bfcddaae57393ccd028ae7633a73325904515d346661bfe08592da923c99
luksbox-v0.2.1-x86_64-windows.zip	45a6f625115a00b421d83dc2673ecd771dd8d6b0686d16db3a08563ddb49bffa
luksbox_0.2.1-1_jammy_amd64.deb	a1d4ddfc261abe43f3ebe50114e80594de7d32aa152ea8e8160d65ef91096117
luksbox_0.2.1-1_jammy_arm64.deb	0b48eb5807ae21ba7ea5ad2633081505b1bf4cce1aa8f2434bdeb1222486cc45
luksbox_0.2.1-1_noble_amd64.deb	33300f00c76651f7b560e5240cf172717964a64e66b6ea935f799d056d8805d8
luksbox_0.2.1-1_noble_arm64.deb	dc3510b4a68b338c744704d461145be6da5d5d9ad971370738dde878fbe10d85
luksbox_0.2.1-1_trixie_amd64.deb	5b32699964f4ac59448cd0346339b8c30a162d8f40618045722ef992e273f437
luksbox_0.2.1-1_trixie_arm64.deb	d0ffaeb32d5cd276a7b1b1da1f853a3c302a3cdf9b2f79ed988b88c352851e7e

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.1-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.1-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.1-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.1-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.1-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.1-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.1-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present...

v0.2.0

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS

# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File	SHA-256
luksbox-0.2.0-1.aarch64.rpm	73ca30df245a84b47be3f78fee996b13e1fd401b5dfc3808309e03d8fd458f6c
luksbox-0.2.0-1.x86_64.rpm	4a5334e550cd36d5c653027de0858fe564ef648505b0922c2c3ade7d300d419d
luksbox-v0.2.0-aarch64-linux-jammy.tar.gz	d067182bdc38179709de4e59a17d48c5260510765cb20849b865f0952d42475d
luksbox-v0.2.0-aarch64-macos-fuset-portable.tar.gz	17955aff62a7097639d866acd5c9cb528d3bc1fc4bab9aad73d524879ae7318e
luksbox-v0.2.0-aarch64-macos-fuset.dmg	8f0c30251a3a746da0b2d89cdcf8b674c4df56896f276922b4f753e2de378bf0
luksbox-v0.2.0-x86_64-linux-jammy.tar.gz	d051729656f9fa9801d9b3c17b028a6cef2b011551dc64cdf0c23497b26f1eb9
luksbox-v0.2.0-x86_64-windows-setup.exe	8f1254824e2df4cf74f36ed626c9359bc2418cc66358a57c141a065b16f66f58
luksbox-v0.2.0-x86_64-windows.msi	219499a282740332d5693cb5f2397653e21b94350c08208454fdb14d917954b4
luksbox-v0.2.0-x86_64-windows.zip	9b9b930bd92e28df5e730c005f9d37cb6122b8884c674f0000e7048e792eeb22
luksbox_0.2.0-1_jammy_amd64.deb	e5628eb16085bcb59d540609ab8092479e945d34842b8011e8366796165da73a
luksbox_0.2.0-1_jammy_arm64.deb	1b0eb9df4e1a360e2c3f127a43abc06a64c4fecdc93ba73c36c1b64178d37606
luksbox_0.2.0-1_noble_amd64.deb	787f406a459ffdfe4ef38b2982aa9908af7e8d1f26a5bf9fe0c4e54d867f12b8
luksbox_0.2.0-1_noble_arm64.deb	e8ba7504ca387a48e01b40223854f962538f0c30a07898542c02c245bee1a4ab

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.0-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.0-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.0-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.0-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.0-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.0-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.0-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present...

v0.1.1

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS

# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File	SHA-256
luksbox-0.1.1-1.aarch64.rpm	6e22209fc380441df341c7e0269ad4bbe62a4c2c986f81f0f68881bfb7418f29
luksbox-0.1.1-1.x86_64.rpm	6221c1754e5bf2116805b2d5db597730041e8f373721df3b251481d3a749bedc
luksbox-v0.1.1-aarch64-linux-jammy.tar.gz	1a4a2a62d60516b18b1e45fa75d4124d2f279af7325855a614a4493d0cdad7ff
luksbox-v0.1.1-aarch64-macos-portable.tar.gz	441ebb364603939dee01c409fbe2c2aecbd95be5b272c2f0cab78fd8f5cccb87
luksbox-v0.1.1-aarch64-macos.dmg	386f3015f3846c6d6a05eb0519f45033da897fdab6121491f1c976368c179d23
luksbox-v0.1.1-x86_64-linux-jammy.tar.gz	3db3db7dc13a4680f353c9efa3f02a278f0854b8cc270238ad4a58b3008e3b2f
luksbox-v0.1.1-x86_64-windows.msi	aa6a172b9937289c5a6b59fff86b93715a18661f8d364ca6c8cbfb45d83e1d97
luksbox-v0.1.1-x86_64-windows.zip	6f5029f0a149616bf369f5a1bbf9447c5671ff9d62fbf44fc3b27290f718cc95
luksbox_0.1.1-1_jammy_amd64.deb	3edea49b0497e5175c86a0af8cdbf0467e439d2c843f4ae4909c380464fbfbd8
luksbox_0.1.1-1_jammy_arm64.deb	61d9452db11a697fa0d9f24b995a449948c17661fe3bf574f9d32f7e0c7def78
luksbox_0.1.1-1_noble_amd64.deb	505923744a39f311a9568d6262eaf7d5935da787686ebcb41c50cc0a3698065d
luksbox_0.1.1-1_noble_arm64.deb	f9fb95b8e612b8ce598786248c9c6b3cad3f2840879c9b5ead80ccb6912bbfed

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.1.1-x86_64-linux-jammy.tar.gz && cd luksbox-v0.1.1-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.1.1-aarch64-linux-jammy.tar.gz && cd luksbox-v0.1.1-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon), .dmg (recommended): download
luksbox-v0.1.1-aarch64-macos.dmg,
double-click, drag LUKSbox.app onto the Applications
link, eject. The .app is self-contained, libfido2 +
transitive dependencies are bundled inside, you do NOT
need brew install libfido2. Double-clicking a .lbx
file in Finder opens it directly in LUKSbox.

macOS (Apple Silicon), portable .tar.gz: download
luksbox-v0.1.1-aarch64-macos-portable.tar.gz,
extract from Terminal with
tar xzf luksbox-v0.1.1-aarch64-macos-portable.tar.gz.
Ships the bare CLI + GUI binaries (bin/luksbox,
bin/luksbox-gui) with their dylib closure under
Frameworks/. Run in place: ./bin/luksbox --help or
./bin/luksbox-gui &. No .app, no Gatekeeper warning,
no quarantine xattr to clear (when extracted via
Terminal). See README-MACOS.txt inside for the full
layout + caveats.

mount (both builds) requires macFUSE
(https://macfuse.io/). Install with:

  brew install --cask macfuse

macFUSE installs a kernel extension. macOS will block
it on first install — approve under System Settings
→ Privacy & Security, then reboot. On Apple Silicon
you may also need to lower the security policy via
Recovery Mode → Startup Security Utility → Reduced
Security before the kext can load. Both are one-time
per-machine setup. Once macFUSE is approved,
luksbox mount works directly.

(FUSE-T (https://www.fuse-t.org/) is a kext-free
alternative we'd love to support, but the underlying
fuser Rust crate hard-requires the macFUSE libfuse2
ABI on macOS. FUSE-T provides only libfuse3. Switching
would require swapping our FUSE wrapper crate.)

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows prerequisite (both flavors below): install
WinFsp 2.x first from https://winfsp.dev/rel/.
The LUKSbox binary statically links against
winfsp-x64.dll (provided by WinFsp), so without it the
binary fails to start with STATUS_DLL_NOT_FOUND. The
MSI refuses to install if WinFsp is missing and shows a
clear message; the portable .zip has no installer to
warn you, so install WinFsp first either way.

Windows (x86_64), recommended: download
luksbox-v0.1.1-x86_64-windows.msi,
double-click. The MSI installs LUKSbox to
C:\Program Files\LUKSbox\, prepends both
C:\Program Files\LUKSbox\ and <WinFspInstall>\bin
to the system PATH (so the loader resolves
winfsp-x64.dll and luksbox works in cmd /
PowerShell), drops a Start menu shortcut, and registers
the .lbx file extension (double-click any .lbx in
Explorer to open it). Uninstall via Apps & Features.

Windows (x86_64), portable: unzip
luksbox-v0.1.1-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

Full Changelog: v0.1.0...v0.1.1

v0.1.0

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS

# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File	SHA-256
luksbox-0.1.0-1.aarch64.rpm	903e9ebb3e12bea8fa17b17dfd3b93370664ef3e625c1e1431feae066ffbc2ca
luksbox-0.1.0-1.x86_64.rpm	f47082d7d8cfa97e43873dca87d1094206e3691b69bc459eb242b14d7dcc93e2
luksbox-v0.1.0-aarch64-linux-jammy.tar.gz	a26320117dab7d333dcc95ff2be6c76663d473124739177924cf9bc3d4ca0ef7
luksbox-v0.1.0-aarch64-macos-portable.tar.gz	36c9c70192d6d59551875e1742b74c6bd94f39e24e6845990a421107fe8983ca
luksbox-v0.1.0-aarch64-macos.dmg	68978046cfef646d457f3e707ac42124a5efc4e75ba69ac50ccaafc6185c45cb
luksbox-v0.1.0-x86_64-linux-noble.tar.gz	67e8984cfa93bf623c89b73cdc21159fb7842a071587212bea8fc17c39113002
luksbox-v0.1.0-x86_64-windows.msi	d1b712657f238791edaf51f2a058e67f7c9e90fcd5c3539d217e793e73b5de84
luksbox-v0.1.0-x86_64-windows.zip	ee1a3aabc3fc596d4233420f7928b5050c88ab9cc2e7863c0cc6b54f17e91e46
luksbox_0.1.0-1_jammy_amd64.deb	4c82f3d984a7fccee0770138254810c36eaff36a5df5d640b866d535d0dd09d0
luksbox_0.1.0-1_jammy_arm64.deb	9920fe669b99b18ea8d060331575e608d02b66bfe4fa0d0874a6e38ec9399592
luksbox_0.1.0-1_noble_amd64.deb	548d97b00d22d29d5c9a012d6c488e4d3c007dd7f65fe909409a595c095ae1a9
luksbox_0.1.0-1_noble_arm64.deb	97e070f0087acaaa015afeaf939ee10a4b69fc9693755b068e48befd2df04a92

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.1.0-x86_64-linux-jammy.tar.gz && cd luksbox-v0.1.0-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.1.0-aarch64-linux-jammy.tar.gz && cd luksbox-v0.1.0-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon), .dmg (recommended): download
luksbox-v0.1.0-aarch64-macos.dmg,
double-click, drag LUKSbox.app onto the Applications
link, eject. The .app is self-contained, libfido2 +
transitive dependencies are bundled inside, you do NOT
need brew install libfido2. Double-clicking a .lbx
file in Finder opens it directly in LUKSbox.

macOS (Apple Silicon), portable .tar.gz: download
luksbox-v0.1.0-aarch64-macos-portable.tar.gz,
extract from Terminal with
tar xzf luksbox-v0.1.0-aarch64-macos-portable.tar.gz.
Ships the bare CLI + GUI binaries (bin/luksbox,
bin/luksbox-gui) with their dylib closure under
Frameworks/. Run in place: ./bin/luksbox --help or
./bin/luksbox-gui &. No .app, no Gatekeeper warning,
no quarantine xattr to clear (when extracted via
Terminal). See README-MACOS.txt inside for the full
layout + caveats.

mount (both builds) requires macFUSE
(https://macfuse.io/). Install with:

  brew install --cask macfuse

macFUSE installs a kernel extension. macOS will block
it on first install — approve under System Settings
→ Privacy & Security, then reboot. On Apple Silicon
you may also need to lower the security policy via
Recovery Mode → Startup Security Utility → Reduced
Security before the kext can load. Both are one-time
per-machine setup. Once macFUSE is approved,
luksbox mount works directly.

(FUSE-T (https://www.fuse-t.org/) is a kext-free
alternative we'd love to support, but the underlying
fuser Rust crate hard-requires the macFUSE libfuse2
ABI on macOS. FUSE-T provides only libfuse3. Switching
would require swapping our FUSE wrapper crate.)

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows prerequisite (both flavors below): install
WinFsp 2.x first from https://winfsp.dev/rel/.
The LUKSbox binary statically links against
winfsp-x64.dll (provided by WinFsp), so without it the
binary fails to start with STATUS_DLL_NOT_FOUND. The
MSI refuses to install if WinFsp is missing and shows a
clear message; the portable .zip has no installer to
warn you, so install WinFsp first either way.

Windows (x86_64), recommended: download
luksbox-v0.1.0-x86_64-windows.msi,
double-click. The MSI installs LUKSbox to
C:\Program Files\LUKSbox\, prepends both
C:\Program Files\LUKSbox\ and <WinFspInstall>\bin
to the system PATH (so the loader resolves
winfsp-x64.dll and luksbox works in cmd /
PowerShell), drops a Start menu shortcut, and registers
the .lbx file extension (double-click any .lbx in
Explorer to open it). Uninstall via Apps & Features.

Windows (x86_64), portable: unzip
luksbox-v0.1.0-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

Full Changelog: https://github.com/PentHertz/LUKSbox/commits/v0.1.0