KnoxCrypt (formerly TeaSafe): An encrypted filesystem
What is it?
- A tool for creating and browsing encrypted 'boxes' of data; similar to Truecrypt.
- Supports lots of ciphers including AES-256.
- Utilizes a million iterations of PBKDF2 for key derivation. Seems like a big number but probably overkill.
- Can create sparse containers.
- Sub-volume capability.
What's with the name?
The name has stuck for historical reasons: a very early version used the XTEA cipher for encryption. I think the project could do with a better name though. Let me know if you have any suggestions. I renamed the project to knoxcrypt.
KnoxCrypt is highly developmental and therefore probably buggy. I make no guarantees as to the integrity of stored data. Neither do I guarantee 100% data security. Having said that, if you're happy with the strength of AES-256 in CTR mode and with a key that has been derived using quite a few rounds of PBKDF2, then I think it should be fine. Take that as you will.
Note, only tested on Linux and Mac. With a bit of work, will probably build (sans fuse-bits) on Windows too.
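What the two primitives named above provide, as an added example that is not KnoxCrypt's code: PBKDF2 with a million iterations sets the cost of each password guess, and counter mode allows random access into a container but does not by itself detect modified ciphertext. Assumptions: HMAC-SHA256 as the PBKDF2 PRF, HMAC-SHA256 standing in for the AES block encryption so that only the standard library is needed, and the encrypt-then-MAC check; the page does not say whether KnoxCrypt uses any of these.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 1_000_000  # iteration count stated on this page
BLOCK = 32              # output size of the stand-in block function below

def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Assumption: HMAC-SHA256 as the PBKDF2 PRF; the page does not name the hash.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def keystream(key: bytes, iv: bytes, offset: int, length: int) -> bytes:
    # Counter mode: block i of the keystream depends only on (key, iv, i), so
    # any byte range of a container can be processed without reading the rest.
    # Stand-in: HMAC-SHA256 replaces the AES block encryption (stdlib only).
    out = bytearray()
    counter, skip = divmod(offset, BLOCK)
    while len(out) < skip + length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[skip:skip + length])

def ctr_xor(key: bytes, iv: bytes, offset: int, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, offset, len(data))))

def seal(key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    # Encrypt-then-MAC, using a separate MAC key derived from the main key.
    ct = ctr_xor(key, iv, 0, plaintext)
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def verify(key: bytes, iv: bytes, ct: bytes, tag: bytes) -> bool:
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest())

if __name__ == "__main__":
    salt, iv = os.urandom(16), os.urandom(16)
    start = time.perf_counter()
    key = derive_key(b"constructed passphrase", salt)
    print(f"one password guess costs {time.perf_counter() - start:.2f}s of PBKDF2")
    ct, tag = seal(key, iv, b"constructed file contents, block 0")
    print("tail decrypts alone:", ctr_xor(key, iv, 12, ct[12:]))
    flipped = bytes([ct[0] ^ 1]) + ct[1:]
    print("CTR decrypts tampered data silently:", ctr_xor(key, iv, 0, flipped))
    print("MAC accepts original / tampered:", verify(key, iv, ct, tag), verify(key, iv, flipped, tag))
```

The key-derivation time printed is what each password guess against a container header would cost on the same hardware; the last two lines show that counter mode alone returns altered plaintext without error, while the MAC check rejects it.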
- some of the boost headers and libraries to build (see makefile).
- fuse for the main fuse layer binary (the binary 'knoxcrypt')
- crypto++ headers and libraries for building and linking
- cryptostreampp, a small set of headers allowing straightforward implementation of encrypted file streams (see https://github.com/benhj/cryptostreampp). This is now a submodule and is automatically grabbed when cloning knoxcrypt recursively.
First grab the source by cloning recursively:
git clone --recursive https://github.com/benhj/knoxcrypt
If you don't have fuse installed, you'll probably want to only build the main knoxcrypt library (libknoxcrypt.a), the shell (teashell) and makeknoxcrypt, the binary used to make knoxcrypt containers. To build these, respectively:
make lib
make shell
make makeknoxcrypt
Note that building either of the binaries
makeknoxcrypt will automatically build
make all will compile everything, i.e., the following binaries:
test : unit tests various parts of the main api
makeknoxcrypt : builds knoxcrypt containers
knoxcrypt : fuse layer used for mounting knoxcrypt containers
teashell : shell utility used for accessing and modifying knoxcrypt containers
To build a KnoxCrypt container that uses AES256, with 4096 * 128000 bytes, use the
./makeknoxcrypt ./test.bfs 128000
For alternative ciphers, use the --cipher flag, e.g.:
./makeknoxcrypt ./test.bfs 128000 --cipher twofish
The available cipher options are
null. Update 30/5/15: There are quite a few more than that these days. Have a look at the cryptostream headers if you're so inclined.
null disables encryption and thus provides no security. The default is aes.
Sparse containers can also be created, growing in size as more data are written to them. Just use the --sparse flag during creation, i.e.:
./makeknoxcrypt ./test.bfs 128000 --sparse 1
Now to mount it to /testMount via fuse, use the
./knoxcrypt ./test.bfs /testMount
Runs the interactive shell on it using the
KnoxCrypt follows the BSD 3-Clause licence.