Lockit is a small, command line program to password protect your files with strong encryption.
$ cargo install lockitDisplay help.
$ lockit -h # Use --help for the long help message.Encrypt a file.
$ lockit -e secret.txtDecrypt a file.
$ lockit -d secret.txtIncrease the number of hashing iterations of the KDF's HMAC function. This increases the computational cost of cracking your password. The same iteration count needs to be passed to Lockit when decrypting the file.
$ lockit -e -i 1000000 secret.txtBy default, Lockit applies PBKDF2 with 200,000 iterations of HMAC-SHA512 to your password and a random 16-byte salt to generate a key, which it then uses to encrypt the file using AES-256 in Galois/Counter Mode (GCM). This mode of operation provides both confidentiality (i.e. the data cannot be read) and integrity (i.e. the data cannot be covertly tampered with).
This is the work of a Rust noob, which I am sharing here as a potential learning resource for others and to show off some of my newfound Rust skills.
I recently finished reading The Rust Programming Language and was looking for a project to help me get more comfortable writing software in Rust and making use of the available crates. I tried a few of the many Build Your Own X tutorials, but found that I was doing a lot of copy-pasting of the code samples without actually doing much thinking for myself. Therefore, I wasn't getting the benefit of figuring out how to design Rust software.
I eventually decided to take a break from these follow-along style tutorials and to try to implement something, myself, that I thought would be fun and interesting. Cryptography being one of my primary interests, I chose to write a file encryption/decryption utility!
If you are interested in trying this out for yourself, then here is my proposal for you: Do NOT read the source code in this repository. Implement your own version of this application, and, once you have a product that you are satisfied with, feel free to compare my code to what you wrote, keeping in mind that your solution may very well be better.
This is roughly the order in which I implemented the various components.
- Command line option/argument parsing
- Reading a password from the terminal
- Turning the password into a key
- Reading a file into memory
- Writing a file to disk
- Encrypting data
- Decrypting data
In my implementation (~300 LoC) I used the following crates, but I encourage you to search for alternatives.
| Crate | Description |
|---|---|
| anyhow | Improved error messages with optional context |
| clap | Command line argument parsing |
| ring | Cryptographic primitives |
| rpassword | Read passwords from the console |
| tempfile | Temporary files to help prevent data loss |
| thiserror | Easily create custom error types |
| zeroize | Securely clear secrets from memory |
Finding, evaluating, and comparing the libraries you have at your disposal in order to choose the one that is right for your use case is an important part of software development. And so is reading documentation, which I hope you will get lots of practice doing when figuring out how to use your chosen crates.