A Python script for password-protected tarballs

    usage: EncrypTar.py [-h] [-p PASSPHRASE_FILE] [-a | -x | -l] [-r] [-n]
                        ARCHIVE [FILES [FILES ...]]

    Python script that does encrypted archives of both files and directories.

    positional arguments:
      ARCHIVE               Name of archive file to create/list/extract.
      FILES                 The file/directory to archive/(extract to). Not
                            recursive by default. Defaults to current working
                            directory.

    optional arguments:
      -h, --help            show this help message and exit
      -p PASSPHRASE_FILE, --passphrase-file PASSPHRASE_FILE
                            Optional file containing passphrase to use for
                            encryption.
      -a, --archive         Run in archive mode, default mode.
      -x, --extract         Run in extract mode.
      -l, --list            Lists the contents of an archive.
      -r, --recursive       Encrypt directories recursively.
      -n, --no-compression  Do not use compression (lzma is default) when creating
                            the archive.

EncrypTar uses AES in Galois/Counter Mode (GCM) to encrypt compressed tarballs generated by Python's tarfile module. Using AES in this mode provides both confidentiality and integrity to the data. The key for encryption is derived from a user-specified password using PKCS#5 PBKDF2.
The file format EncrypTar uses is as simple as possible. The diagram below shows the layout of EncrypTar files.

    +-------------+----------+----------+----------+-------------------+
    | Magic Bytes | Key salt | Nonce    | Tag      | Encrypted Tarball |
    | 0x25 0x24   |          |          |          |                   |
    | 2 bytes     | 16 bytes | 16 bytes | 16 bytes | Variable length   |
    +-------------+----------+----------+----------+-------------------+

- Magic Bytes - Two bytes that identify EncrypTar files
- Key salt - A random value fed into PBKDF2 so that the same password produces a different key for each archive
- Nonce - Used as the IV in AES-GCM so that each archive gets a unique key-stream
- Tag - The GCM authentication tag; verifying it provides both password-checking and integrity-checking
- Encrypted Tarball - The ciphertext of the tarball of the user's files

The header adds a constant 50 bytes (2 + 16 + 16 + 16) of overhead to the size of the tarball.
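
The layout above can be parsed with the standard library alone. The sketch below is an added example, not EncrypTar's own code: it splits a file into its fields, rejects truncated input and wrong magic bytes before any key derivation happens, and derives a key from the salt. The PBKDF2 hash, iteration count and key length are assumptions (the page only names PKCS#5 PBKDF2), as are all function and class names.

```python
import hashlib
import os
import struct
from typing import NamedTuple

MAGIC = b"\x25\x24"  # magic bytes from the layout diagram
HEADER = struct.Struct("<2s16s16s16s")  # magic, key salt, nonce, tag


class EncrypTarFile(NamedTuple):  # hypothetical container name
    salt: bytes
    nonce: bytes
    tag: bytes
    ciphertext: bytes


def parse(blob: bytes) -> EncrypTarFile:
    """Split an archive into its fields, rejecting malformed input early."""
    if len(blob) < HEADER.size:
        raise ValueError(f"truncated: need {HEADER.size} header bytes, got {len(blob)}")
    magic, salt, nonce, tag = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not an EncrypTar file (bad magic bytes)")
    return EncrypTarFile(salt, nonce, tag, blob[HEADER.size:])


def derive_key(passphrase: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    # ASSUMPTION: SHA-256, the iteration count and the 32-byte key length are
    # illustrative; the page does not state the parameters EncrypTar uses.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def build_sample(ciphertext: bytes) -> bytes:
    """Constructed sample: random salt and nonce, all-zero placeholder tag."""
    return HEADER.pack(MAGIC, os.urandom(16), os.urandom(16), bytes(16)) + ciphertext


if __name__ == "__main__":
    sample = build_sample(b"constructed ciphertext bytes")
    fields = parse(sample)
    print("header overhead:", len(sample) - len(fields.ciphertext))
    print("derived key:", derive_key(b"example passphrase", fields.salt).hex())
```

Decryption itself needs an AES-GCM implementation from a third-party library and is left out here; the tag must be verified before any plaintext is handed to the tar extractor.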