ZeroVault

A Rust-based lightweight cryptographic CLI designed for encrypting and verifying sensitive documents using modern, secure encryption primitives. The vault uses AES-256-GCM for symmetric encryption and Ed25519 for digital signatures.

About this skill

Quality Score: 0/100
Category: Design
Supported Platforms: Universal

README

ZeroVault

ZeroVault is a lightweight cryptographic vault designed for encrypting and verifying sensitive documents using modern, secure encryption primitives. Using 3-layer encryption techniques with signatures, memory protection and serialization, your data stays surrounded by a defence-in-depth security architecture. With a simple command like zerovault encrypt, your data is protected by multiple layers of strong encryption.

For detailed installation instructions, see INSTALL.md.

Purpose & Motivation

Digital file protection requires a blend of confidentiality, integrity, and ease of use. ZeroVault aims to:

  • Provide strong encryption using modern ciphers and key derivation
  • Offer digital signature verification to detect tampering
  • Simplify encryption/decryption processes via a CLI-based toolchain
  • Be usable for SPII and document workflows

ZeroVault is particularly useful for developers and professionals seeking a verifiable and deterministic mechanism for protecting sensitive files during transmission or at rest.

Quick Installation

ZeroVault features automatic self-installation:

# Windows
curl.exe -L -o zerovault.exe https://github.com/ParleSec/zerovault/releases/latest/download/zerovault-windows-amd64.exe
.\zerovault.exe --version

# Linux
curl -L -o zerovault https://github.com/ParleSec/zerovault/releases/latest/download/zerovault-linux-amd64
chmod +x zerovault
./zerovault --version

Key Features

🔐 Secure Encryption

  • Triple-layer protection: Uses AES-256-GCM, ChaCha20-Poly1305, and AES-256-CBC
  • Random nonces and salts per encryption
  • Key derived from password using Argon2id with aggressive memory cost (1GB)
  • High base security level for maximum security

🧾 Digital Signatures

  • Signing of ciphertext with Ed25519 private key
  • Signature verification using embedded public key
  • Cryptographic proof of file integrity

🛡️ Memory Protection

  • Memory locking to prevent sensitive data from being swapped to disk
  • Guard pages for buffer overflow detection
  • Canary values for memory tampering detection
  • Multi-pass secure memory zeroization

📋 Metadata Support

  • File comments for describing encrypted content
  • Creation and modification timestamps
  • Version tracking for backward compatibility
  • Full JSON serialization of all metadata

🔁 Serialization

  • All binary data (nonce, salt, signature, pubkey, ciphertext) encoded to Base64
  • Structured vault format with separate data and metadata sections
  • Backward compatibility with legacy vault formats
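The signature and serialization bullets above, as an added example written for this page (it is not ZeroVault's code): a Go program that Base64-encodes the binary fields into a JSON container with separate data and metadata sections, signs salt, nonce and ciphertext with Ed25519, embeds the public key, and validates a container before any decryption is attempted. The JSON field names, the Vault struct, the function names and the exact bytes covered by the signature are assumptions made for the example; ZeroVault's real on-disk layout may differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Vault is an assumed container layout modelled on the README's description
// (Base64 binary fields, separate data and metadata sections). It is not
// ZeroVault's real on-disk format.
type Vault struct {
	Data struct {
		Salt       string `json:"salt"`
		Nonce      string `json:"nonce"`
		Ciphertext string `json:"ciphertext"`
		PublicKey  string `json:"public_key"`
		Signature  string `json:"signature"`
	} `json:"data"`
	Metadata struct {
		Comment   string `json:"comment"`
		CreatedAt int64  `json:"created_at"`
		Version   string `json:"version"`
	} `json:"metadata"`
}

// signedMessage binds salt, nonce and ciphertext together under one signature,
// so swapping any one of them in from another vault invalidates it.
func signedMessage(salt, nonce, ciphertext []byte) []byte {
	return bytes.Join([][]byte{salt, nonce, ciphertext}, nil)
}

// BuildVault signs the ciphertext with a freshly generated Ed25519 key, embeds
// the public key, and serializes everything to JSON.
func BuildVault(salt, nonce, ciphertext []byte, comment string, createdAt int64) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	var v Vault
	v.Data.Salt, v.Data.Nonce, v.Data.Ciphertext = enc(salt), enc(nonce), enc(ciphertext)
	v.Data.PublicKey = enc(pub)
	v.Data.Signature = enc(ed25519.Sign(priv, signedMessage(salt, nonce, ciphertext)))
	v.Metadata.Comment, v.Metadata.CreatedAt, v.Metadata.Version = comment, createdAt, "1.0.0"
	return json.MarshalIndent(v, "", "  ")
}

// ValidateVault parses the JSON, decodes and size-checks every Base64 field
// and verifies the signature. If expectedPub is non-nil the embedded key must
// match it: an embedded key on its own proves the file was not altered after
// it was signed, not who signed it. The metadata is returned so it can be
// inspected before any decryption is attempted.
func ValidateVault(raw, expectedPub []byte) (*Vault, error) {
	var v Vault
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	fields := []string{v.Data.Salt, v.Data.Nonce, v.Data.Ciphertext, v.Data.PublicKey, v.Data.Signature}
	dec := make([][]byte, len(fields))
	for i, f := range fields {
		b, err := base64.StdEncoding.DecodeString(f)
		if err != nil {
			return nil, errors.New("vault: field is not valid Base64")
		}
		dec[i] = b
	}
	salt, nonce, ct, pub, sig := dec[0], dec[1], dec[2], dec[3], dec[4]
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("vault: wrong public key or signature length")
	}
	if expectedPub != nil && !bytes.Equal(pub, expectedPub) {
		return nil, errors.New("vault: embedded public key does not match the expected signer")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedMessage(salt, nonce, ct), sig) {
		return nil, errors.New("vault: signature verification failed")
	}
	return &v, nil
}

func main() {
	// Constructed sample values; in the tool these come from the KDF and cipher.
	raw, err := BuildVault([]byte("0123456789abcdef"), []byte("123456789012"), []byte("ciphertext-bytes"), "Confidential document", 1745333818)
	if err != nil {
		panic(err)
	}
	v, err := ValidateVault(raw, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\nvalidated, comment=%q\n", raw, v.Metadata.Comment)
}
```

The expectedPub argument is the check a recipient should add on top of what an embedded key provides: a valid signature under the embedded key shows the file has not changed since it was signed, but it says nothing about who produced it, so the key should be compared with one obtained out of band (the public_key value that zerovault info --json prints is a natural thing to exchange ahead of time). Validation runs entirely on the Base64 and signature layer, so a corrupted or mismatched vault is rejected before the password or the ciphertext are touched.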

🖥️ Interactive CLI

  • User-friendly interface with interactive prompts
  • Smart defaults for file paths and options
  • Secure password entry with confirmation
  • Optional comments for encrypted files

Security Architecture

Triple-Layer Encryption

ZeroVault employs three independent encryption layers:

  1. AES-256-GCM: Authenticated encryption providing confidentiality and integrity
  2. ChaCha20-Poly1305: Stream cipher with integrated authentication
  3. AES-256-CBC with HMAC-SHA512: Block cipher with separate message authentication

Each layer uses independent keys, nonces, and authentication mechanisms to ensure that a vulnerability in one algorithm doesn't compromise your data.

Key Derivation

  • Argon2id: Memory-hard algorithm resistant to specialized hardware attacks
  • Tunable Parameters:
    • Memory usage: 1GB
    • Iteration count: 12 passes for maximum security level
    • Parallelism: Automatically utilizes available CPU cores
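The layering and per-layer key separation described in the two sections above, as an added example written for this page (it is not ZeroVault's code), using only Go's standard library: AES-256-GCM as the inner layer and AES-256-CBC with a separate HMAC-SHA512 tag as the outer layer, each under its own key derived from one master key. Assumptions: ChaCha20-Poly1305 is left out because it is not in the standard library; the Argon2id step is replaced by a constructed 32-byte master key; and the HKDF-style subkey labels, the output layouts and the names EncryptLayered, DecryptLayered and deriveSubkey are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
)

// deriveSubkey gives each layer its own key (HKDF-Expand-style HMAC-SHA256 over a
// label). In the tool the master key is Argon2id output; here it is constructed.
func deriveSubkey(master []byte, label string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(label + "\x01"))
	return mac.Sum(nil) // 32 bytes = one AES-256 key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable for an encryption tool
	}
	return b
}

// Layer 1: AES-256-GCM with a fresh random nonce prepended to the output.
func sealGCM(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes from deriveSubkey
	aead, _ := cipher.NewGCM(block)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func openGCM(key, data []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], nil)
	}
	return nil, errors.New("gcm: input too short")
}

// Layer 3: AES-256-CBC (PKCS#7) with a separate HMAC-SHA512 tag over iv||ciphertext
// (encrypt-then-MAC). Output layout: iv || ciphertext || 64-byte tag.
func sealCBCHMAC(encKey, macKey, plaintext []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // always 1..16
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append(randomBytes(aes.BlockSize), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(out)
	return mac.Sum(out)
}

func openCBCHMAC(encKey, macKey, data []byte) ([]byte, error) {
	n := len(data) - sha512.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("cbc: malformed input")
	}
	body, tag := data[:n], data[n:]
	mac := hmac.New(sha512.New, macKey)
	mac.Write(body)
	// Constant-time tag check before any decryption or padding inspection (no padding oracle).
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("cbc: authentication failed")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("cbc: bad padding")
}

// EncryptLayered chains the layers (GCM innermost, CBC+HMAC over its output); each layer gets its own key and nonce/IV.
func EncryptLayered(master, plaintext []byte) []byte {
	inner := sealGCM(deriveSubkey(master, "layer1/aes-256-gcm"), plaintext)
	return sealCBCHMAC(deriveSubkey(master, "layer3/aes-256-cbc"), deriveSubkey(master, "layer3/hmac-sha512"), inner)
}

// DecryptLayered peels the layers in reverse; a failed tag aborts immediately.
func DecryptLayered(master, data []byte) ([]byte, error) {
	inner, err := openCBCHMAC(deriveSubkey(master, "layer3/aes-256-cbc"), deriveSubkey(master, "layer3/hmac-sha512"), data)
	if err != nil {
		return nil, err
	}
	return openGCM(deriveSubkey(master, "layer1/aes-256-gcm"), inner)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the Argon2id output
	fmt.Println(DecryptLayered(master, EncryptLayered(master, []byte("sensitive document"))))
}
```

The outer layer verifies its HMAC-SHA512 tag with hmac.Equal before any decryption or padding inspection, which is what makes "separate message authentication" safe in practice: a wrong password, a truncated file or a single flipped ciphertext byte fails at that check instead of yielding garbage or a padding oracle. Replacing the constructed master key with Argon2id (golang.org/x/crypto/argon2) and adding the ChaCha20-Poly1305 middle layer (golang.org/x/crypto/chacha20poly1305) follows the same pattern, with one more deriveSubkey label and one more random nonce.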

Implementation Details

  • Memory Safety: Built in Rust to eliminate common vulnerability classes
  • Modular Design: Core cryptography isolated from interface code
  • Comprehensive Testing: Unit tests, integration tests, property-based testing
  • Self-Installing: Automatically configures itself on first run

Command Reference

| Command | Description | Example |
|---------|-------------|---------|
| encrypt | Encrypt a file | zerovault encrypt --input file.pdf |
| decrypt | Decrypt a vault file | zerovault decrypt --input file.vault |
| info | Display vault metadata | zerovault info --input file.vault |
| validate | Verify vault integrity | zerovault validate --input file.vault |
| encrypt-stream | Encrypt from stdin to stdout | cat file.txt \| zerovault encrypt-stream |
| decrypt-stream | Decrypt from stdin to stdout | cat file.vault \| zerovault decrypt-stream |
| test | Run self-tests | zerovault test |

For complete options, run zerovault --help or zerovault <command> --help.

Security Considerations

Strengths

  • Multiple independent encryption layers
  • Memory-hard key derivation resistant to brute-force attacks
  • Written in Rust for memory safety
  • Constant-time operations for cryptographic functions
  • Unique cryptographic material for each file

Limitations

  • Security depends significantly on password strength
  • Higher security levels require substantial RAM (up to 1GB)
  • Stronger security comes with performance trade-offs
  • No current support for public key encryption
  • Side-channel protection depends on hardware/OS capabilities

Best Practices

  • Use strong, unique passwords
  • Select appropriate security level for your needs
  • Verify metadata before decryption
  • Keep secure backups of encrypted files
  • Consider offline storage for the most sensitive vault files

Comparison with Alternatives

| Feature | ZeroVault | GPG | VeraCrypt | Age |
|---------|-----------|-----|-----------|-----|
| Multiple Encryption Layers | ✅ (3 layers) | ❌ | ✅ (2 layers) | ❌ |
| Memory-Hard KDF | ✅ (Argon2id) | ❌ | ✅ (PBKDF2) | ✅ (scrypt) |
| Digital Signatures | ✅ | ✅ | ❌ | ❌ |
| Memory Safety | ✅ (Rust) | ❌ (C) | ❌ (C/C++) | ✅ (Go) |
| Self-Installing | ✅ | ❌ | ❌ | ❌ |
| Stream Processing | ✅ | ✅ | ❌ | ✅ |
| File Comments | ✅ | ✅ | ❌ | ❌ |
| Volume Encryption | ❌ | ❌ | ✅ | ❌ |

Getting Started

Basic Usage

# Encrypt a file (interactive mode)
zerovault encrypt

# Decrypt a file (interactive mode)
zerovault decrypt

# View information about an encrypted file
zerovault info --input document.txt.vault

Example interactive session:

$ zerovault encrypt
Enter input file path: document.txt
Enter output file path [document.txt.vault]: 
Enter encryption password: ********
Confirm password: ********
Enter comment (optional): My secure document
✓ File encrypted successfully
  Input: document.txt
  Output: document.txt.vault
  Size: 1024 bytes
  Comment: My secure document

Command-Line Arguments

For scripting or automation:

# Encrypt a file
zerovault encrypt --input file.pdf --output file.vault --password mypassword --non-interactive

# Decrypt a file
zerovault decrypt --input file.vault --output file.pdf --password mypassword --non-interactive

# Force overwrite existing files
zerovault encrypt --input file.pdf --output file.vault --force

Stream Processing

Work with standard input/output:

# Encrypt from stdin to a file
cat document.txt | zerovault encrypt-stream --password "your-password" > document.vault

# Decrypt from a file to stdout
cat document.vault | zerovault decrypt-stream --password "your-password" > document.txt

Batch Processing

Process multiple files:

# Batch encrypt all text files in a directory
for file in *.txt; do
  zerovault encrypt --input "$file" --password batch_password --non-interactive
done

# Batch validate all vault files
for vault in *.vault; do
  zerovault validate --input "$vault"
done

Additional Options

# Verbose output
zerovault encrypt --input file.pdf --verbose

# JSON output for programmatic usage
zerovault info --input file.vault --json

Example JSON output:

{
  "encrypted_data_size": 423,
  "file_path": "file.vault",
  "file_size": 974,
  "metadata": {
    "comment": "Confidential document",
    "created_at": 1745333818,
    "version": "1.0.0"
  },
  "public_key": "YiN4WYqupD3vyefIFh0ESlRRRX2yvOMWGkXQZKW3HH0=",
  "success": true
}

Advanced Use Cases

Nested Encryption

You can encrypt already encrypted files for layered security:

# First layer of encryption
zerovault encrypt --input secret.txt --output layer1.vault --password inner_password

# Second layer of encryption
zerovault encrypt --input layer1.vault --output layer2.vault --password outer_password

Secure Workflows

For secure document sharing:

# 1. Sender encrypts file with comment
zerovault encrypt --input presentation.pptx --comment "For review - Confidential" 

# 2. Share the vault file and password securely with recipient

# 3. Recipient verifies file metadata before decryption
zerovault info --input presentation.pptx.vault

# 4. Recipient decrypts file
zerovault decrypt --input presentation.pptx.vault

Architecture

System Structure

  • vault_core: Core cryptographic logic
  • cli: Command-line interface for using the vault
    • types.rs: Custom serializable types including encryption metadata
    • utils.rs: Utility functions for CLI operations
    • commands.rs: Command implementations
    • main.rs: Entrypoint for CLI application
    • self_install.rs: Automatic installation logic

The modular design ensures separation of concerns, with the core crypto

GitHub Stars: 16
Category: Design
Updated: 8mo ago
Forks: 0

Languages: Rust

Security Score: 87/100 (audited on Jul 23, 2025, no findings)