Rufendec

Rufendec: A Fast File Encryption Command Line tool

[![crate][crate-image]][crate-link] ![MIT licensed][license-image] ![Rust Version][rustc-image] [![Downloads][downloads-image]][crate-link] ![Category][category-image]

Rufendec (Rust File Encryptor-Decryptor) is a lightweight CLI tool for AES-256 encryption and decryption, preserving file names and directory structure. With support for ECB/GCM modes, it simplifies securing and restoring files with ease, all powered by Rust.

Use Case

• <ins>Encrypt files while preserving directory structure</ins>: This allows you to upload encrypted files to cloud storage for backup. It's especially useful when your backup medium doesn’t support Full Disk Encryption (FDE). Additionally, it enables you to target specific files or folders for decryption from the backup, providing greater flexibility.

• <ins>File-level encryption vs. block-level encryption</ins>: Unlike Full Disk Encryption solutions like LUKS or BitLocker, which encrypt at the block level and can suffer from potential issues like sector header corruption, this tool performs file-level encryption. This minimizes the risk of file corruption and ensures that only the encrypted files are affected, not the entire disk.

• <ins>Use on embedded devices or mobile platforms</ins>: This tool is particularly useful for encrypting files on embedded devices or mobile platforms where Full Disk Encryption (FDE) may not be supported. These devices often have limited resources, or their operating systems may not support full disk encryption, making file-level encryption an ideal solution for securing sensitive data without requiring FDE.

Features

• Encrypt and decrypt multiple files when operating on the directory level using AES-256 GCM and ECB modes. GCM is chosen as the default mode.
• Encrypt and decrypt a single file.
• Suppress all terminal I/O while working on a single file.
• The program is multi-threaded, so the user can manually choose the number of threads.
• The password file with ".omk" extension can be maintained in /etc, /home, /root or even the current directory (".") if you are a linux user. For windows, the file can be placed either in the current directory or "C:/WINDOWS/SYSTEM32/config"
• Argon2ID and PBKDF2-HMAC-SHA256 can be used for the key derivation. Argon2 is used by default and the default iterations is 10
• Encrypted files can be observed with a ".enom" extension, so you can distinguish between encrypted and normal files.
• Program refuse to encrypt already encrypted source files (with ".enom extension") as a safe guard mechanism by preventing double encryption (But it won't work while encrypting a single file using rufendec file subcommand).
• Prevents accidentally encrypting directories such as /, /etc, /bin, /sbin etc. We have totally 23 illegal locations defined in the program.
• In-place file encryption and decryption is possible if the target directory is not specified as a Command line argument, but use in conjunction with "-d" option.
• Source files can be deleted by passing the "-d" option.
• Shred the source files instead of delete.
• Verbose output using "-v" option.
• Anonymize source file names using "-a" option.
• Dry run feature using "-r" option ("-d" will be automatically ignored while using this).

How to Use

Method 1: This is a rust binary crate, so treat it as an executable. If you already know what Cargo is, how to install and use it, then go ahead and install by running the command cargo install rufendec. However, if you do not wish to install this program on your system permanently, then CD (change directory) into the cloned git repo and run cargo run -- --help.

Method 2: If you download the executable/binary file taken from the release files in the github repo (which is the easiest method), then try running the program using the command ./rufendec --help in the folder where the executable is located.

Either way, the result of executing Rufendec will be something similar to the below.

Rufendec is a lightweight CLI tool for AES-256 encryption and decryption, preserving file names and directory structure. With support for ECB/GCM modes, it simplifies securing and restoring files with ease, all powered by Rust.

Usage: rufendec <COMMAND>

Commands:
  dir   Targets on the directory/folder level
  file  Targets on the file level
  help  Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

As the Commands imply, dir is used when you want to encrypt or decrypt files which are under a specified directory. file is used when you want to operate on individual files.

for more info try rufendec dir --help and rufendec file --help

The result would be as follows.

For rufendec dir --help

Targets on the directory/folder level

Usage: rufendec dir [OPTIONS] --operation <OPERATION> <SOURCE_DIR> [TARGET_DIR] [COMMAND]

Commands:
  shred  Shreds the source files
  help   Print this message or the help of the given subcommand(s)

Arguments:
  <SOURCE_DIR>  Specify the Source Directory here
  [TARGET_DIR]  Specify the Target Directory here. But if you do not provide this, the target files will be placed in the Source Directory

Options:
  -f, --password-file <PASSWORD_FILE>  Specify the password file with an extension ".omk". The first line in the file must have the password, and the second line must have the salt
  -k, --skip-passwd-file-search        Skip the password_file search on the machine in case you decided to not provide the password_file in the CLI options
  -o, --operation <OPERATION>          Specify the Operation you want to perform on the Source Directory [possible values: encrypt, decrypt]
  -m, --mode <MODE>                    Provide the mode of Encryption here [default: gcm] [possible values: ecb, gcm]
  -d, --delete-src                     Pass this option to delete the source files in the Source Directory
  -t, --threads <THREADS>              Threads to speed up the execution [default: 8]
  -x, --hash-with <HASH_WITH>          Generate the secure key with the specified hashing function algorithm [default: argon2] [possible values: argon2, pbkdf2]
  -i, --iterations <ITERATIONS>        Iterations for the choosen hashing function [default: 10]
  -v, --verbose                        Print verbose output
  -r, --dry-run                        Skip all file creation and deletion
  -a, --anon                           Anonymize source file names
  -h, --help                           Print help

For rufendec file --help

Targets on the file level

Usage: rufendec file [OPTIONS] --operation <OPERATION> <SOURCE_FILE> [TARGET_DIR] [COMMAND]

Commands:
  shred  Shreds the source files
  help   Print this message or the help of the given subcommand(s)

Arguments:
  <SOURCE_FILE>  Specify the Source file here (This is the file you want to either Encrypt or Decrypt)
  [TARGET_DIR]   Specify the Target directory here. But if you do not provide this, the target file will be placed in the source file's Directory

Options:
  -f, --password-file <PASSWORD_FILE>  Specify the password file with an extension ".omk". The first line in the file must have the password, and the second line must have the salt
  -k, --skip-passwd-file-search        Skip the password_file search on the machine in case you decided to not provide the `password_file` in the CLI options
  -p, --passwd <PASSWD>                Specify the password (in case `password_file` is not provided and `suppress_terminal` is set to true)
  -s, --salt <SALT>                    Specify the salt (in case `password_file` is not provided and `suppress_terminal` is set to true)
  -o, --operation <OPERATION>          Specify the Operation you want to perform on the Source file [possible values: encrypt, decrypt]
  -m, --mode <MODE>                    Provide the mode of Encryption here [default: gcm] [possible values: ecb, gcm]
  -d, --delete-src                     Pass this option to delete the source file
  -x, --hash-with <HASH_WITH>          Generate the secure key with the specified hashing function algorithm [default: argon2] [possible values: argon2, pbkdf2]
  -i, --iterations <ITERATIONS>        Iterations for the choosen hashing function [default: 10]
  -z, --suppress-terminal              Suppress all CLI output
  -v, --verbose                        Print verbose output
  -r, --dry-run                        Skip all file creation and deletion
  -a, --anon                           Anonymize source file name
  -h, --help                           Print help

How to Encrypt (Directory level)

To illustrate how to use this, say you want to encrypt all the files in the directory ./source-dir using a password and salt. An example password would be like Thisi/MyKeyT0Encryp and salt SOmthing#$2 in the second line, which is maintained in a password file. Now you want all the files in this "./source-dir" encrypted and have them placed in a target directory say ./target-dir by retaining the complete file names and sub-directory structure of the source inside. Then you can run the command like this

cargo run -- dir ../source-dir ../target-dir --password-file=../passwordfile --operation=encrypt --mode=ecb

or

rufendec dir ./source-dir ./target-dir --password-file=./passwordfile --operation=encrypt --mode=ecb

Here are some variations in the command

rufendec dir ./source-dir ./target-dir --password-file ./passwordfile --operation encrypt --mode ecb

OR

rufendec dir ./source-dir ./target-dir -f ./passwordfile -o encrypt -m gcm -t 12 -i 100000 -m pbkdf2

OR

rufendec dir ./source-dir ./target-dir -o encrypt

OR

rufendec dir ./source-dir -o encrypt

The mode, threads and iterations have default values, so you do not need to pass them.

Also, if you maintain the password file (with ".omk" extension) in /etc, /home, /root, ".", "..", "../../",