PentHertz/LUKSbox

Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello), TPM 2.0, and hybrid post-quantum (ML-KEM-768 / 1024) keyslots. Mounts as a real drive on Linux, macOS, and Windows.

From the README

LUKSbox

Encrypted vaults that survive the next decade. Open-source, FIDO2 + TPM 2.0 native, post-quantum-ready. Store sensitive files in the cloud or on shared media without trusting the host.

Website · Docs · Security · Fuzzing · Compare

What it solves

You probably already store sensitive files where you don't fully control the storage: cloud sync (iCloud, Drive, Dropbox, OneDrive, S3, Backblaze), NAS units, USB sticks that travel, backup tapes that end up at a recycler. The provider promises encryption-at-rest "with their keys." LUKSbox encrypts the file before it ever leaves your machine, under your keys, in a single container that is opaque to the provider and tamper-evident on the way back.

A LUKSbox vault is one file (.lbx), optionally with a separate header (.hdr) and post-quantum sidecar (.kyber) that you keep on different storage. Drop it on any cloud or shared medium. The provider sees one indistinguishable-from-random blob and cannot decrypt it even under legal compulsion. Mount it locally as a real drive when you need to use it.

| Concern | Plain cloud upload | Cloud + provider encryption | LUKSbox vault on cloud |
|---|---|---|---|
| Provider can read your files | Yes | Yes (they hold the key) | No |
| Government request to provider exposes data | Yes | Yes | No |
| Silent file tamper detected | No | Sometimes (TLS in transit only) | Yes (per-chunk AEAD) |
| Whole-vault rollback detected | No | No | Yes (anchor sidecar) |
| "Harvest now, decrypt later" (post-quantum) | Vulnerable | Vulnerable | ML-KEM-768/1024 hybrid slot |
| Hardware-key requirement to open | N/A | Provider-specific | FIDO2 / TPM / Windows Hello |
| Vault file looks like random data | No | No | Yes (with detached header) |
| Source you can audit | No | No | Yes (Apache-2.0) |
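The two detection rows in the table (per-chunk AEAD for silent tamper, a separately stored anchor sidecar for whole-vault rollback) rest on a simple idea: every chunk's authentication tag is bound to the chunk index and to the vault header, and a small record kept on storage the host does not control pins the newest header so an older but otherwise valid copy is rejected. The following Python model is an added illustration, not LUKSbox's code or on-disk format: the container layout, the `TOYVAULT` magic, the chunk and tag sizes, and the anchor layout are all invented for the demo, and HMAC-SHA256 stands in for a real AEAD (both as keystream generator and as tag) so the script runs on the standard library alone.

```python
"""Toy model of per-chunk authentication and anchor-based rollback detection.

Constructed example, NOT LUKSbox code. A real container uses a proper AEAD
(AES-GCM, XChaCha20-Poly1305, ...); here HMAC-SHA256 stands in for both the
keystream and the per-chunk tag so the script needs only the stdlib.
"""
import hashlib
import hmac
import struct

MAGIC = b"TOYVAULT"                          # invented magic for the demo format
CHUNK_SIZE = 32                              # toy chunk size; real formats use KiB-scale chunks
TAG_SIZE = 32                                # HMAC-SHA256 tag stored after every chunk
NONCE_SIZE = 16
HEADER_SIZE = len(MAGIC) + 8 + NONCE_SIZE    # magic | generation counter | nonce


class VaultError(Exception):
    pass


def derive_keys(master: bytes) -> tuple:
    """Split one master key into independent encryption and MAC keys."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, idx: int, length: int) -> bytes:
    """Counter-mode keystream, unique per (nonce, chunk index)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">QQ", idx, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(mac_key: bytes, header: bytes, idx: int, ct: bytes) -> bytes:
    """Tag binds the ciphertext to the header (generation, nonce) and to its chunk index."""
    return hmac.new(mac_key, header + struct.pack(">Q", idx) + ct, hashlib.sha256).digest()


def seal(master: bytes, plaintext: bytes, generation: int, nonce: bytes) -> bytes:
    """Encrypt plaintext into a vault blob; each write bumps generation and uses a fresh nonce."""
    assert len(nonce) == NONCE_SIZE
    enc_key, mac_key = derive_keys(master)
    header = MAGIC + struct.pack(">Q", generation) + nonce
    body = []
    for idx, start in enumerate(range(0, len(plaintext), CHUNK_SIZE)):
        pt = plaintext[start:start + CHUNK_SIZE]
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, idx, len(pt))))
        body.append(struct.pack(">H", len(ct)) + ct + _tag(mac_key, header, idx, ct))
    return header + b"".join(body)


def make_anchor(master: bytes, vault: bytes) -> bytes:
    """Sidecar for separate storage: the newest header plus a MAC over it."""
    _, mac_key = derive_keys(master)
    header = vault[:HEADER_SIZE]
    return header + hmac.new(mac_key, b"anchor" + header, hashlib.sha256).digest()


def open_vault(master: bytes, vault: bytes, anchor: bytes) -> bytes:
    """Check anchor, header and every chunk tag before releasing any plaintext."""
    enc_key, mac_key = derive_keys(master)
    if len(vault) < HEADER_SIZE or vault[:len(MAGIC)] != MAGIC:
        raise VaultError("not a vault")
    header = vault[:HEADER_SIZE]
    anchor_header, anchor_tag = anchor[:HEADER_SIZE], anchor[HEADER_SIZE:]
    if not hmac.compare_digest(anchor_tag, hmac.new(mac_key, b"anchor" + anchor_header, hashlib.sha256).digest()):
        raise VaultError("anchor sidecar corrupt")
    if header != anchor_header:
        vault_gen = struct.unpack(">Q", header[8:16])[0]
        anchor_gen = struct.unpack(">Q", anchor_header[8:16])[0]
        if vault_gen < anchor_gen:
            raise VaultError(f"rollback: vault is generation {vault_gen}, anchor expects {anchor_gen}")
        raise VaultError("header does not match anchor")
    nonce = header[16:HEADER_SIZE]
    pos, idx, out = HEADER_SIZE, 0, []
    while pos < len(vault):
        if pos + 2 > len(vault):
            raise VaultError(f"chunk {idx} truncated")
        n = struct.unpack(">H", vault[pos:pos + 2])[0]
        ct = vault[pos + 2:pos + 2 + n]
        tag = vault[pos + 2 + n:pos + 2 + n + TAG_SIZE]
        if len(ct) != n or len(tag) != TAG_SIZE:
            raise VaultError(f"chunk {idx} truncated")
        if not hmac.compare_digest(tag, _tag(mac_key, header, idx, ct)):
            raise VaultError(f"chunk {idx} failed authentication")
        out.append(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, idx, n))))
        pos += 2 + n + TAG_SIZE
        idx += 1
    return b"".join(out)


def demo() -> dict:
    """Constructed scenario: the current vault, a tampered copy, and a stale copy."""
    master = hashlib.sha256(b"constructed demo master key").digest()
    old = seal(master, b"generation one " * 5, 1, bytes(NONCE_SIZE))          # constructed nonces
    cur = seal(master, b"generation two " * 5, 2, bytes(range(NONCE_SIZE)))
    anchor = make_anchor(master, cur)                 # rewritten on every successful write
    results = {"clean": open_vault(master, cur, anchor)}
    # Flip one byte inside chunk 1's ciphertext: only that chunk's tag stops verifying.
    tampered = bytearray(cur)
    tampered[HEADER_SIZE + (2 + CHUNK_SIZE + TAG_SIZE) + 2 + 3] ^= 0x01
    for name, blob in (("tamper", bytes(tampered)), ("rollback", old)):
        try:
            open_vault(master, blob, anchor)
            results[name] = "accepted"
        except VaultError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points carry over to real containers: the tag covers the header and chunk index, so a chunk cannot be moved, duplicated or copied in from another generation without failing authentication, and the anchor is only useful if it lives somewhere the storage provider cannot rewrite in step with the vault, which is why the sidecar belongs on different media from the `.lbx` file.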

The full per-tool comparison (vs LUKS2 / VeraCrypt / age / gocryptfs / Cryptomator / BitLocker / FileVault) lives at .

A LUKSbox vault is a travelling copy, not a master copy. Use it for the cloud, a USB stick, a vault you share with a colleague or client, anywhere you would not put plaintext. Like every encrypted container it is a single point of failure: if the .lbx file is corrupted or every keyslot becomes inaccessible, the data is gone. The forensic toolkit (header-backup, check, extract --tolerate-errors) helps in many damage scenarios but cannot recover bytes that are no longer on disk or no longer AEAD-tagged. Always keep an unencrypted copy somewhere you trust for any file you cannot afford to lose.

Status

This is a pre-1.0 release. The on-disk format is locked, the cryptographic primitives are NIST/RFC standards bui