Local MVP for secure encryption with XOR shares. All shares are required to reconstruct the master key.
- XChaCha20‑Poly1305 (AEAD)
- HKDF‑SHA256 for key derivation
- XOR split for shares (no threshold)
- Chunked streaming for large files
- Server simulation for share storage
- CLI: encrypt / decrypt / rotate
Requirements: Rust + Cargo (https://www.rust-lang.org/tools/install)
Writes the encrypted file and generates shares in a folder.
cargo run -- encrypt --input .\plain.txt --output .\sealed.bin --shares-dir .\shares --shares 15
With custom chunk size (bytes):
cargo run -- encrypt --input .\plain.txt --output .\sealed.bin --shares-dir .\shares --shares 15 --chunk-size 1048576
Reconstructs the master key from all shares and decrypts the file.
cargo run -- decrypt --input .\sealed.bin --output .\plain.out.txt --shares-dir .\shares
Re-encrypts the data with a new master key and writes new shares.
cargo run -- rotate --input .\sealed.bin --output .\sealed.new.bin --old-shares-dir .\shares --new-shares-dir .\shares_new --shares 15
Instead of a single shares directory, you can distribute shares across multiple local “server” folders under a root path.
cargo run -- encrypt --input .\plain.txt --output .\sealed.bin --servers-root .\servers --servers 5 --shares 15
This creates folders like servers\server_00, servers\server_01, etc.
cargo run -- decrypt --input .\sealed.bin --output .\plain.out.txt --servers-root .\servers
cargo run -- rotate --input .\sealed.bin --output .\sealed.new.bin --old-servers-root .\servers --new-servers-root .\servers_new --servers 5 --shares 15
cargo test
- Without all shares, decryption is impossible.
- Shares are sensitive; store them securely. :P
- This repo is an MVP for file/blob encryption.
- The MVP uses chunked streaming to avoid loading full files into memory.
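The all-or-nothing XOR split listed above, as an added example (not this repository's code): n-1 shares are random pads and the last share is the master key XORed with all of them, so dropping any one share yields a wrong key. The names `split`, `combine` and `demo_pads` are hypothetical, and the demo pads are constructed deterministic bytes; real pads must come from a CSPRNG.

```rust
// Added illustration of an n-of-n XOR split; not the repository's own code.
const KEY_LEN: usize = 32;
type Block = [u8; KEY_LEN];

/// XOR `src` into `dst` byte by byte.
fn xor_into(dst: &mut Block, src: &Block) {
    dst.iter_mut().zip(src).for_each(|(d, s)| *d ^= *s);
}

/// Split `master` into `pads.len() + 1` shares.
/// Assumption: `pads` are independent, uniformly random blocks from a CSPRNG.
fn split(master: &Block, pads: &[Block]) -> Vec<Block> {
    let mut last = *master;
    for p in pads {
        xor_into(&mut last, p);
    }
    let mut shares = pads.to_vec();
    shares.push(last); // last share = master XOR pad_0 XOR ... XOR pad_{n-2}
    shares
}

/// XOR all supplied shares together; yields the master key only if none is missing.
fn combine(shares: &[Block]) -> Block {
    let mut acc = [0u8; KEY_LEN];
    for s in shares {
        xor_into(&mut acc, s);
    }
    acc
}

/// Constructed sample pads for the demo only (deterministic, NOT random).
fn demo_pads(n: usize) -> Vec<Block> {
    (0..n).map(|i| {
        let mut b = [0u8; KEY_LEN];
        for (j, x) in b.iter_mut().enumerate() {
            *x = (i as u8).wrapping_mul(31).wrapping_add(j as u8).wrapping_mul(17) ^ 0xA5;
        }
        b
    }).collect()
}

fn main() {
    let master: Block = [0x42; KEY_LEN]; // constructed sample key
    let shares = split(&master, &demo_pads(14)); // 15 shares, as in the commands above
    assert_eq!(combine(&shares), master); // all shares present: key recovered
    assert_ne!(combine(&shares[..14]), master); // one share missing: wrong key
    println!("15/15 shares recover the key; 14/15 do not");
}
```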