lock

.Dd 2024-01-01
.Dt LOCK 1
.Os
.Sh NAME
.Nm lock
.Nd encrypt and decrypt files using libsodium
.Sh SYNOPSIS
.Nm
.Ar encrypt
.Ar file
.Nm
.Ar decrypt
.Ar file.locked
.Sh DESCRIPTION
.Nm
encrypts and decrypts files using XChaCha20-Poly1305 AEAD with Argon2id key derivation.
.Pp
All secret data (passphrases, derived keys) is stored in locked memory using
.Xr sodium_mlock 3
and zeroed before deallocation.
.Pp
The encrypted file format is:
.Bl -tag -width Ds
.It Sy version
1 byte (currently 0x01)
.It Sy salt
16 bytes (used for key derivation)
.It Sy nonce
24 bytes (used for XChaCha20)
.It Sy ciphertext
encrypted data with the 16-byte Poly1305 tag appended; the tag authenticates the ciphertext, so a wrong passphrase or a modified file is rejected on decrypt
.El
.Pp
The whole blob (header and ciphertext) is base64-encoded and written to the input file name with a
.Pa .locked
extension appended.
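.Pp
The following parser, added here as an illustration and not part of
.Nm
itself, reads and writes the container above using only the Python standard library. Field widths come from the libsodium constants named in the comments. Three points are assumptions not stated by this page: surrounding whitespace in the base64 text is tolerated, the sketch in
.Fn decrypt_locked
uses the PyNaCl bindings, and no additional authenticated data is bound to the ciphertext.

```python
"""Parse and build the .locked container (added example, not lock's own code)."""
import base64
import binascii
from dataclasses import dataclass

VERSION = 0x01      # only version the page documents
SALT_LEN = 16       # crypto_pwhash_SALTBYTES
NONCE_LEN = 24      # crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
TAG_LEN = 16        # crypto_aead_xchacha20poly1305_ietf_ABYTES
KEY_LEN = 32        # crypto_aead_xchacha20poly1305_ietf_KEYBYTES
HEADER_LEN = 1 + SALT_LEN + NONCE_LEN
OPSLIMIT_MODERATE = 3              # libsodium's crypto_pwhash_OPSLIMIT_MODERATE
MEMLIMIT_64MIB = 64 * 1024 * 1024  # memlimit given in SECURITY NOTES


@dataclass(frozen=True)
class LockedFile:
    version: int
    salt: bytes
    nonce: bytes
    ciphertext: bytes  # ciphertext || 16-byte Poly1305 tag, as libsodium emits it

    @property
    def plaintext_len(self) -> int:
        return len(self.ciphertext) - TAG_LEN


def pack_locked(salt: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Serialise version || salt || nonce || ciphertext and base64-encode it."""
    if len(salt) != SALT_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("salt must be 16 bytes and nonce 24 bytes")
    if len(ciphertext) < TAG_LEN:
        raise ValueError("ciphertext shorter than the Poly1305 tag")
    return base64.b64encode(bytes([VERSION]) + salt + nonce + ciphertext)


def parse_locked(data: bytes) -> LockedFile:
    """Decode and validate a .locked blob, rejecting malformed input up front.

    Whitespace (trailing newline, line wrapping) is stripped first; that the
    tool's output may contain it is an assumption, not something the page says.
    """
    try:
        raw = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64") from exc
    # A well-formed file is at least header + tag: a shorter one cannot have
    # come out of the AEAD, so fail before touching any key material.
    if len(raw) < HEADER_LEN + TAG_LEN:
        raise ValueError(
            f"truncated: need >= {HEADER_LEN + TAG_LEN} bytes, got {len(raw)}")
    version = raw[0]
    if version != VERSION:
        raise ValueError(f"unsupported format version 0x{version:02x}")
    return LockedFile(
        version=version,
        salt=raw[1:1 + SALT_LEN],
        nonce=raw[1 + SALT_LEN:HEADER_LEN],
        ciphertext=raw[HEADER_LEN:],
    )


def output_name(locked_name: str) -> str:
    """Mirror lock's naming rule: strip .locked, refuse names that lack it."""
    if not locked_name.endswith(".locked") or locked_name == ".locked":
        raise ValueError("input file name must end in .locked")
    return locked_name[:-len(".locked")]


def decrypt_locked(lf: LockedFile, passphrase: bytes) -> bytes:
    """Key derivation and AEAD open as the DESCRIPTION specifies.

    Assumed, not confirmed by the page: PyNaCl's raw bindings are used and no
    additional authenticated data is bound. Not exercised by the tests.
    """
    from nacl import bindings  # imported lazily; the parser does not need it

    key = bindings.crypto_pwhash_alg(
        KEY_LEN, passphrase, lf.salt,
        OPSLIMIT_MODERATE, MEMLIMIT_64MIB,
        bindings.crypto_pwhash_ALG_ARGON2ID13,
    )
    # Raises nacl.exceptions.CryptoError when the tag does not verify,
    # i.e. wrong passphrase or tampered ciphertext. Python cannot mlock or
    # reliably zero `key`, which is exactly why lock is native code.
    return bindings.crypto_aead_xchacha20poly1305_ietf_decrypt(
        lf.ciphertext, None, lf.nonce, key)


# Constructed sample, not real lock output: five filler bytes plus a 16-byte
# placeholder tag, enough to exercise the framing but not decryptable.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_NONCE = bytes(range(NONCE_LEN))
SAMPLE_CT = b"\xaa" * 5 + b"\xbb" * TAG_LEN
SAMPLE_LOCKED = pack_locked(SAMPLE_SALT, SAMPLE_NONCE, SAMPLE_CT)
```

Validating the framing before key derivation matters in practice: Argon2id with a 64 MiB memlimit is deliberately slow, so a truncated or wrong-version file should be rejected before that cost is paid and before any passphrase is requested.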
.Sh REQUIREMENTS
.Nm
requires libsodium-dev (or equivalent) to be installed.
.Pp
Example for Debian/Ubuntu:
.Pp
.Dl apt-get install libsodium-dev
.Sh EXAMPLES
Encrypt a file:
.Pp
.Dl $ lock encrypt secret.txt
.Pp
This creates
.Pa secret.txt.locked .
.Pp
Decrypt a file:
.Pp
.Dl $ lock decrypt secret.txt.locked
.Pp
This recreates
.Pa secret.txt .
.Pp
On decryption, the
.Pa .locked
suffix is stripped from the output filename.
.Sh SECURITY NOTES
.Bl -bullet
.It
Passphrases are read directly from
.Pa /dev/tty ,
not from standard input, so they cannot be supplied through a pipe or a shell redirection.
.It
Passphrases are read with terminal echo disabled; on encrypt the passphrase is confirmed by a second entry that must match the first.
.It
All secret data is held in memory locked with
.Xr sodium_mlock 3
and zeroed before it is released.
.It
Key derivation uses Argon2id with opslimit set to the libsodium moderate preset and memlimit set to 64 MiB.
.It
On any error, the program terminates immediately without attempting recovery.
.El
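.Pp
The passphrase handling described above, written out as an added illustration rather than the code of
.Nm :
the prompt goes to
.Pa /dev/tty
regardless of where standard input points, echo is switched off with termios while the line is read, the confirmation entry is compared in constant time, and both buffers are overwritten afterwards. The helper names and the
.Fa fin / fout
parameters (which let the logic run against in-memory streams) are my own; the page only states the behaviour.

```python
"""Prompt for a passphrase on /dev/tty with echo off (added example, not lock's code)."""
import hmac
import os
import termios
from contextlib import contextmanager


@contextmanager
def echo_off(fd: int):
    """Disable terminal echo for the block's duration and restore it afterwards,
    even if reading fails."""
    old = termios.tcgetattr(fd)
    new = list(old)
    new[3] = new[3] & ~termios.ECHO  # local flags (c_lflag) live at index 3
    termios.tcsetattr(fd, termios.TCSAFLUSH, new)
    try:
        yield
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, old)


def read_line_secret(fin, fout, prompt: str) -> bytearray:
    """Read one line from fin into a mutable buffer.

    Echo is disabled only when fin is a real terminal, so the same code path is
    testable against an in-memory stream that has no file descriptor.
    """
    fout.write(prompt.encode())
    fout.flush()
    try:
        fd = fin.fileno()
        is_tty = os.isatty(fd)
    except (AttributeError, OSError):
        is_tty = False
    if is_tty:
        with echo_off(fd):
            line = fin.readline()
        fout.write(b"\n")  # the user's Enter was swallowed with the echo
    else:
        line = fin.readline()
    return bytearray(line.rstrip(b"\r\n"))


def wipe(buf: bytearray) -> None:
    """Overwrite a bytearray in place. This is best effort, not sodium_memzero:
    CPython cannot mlock the buffer and may have copied the bytes while reading
    the line, which is why lock itself keeps this in native, locked memory."""
    for i in range(len(buf)):
        buf[i] = 0


def prompt_passphrase(confirm: bool, fin=None, fout=None) -> bytearray:
    """Prompt on /dev/tty (ignoring stdin redirection). With confirm=True,
    as on encrypt, ask twice and require a constant-time match.

    fin/fout default to /dev/tty; they exist so tests can supply streams.
    """
    tty = None
    if fin is None:
        tty = open("/dev/tty", "r+b", buffering=0)
        fin = fout = tty
    try:
        first = read_line_secret(fin, fout, "Passphrase: ")
        if not first:
            wipe(first)
            raise ValueError("empty passphrase")
        if confirm:
            second = read_line_secret(fin, fout, "Confirm passphrase: ")
            match = hmac.compare_digest(first, second)
            wipe(second)
            if not match:
                wipe(first)
                raise ValueError("passphrases do not match")
        return first
    finally:
        if tty is not None:
            tty.close()
```

The caller owns the returned bytearray and must call wipe() on it once the key has been derived. Opening /dev/tty directly rather than reading stdin is what makes `echo secret | lock encrypt f` fail as the SECURITY NOTES intend: the pipe is never consulted.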
.Sh EXIT STATUS
.Ex -std
.Sh SEE ALSO
.Xr libsodium 3 ,
.Xr sodium_mlock 3 ,
.Xr sodium_memzero 3 ,
.Xr crypto_pwhash 3 ,
.Xr crypto_aead_xchacha20poly1305_ietf 3
.Sh AUTHORS
Sebastian Michalk