pit

Owner: IIIlllIIIllI URL: git@github.com:nyangkosense/pit.git


# pit - create and manage encrypted containers

Need a simple way to keep your data private? `pit` is a minimalist encrypted container manager written in C.
Create encrypted containers, toss your files in, and lock them up. It's like `tomb` but way more minimal - about 1000 lines of C code.

## Why would you want this?

Ever needed to:

- Store your private keys and passwords securely?
- Have a secure place for your none-of-your-business stuff?
- Just want a simple, trustworthy way to encrypt files?

`pit` gives you encrypted containers without the complexity. No fancy features, no bloat, no Qt and the like - just secure storage that you can actually understand and audit. If you're the kind of person who appreciates simple, well-written tools and cares about security without going full paranoid, this might be for you.

Think of it as a minimal, no-nonsense approach to file encryption. It won't protect you from three-letter agencies, as that might require hardware-locked keys and the like, but it'll keep your sensitive files secure from most threats while being simple enough that you can read and understand the entire code.

## Overview

- Written in C (~1000 LOC)
- Simple, auditable codebase
- Inspired by tomb, but a more minimal approach
- No shell scripts
- An attempt was made to not suck

## Features

- Single file containers with LUKS encryption
- Password protected key files using libsodium
- Protected memory handling
- Random data container creation
- Emergency panic close feature
- Root escalation handling (sudo/doas)

## Security

### What pit is:
- A simple and auditable encrypted container manager
- Secure storage for sensitive files
- Based on proven cryptographic standards (LUKS, AES-XTS, libsodium)
- Protected against memory attacks

### What pit is not:
- Military grade encryption solution
- Plausible deniability storage
- Multi-user security system
- Steganography tool

### Security Features
- LUKS containers with AES-XTS-PLAIN64 cipher
- Password-based key derivation using Argon2 (via libsodium)
- Secure memory handling (locked pages, memory wiping)
- Hidden password input
- Random data container creation
- Emergency container closing with `pit panic` (panic mode)

### Security Limitations
- No swap space verification
- No hardware security module support
- No key backup mechanism
- No filesystem integrity verification

## Usage

```bash
# Create a new 100MB container and key
pit dig container.pit 100
pit key container.key

# Open container with key (requires root)
pit open container.pit container.key

# Close container
pit close container.pit

# Emergency close all containers
pit panic
```

## Requirements
- libsodium
- libcryptsetup
- sudo or doas

#### Debian/Ubuntu
```bash
sudo apt update && sudo apt install libsodium-dev libcryptsetup-dev
```

#### Red Hat/CentOS/Fedora
```bash
sudo dnf install libsodium-devel cryptsetup-devel
```

#### Arch Linux
```bash
sudo pacman -S libsodium cryptsetup
```

#### Gentoo
```bash
sudo emerge libsodium cryptsetup
```

#### Alpine Linux
```bash
sudo apk add libsodium-dev cryptsetup-dev
```

## Security Considerations

1. Your system should have:
   - Encrypted swap or no swap
   - Full disk encryption
   - Protected boot process

2. pit doesn't protect against:
   - Physical memory attacks
   - Evil maid attacks
   - Hardware keyloggers

3. Key files are protected but:
   - Eventually need secure storage
   - No backup mechanism
   - No recovery option if lost
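
The "Encrypted swap or no swap" requirement above, and the missing swap space verification listed under Security Limitations, can be checked by hand before opening a container. The following is an added example, not part of pit's code: it parses `/proc/swaps` and accepts only swap areas whose device-mapper UUID starts with `CRYPT-`, the prefix cryptsetup gives its mappings. The function names, the sample text and the sample lookup are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lookup of a device-mapper UUID by kernel name ("dm-1"); returns 0 on success.
 * The real one reads /sys/block/<name>/dm/uuid; dm-crypt UUIDs start "CRYPT-". */
typedef int (*dm_uuid_fn)(const char *name, char *out, size_t len);
int sysfs_dm_uuid(const char *name, char *out, size_t len) {
    char path[300];
    snprintf(path, sizeof path, "/sys/block/%s/dm/uuid", name);
    FILE *f = fopen(path, "r");
    int ok = f && fgets(out, (int)len, f);
    if (f) fclose(f);
    return ok ? 0 : -1;
}

/* Constructed sample: /proc/swaps text plus a lookup where only dm-1 is dm-crypt. */
const char SAMPLE_SWAPS[] =
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/dm-1                               partition\t2097148\t\t0\t\t-2\n"
    "/dev/dm-0                               partition\t1048572\t\t0\t\t-3\n"
    "/dev/sda3                               partition\t4194300\t\t0\t\t-4\n";
int sample_dm_uuid(const char *name, char *out, size_t len) {
    snprintf(out, len, "%s", strcmp(name, "dm-1") ? "LVM-sample" : "CRYPT-PLAIN-swap");
    return 0;
}

/* Counts active swap areas not directly backed by dm-crypt. Conservative:
 * swap files, zram and LVM stacked on LUKS are counted as unverified too. */
int count_unencrypted_swap(const char *swaps, dm_uuid_fn lookup) {
    int bad = 0;
    const char *line = strchr(swaps, '\n');          /* skip the header row */
    while (line && *++line) {
        char dev[256], uuid[128] = "";
        if (*line != '\n' && sscanf(line, "%255s", dev) == 1) {
            const char *base = strrchr(dev, '/') ? strrchr(dev, '/') + 1 : dev;
            if (strncmp(base, "dm-", 3) || lookup(base, uuid, sizeof uuid) ||
                strncmp(uuid, "CRYPT-", 6)) bad++;
        }
        line = strchr(line, '\n');
    }
    return bad;
}

int main(void) {                 /* exit status 1 if any swap is unverified */
    char buf[4096] = "";         /* zero-filled, so the text stays terminated */
    FILE *f = fopen("/proc/swaps", "r");
    if (!f || !fread(buf, 1, sizeof buf - 1, f)) return 2;   /* cannot verify */
    fclose(f);
    return count_unencrypted_swap(buf, sysfs_dm_uuid) > 0;
}
```

A non-zero exit status means at least one swap area could not be confirmed as dm-crypt, so key material paged out there may reach disk in plaintext.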

## Comparison to other tools
- Pure C implementation vs shell scripts
- More minimal (~1000 LOC vs ~4000 or more, no GUI dependencies)
- Fewer features but more auditable
- No steganography or advanced features
- Focus on core container operations

## Installation
```bash
make
sudo make install
```

## To do
- Make pit for the truly paranoid 
- Add swap space verification
- Perhaps add backing up keys
- Filesystem integrity checks

## License
MIT