ZeroVault is a lightweight cryptographic vault designed for encrypting and verifying sensitive documents using modern, secure encryption primitives. Using three-layer encryption with signatures, memory protection and serialization, your data stays surrounded by a defence-in-depth security architecture.
With a simple command like `zerovault encrypt`, your data is protected by multiple layers of strong encryption.
For detailed installation instructions, see INSTALL.md.
Digital file protection requires a blend of confidentiality, integrity, and ease of use. ZeroVault aims to:
- Provide strong encryption using modern ciphers and key derivation
- Offer digital signature verification to detect tampering
- Simplify encryption/decryption processes via a CLI-based toolchain
- Be usable for SPII and document workflows
ZeroVault is particularly useful for developers and professionals seeking a verifiable and deterministic mechanism for protecting sensitive files during transmission or at rest.
ZeroVault features automatic self-installation:

```bash
# Windows
curl.exe -L -o zerovault.exe https://github.com/ParleSec/zerovault/releases/latest/download/zerovault-windows-amd64.exe
.\zerovault.exe --version
# Linux
curl -L -o zerovault https://github.com/ParleSec/zerovault/releases/latest/download/zerovault-linux-amd64
chmod +x zerovault
./zerovault --version
```

- Triple-layer protection: Uses AES-256-GCM, ChaCha20-Poly1305, and AES-256-CBC
- Random nonces and salts per encryption
- Key derived from password using Argon2id with aggressive memory cost (1GB)
- High base security level for maximum security
- Signing of ciphertext with Ed25519 private key
- Signature verification using embedded public key
- Cryptographic proof of file integrity
- Memory locking to prevent sensitive data from being swapped to disk
- Guard pages for buffer overflow detection
- Canary values for memory tampering detection
- Multi-pass secure memory zeroization
- File comments for describing encrypted content
- Creation and modification timestamps
- Version tracking for backward compatibility
- Full JSON serialization of all metadata
- All binary data (nonce, salt, signature, pubkey, ciphertext) encoded to Base64
- Structured vault format with separate data and metadata sections
- Backward compatibility with legacy vault formats
- User-friendly interface with interactive prompts
- Smart defaults for file paths and options
- Secure password entry with confirmation
- Optional comments for encrypted files
ZeroVault employs three independent encryption layers:
- AES-256-GCM: Authenticated encryption providing confidentiality and integrity
- ChaCha20-Poly1305: Stream cipher with integrated authentication
- AES-256-CBC with HMAC-SHA512: Block cipher with separate message authentication
Each layer uses independent keys, nonces, and authentication mechanisms to ensure that a vulnerability in one algorithm doesn't compromise your data.
- Argon2id: Memory-hard algorithm resistant to specialized hardware attacks
- Tunable Parameters:
  - Memory usage: 1GB
  - Iteration count: 12 passes for maximum security level
  - Parallelism: Automatically utilizes available CPU cores
- Memory Safety: Built in Rust to eliminate common vulnerability classes
- Modular Design: Core cryptography isolated from interface code
- Comprehensive Testing: Unit tests, integration tests, property-based testing
- Self-Installing: Automatically configures itself on first run
| Command | Description | Example |
|---|---|---|
| `encrypt` | Encrypt a file | `zerovault encrypt --input file.pdf` |
| `decrypt` | Decrypt a vault file | `zerovault decrypt --input file.vault` |
| `info` | Display vault metadata | `zerovault info --input file.vault` |
| `validate` | Verify vault integrity | `zerovault validate --input file.vault` |
| `encrypt-stream` | Encrypt from stdin to stdout | `cat file.txt \| zerovault encrypt-stream` |
| `decrypt-stream` | Decrypt from stdin to stdout | `cat file.vault \| zerovault decrypt-stream` |
| `test` | Run self-tests | `zerovault test` |

For complete options, run `zerovault --help` or `zerovault <command> --help`.
- Multiple independent encryption layers
- Memory-hard key derivation resistant to brute-force attacks
- Written in Rust for memory safety
- Constant-time operations for cryptographic functions
- Unique cryptographic material for each file
- Security depends significantly on password strength
- Higher security levels require substantial RAM (up to 1GB)
- Stronger security comes with performance trade-offs
- No current support for public key encryption
- Side-channel protection depends on hardware/OS capabilities
- Use strong, unique passwords
- Select appropriate security level for your needs
- Verify metadata before decryption
- Keep secure backups of encrypted files
- Consider offline storage for the most sensitive vault files
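
The recommendation above to verify metadata before decryption, as an added example that is not part of the ZeroVault project: a POSIX shell wrapper that runs `zerovault info --json` (the output layout is shown further down in this README), checks the `success` flag, and compares the vault's embedded `public_key` and `comment` with values the sender passed along over a separate channel before it calls `zerovault decrypt`. Assumptions: the `zerovault` binary is on `PATH` (override with the `ZEROVAULT` variable), the sender obtained the expected values by running `zerovault info` on their own copy, and the password is read from `ZEROVAULT_PASSWORD`. The out-of-band comparison matters because `validate` checks the signature against the key embedded in the same file: a vault re-signed with a different key would still validate, while the sender's reported key would no longer match.

```shell
#!/bin/sh
# Added example, not part of the ZeroVault project: verify vault metadata
# reported by `zerovault info --json` against out-of-band values, then decrypt.
set -u

# Assumption: zerovault is on PATH; override for testing or custom locations.
ZEROVAULT="${ZEROVAULT:-zerovault}"

# json_string_field KEY   (JSON on stdin)
# Extracts the string value for KEY from the flat, one-field-per-line JSON that
# `zerovault info --json` prints; nested keys such as "comment" work the same way.
json_string_field() {
    sed -n 's/^[[:space:]]*"'"$1"'":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# verify_vault VAULT EXPECTED_PUBKEY EXPECTED_COMMENT
# Returns 0 only if info reports success and both values match exactly.
verify_vault() {
    vault="$1"; expected_key="$2"; expected_comment="$3"
    info=$("$ZEROVAULT" info --input "$vault" --json) || return 1
    printf '%s\n' "$info" | grep -q '"success":[[:space:]]*true' || {
        echo "error: info did not report success for $vault" >&2; return 1; }
    key=$(printf '%s\n' "$info" | json_string_field public_key)
    comment=$(printf '%s\n' "$info" | json_string_field comment)
    if [ "$key" != "$expected_key" ]; then
        echo "error: public key mismatch for $vault" >&2; return 1
    fi
    if [ "$comment" != "$expected_comment" ]; then
        echo "error: comment mismatch for $vault" >&2; return 1
    fi
    return 0
}

# verify_then_decrypt VAULT OUTPUT EXPECTED_PUBKEY EXPECTED_COMMENT
# Decrypts only after verify_vault passes. The password comes from the
# ZEROVAULT_PASSWORD environment variable so it does not land in shell history.
verify_then_decrypt() {
    : "${ZEROVAULT_PASSWORD:?set ZEROVAULT_PASSWORD before decrypting}"
    verify_vault "$1" "$3" "$4" || return 1
    "$ZEROVAULT" decrypt --input "$1" --output "$2" \
        --password "$ZEROVAULT_PASSWORD" --non-interactive
}

# Usage: ZEROVAULT_PASSWORD=... ./verify.sh file.vault file.pdf <pubkey> "<comment>"
if [ $# -eq 4 ]; then
    verify_then_decrypt "$1" "$2" "$3" "$4"
fi
```

The script refuses to decrypt on any mismatch, so a vault whose comment or signing key differs from what the sender announced is left untouched and the discrepancy is reported on stderr.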
| Feature | ZeroVault | GPG | VeraCrypt | Age |
|---|---|---|---|---|
| Multiple Encryption Layers | ✅ (3 layers) | ❌ | ✅ (2 layers) | ❌ |
| Memory-Hard KDF | ✅ (Argon2id) | ❌ | ✅ (PBKDF2) | ✅ (scrypt) |
| Digital Signatures | ✅ | ✅ | ❌ | ❌ |
| Memory Safety | ✅ (Rust) | ❌ (C) | ❌ (C/C++) | ✅ (Go) |
| Self-Installing | ✅ | ❌ | ❌ | ❌ |
| Stream Processing | ✅ | ✅ | ❌ | ✅ |
| File Comments | ✅ | ✅ | ❌ | ❌ |
| Volume Encryption | ❌ | ❌ | ✅ | ❌ |
```bash
# Encrypt a file (interactive mode)
zerovault encrypt
# Decrypt a file (interactive mode)
zerovault decrypt
# View information about an encrypted file
zerovault info --input document.txt.vault
```

Example interactive session:
```text
$ zerovault encrypt
Enter input file path: document.txt
Enter output file path [document.txt.vault]:
Enter encryption password: ********
Confirm password: ********
Enter comment (optional): My secure document
✓ File encrypted successfully
Input: document.txt
Output: document.txt.vault
Size: 1024 bytes
Comment: My secure document
```
For scripting or automation:

```bash
# Encrypt a file
zerovault encrypt --input file.pdf --output file.vault --password mypassword --non-interactive
# Decrypt a file
zerovault decrypt --input file.vault --output file.pdf --password mypassword --non-interactive
# Force overwrite existing files
zerovault encrypt --input file.pdf --output file.vault --force
```

Work with standard input/output:
```bash
# Encrypt from stdin to a file
cat document.txt | zerovault encrypt-stream --password "your-password" > document.vault
# Decrypt from a file to stdout
cat document.vault | zerovault decrypt-stream --password "your-password" > document.txt
```

Process multiple files:
```bash
# Batch encrypt all text files in a directory
for file in *.txt; do
    zerovault encrypt --input "$file" --password batch_password --non-interactive
done
# Batch validate all vault files
for vault in *.vault; do
    zerovault validate --input "$vault"
done
```
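
The batch loops above, as an added example that is not part of the ZeroVault project: a POSIX shell script that encrypts every `*.txt` file in a directory, skips files whose vault already exists (so re-running it is safe and never overwrites a vault), counts what it encrypted, then validates every vault and fails if any does not verify. Assumptions: `zerovault` is on `PATH` (override with the `ZEROVAULT` variable) and the password is read from `ZEROVAULT_PASSWORD` so it does not land in shell history; the documented `--password` option still places it in the process's argument list for the command's lifetime, so the interactive prompt remains the better choice wherever a script is not required.

```shell
#!/bin/sh
# Added example, not part of the ZeroVault project: idempotent batch
# encryption followed by validation, with failures aggregated into the exit status.
set -u

# Assumption: zerovault is on PATH; override for testing or custom locations.
ZEROVAULT="${ZEROVAULT:-zerovault}"

# batch_encrypt DIR
# Encrypts DIR/*.txt into DIR/<name>.txt.vault, skipping vaults that exist.
# Prints the number of files encrypted; returns 1 if any encryption failed.
batch_encrypt() {
    dir="$1"
    count=0
    status=0
    for file in "$dir"/*.txt; do
        [ -f "$file" ] || continue          # no matches: the glob stays literal
        vault="$file.vault"
        if [ -e "$vault" ]; then
            echo "skip: $vault already exists" >&2
            continue
        fi
        if "$ZEROVAULT" encrypt --input "$file" --output "$vault" \
               --password "$ZEROVAULT_PASSWORD" --non-interactive >/dev/null; then
            count=$((count + 1))
        else
            echo "error: failed to encrypt $file" >&2
            status=1
        fi
    done
    echo "$count"
    return "$status"
}

# batch_validate DIR
# Runs `zerovault validate` on every DIR/*.vault; returns 1 if any fails,
# but keeps going so every bad vault is reported, not just the first.
batch_validate() {
    dir="$1"
    status=0
    for vault in "$dir"/*.vault; do
        [ -f "$vault" ] || continue
        if ! "$ZEROVAULT" validate --input "$vault" >/dev/null; then
            echo "error: validation failed for $vault" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage when run as a script: ZEROVAULT_PASSWORD=... ./batch.sh /path/to/dir
if [ "${1:-}" ]; then
    : "${ZEROVAULT_PASSWORD:?set ZEROVAULT_PASSWORD}"
    batch_encrypt "$1" && batch_validate "$1"
fi
```

Because the encrypt loop prints a count and the validate loop returns a status, the script can be chained into a larger job that only proceeds when every vault in the directory verified.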
```bash
# Verbose output
zerovault encrypt --input file.pdf --verbose
# JSON output for programmatic usage
zerovault info --input file.vault --json
```

Example JSON output:
```json
{
  "encrypted_data_size": 423,
  "file_path": "file.vault",
  "file_size": 974,
  "metadata": {
    "comment": "Confidential document",
    "created_at": 1745333818,
    "version": "1.0.0"
  },
  "public_key": "YiN4WYqupD3vyefIFh0ESlRRRX2yvOMWGkXQZKW3HH0=",
  "success": true
}
```

You can encrypt already encrypted files for layered security:
```bash
# First layer of encryption
zerovault encrypt --input secret.txt --output layer1.vault --password inner_password
# Second layer of encryption
zerovault encrypt --input layer1.vault --output layer2.vault --password outer_password
```

For secure document sharing:
```bash
# 1. Sender encrypts file with comment
zerovault encrypt --input presentation.pptx --comment "For review - Confidential"
# 2. Share the vault file and password securely with recipient
# 3. Recipient verifies file metadata before decryption
zerovault info --input presentation.pptx.vault
# 4. Recipient decrypts file
zerovault decrypt --input presentation.pptx.vault
```

- `vault_core`: Core cryptographic logic
- `cli`: Command-line interface for using the vault
- `types.rs`: Custom serializable types including encryption metadata
- `utils.rs`: Utility functions for CLI operations
- `commands.rs`: Command implementations
- `main.rs`: Entrypoint for CLI application
- `self_install.rs`: Automatic installation logic
The modular design ensures separation of concerns, with the core cryptographic functionality isolated from the command-line interface. This makes the code more maintainable and allows for easy extension of features.
- `aes-gcm` - AES-256-GCM authenticated encryption
- `chacha20poly1305` - ChaCha20-Poly1305 authenticated encryption
- `aes`/`cbc` - AES-256-CBC block cipher
- `argon2` - Secure key derivation (Argon2id)
- `ed25519-dalek` - Key generation & signature scheme
- `rand`/`getrandom` - CSPRNG (OsRng)
- `blake3`/`sha2`/`sha3` - Cryptographic hash functions
- `hmac`/`hkdf` - HMAC and key derivation
- `zeroize`/`secrecy` - Secure memory handling
- `serde`/`serde_json`/`bincode` - Serialization
- `base64` - Encoding for serialized outputs
- `clap` - Command line argument parsing
- `rpassword` - Secure password input
- `chrono` - Date and time formatting
- 📜 Public key export/import support
- 🏷️ Tagging and categorization for vault files
- 🔍 Search functionality for vault metadata
- 📤 Secure upload & retrieval workflows (REST API)
- 🗄️ Multi-file archive support
- 💼 Integration into secure document management systems
This project is licensed under the MIT License. See LICENSE for more details.