Initial commit: rustcube multi-password encryption tool

Author: JoshuaWink

Cargo.lock

@@ -0,0 +1,19 @@
+[package]
+name = "rustcube"
+version = "0.1.1"
+edition = "2021"
+description = "Multi-password, order-dependent, streaming encryption/decryption tool with secure memory handling."
+authors = ["Joshua Wink <Joshua@orchestrate.solutions>"]
+license = "MIT"
+
+
+[dependencies]
+libaes = "0.7"
+pbkdf2 = "0.12"
+rand = "0.8"
+zeroize = "1.6"
+clap = { version = "4.5", features = ["derive"] }
+tar = "0.4"
+hex = "0.4"
+sha2 = "0.10"
+rpassword = "7.3"

Cargo.toml

@@ -0,0 +1,103 @@
+# rustcube
+
+Multi-password, order-dependent, streaming encryption/decryption tool with secure memory handling.
+
+## Features
+- **Multi-password, order-dependent**: Any number of passwords, order matters, case sensitive. Only the correct sequence unlocks the data everything else returns non-sensical output.
+- **Streaming encryption/decryption**: Handles large files/folders efficiently.
+- **Salted key derivation**: Each encryption is unique, even with the same passwords.
+- **No error on wrong password**: Decryption always produces output; wrong passwords yield unusable (garbled) data.
+- **Secure memory handling**: Uses the `zeroize` crate to clear sensitive data from memory.
+- **Tar-based archiving**: Folders are packed/unpacked using tar for cross-platform compatibility.
+- **CLI interface**: Easy to use, scriptable, and ready for automation.
+
+## Usage
+
+
+### Install from crates.io
+
+```
+cargo install rustcube
+```
+
+### Build from source
+
+```
+cargo build --release
+```
+
+### Encrypt a Folder
+
+```
+cargo run --release -- encrypt --folder <FOLDER_TO_ENCRYPT> --output <OUTPUT_FILE>
+```
+- You will be prompted for passwords (one per line, empty line to finish).
+- The output file will contain the salt, IV, and encrypted data.
+
+### Decrypt a File
+
+```
+cargo run --release -- decrypt --input <ENCRYPTED_FILE> --output <OUTPUT_FOLDER>
+```
+- You will be prompted for passwords (one per line, empty line to finish).
+- If the passwords and order are correct, the folder will be restored.
+- If not, the output will be garbled (no error is shown).
+
+## How It Works
+
+## Multi-Password Usability Advantage
+
+Instead of relying on a single massive password, rustcube lets you use several smaller, memorable passwords in a strict order. This makes it easier to remember and type, while still providing extremely strong security. The number of possible combinations grows rapidly with each additional password and the order in which they are entered, making brute-force attacks much harder.
+
+For example, 4 passwords of 6 characters each (with order sensitivity) can be as strong or stronger than a single 24-character password, depending on the entropy of each password and the total number of possible combinations.
+
+**Tip:** Use unique, non-trivial passwords and avoid common words or sequences for best results.
+
+## Planned Feature: Brute-Force Calculator
+
+In a future version, rustcube will include a brute-force calculator. When you set your passwords, it will estimate how long it would take to brute-force your chosen combination using:
+
+- A high-spec modern machine or cluster (e.g., billions of guesses per second)
+- A hypothetical quantum computer (using Grover's algorithm, which can halve the effective keyspace)
+
+This feedback will help you choose a password sequence that balances usability and security for your needs.
+
+- **Key Derivation**: Each password is used to mutate the key state (like turning a Rubik's cube). The final key is used for AES-256 encryption/decryption.
+- **Salt**: A random salt is generated for each encryption and stored with the ciphertext. This ensures uniqueness and prevents rainbow table attacks.
+- **IV**: A random IV is generated for each encryption and stored with the ciphertext.
+- **Memory Security**: All sensitive data (passwords, keys, intermediate states) are zeroed from memory after use.
+- **No Feedback on Failure**: Decryption always produces output. If the key is wrong, the output is just random data.
+
+## Security Notes
+- Passwords and their order are never stored.
+- The salt and IV are not secrets; they are stored with the encrypted file.
+- For maximum security, use strong, unique passwords and keep them safe.
+- The tool is designed for local, user-controlled encryption and decryption. You can use it in the cloud if you wish, but its primary intent is to let a user keep private, secured data alongside public data (such as in a repo), so you can pull your repo from anywhere and always access your own secure data—while keeping it inaccessible to others. You control if, when, and how you share your secrets. For cloud or multi-user scenarios, review your threat model and use at your own discretion.
+
+## Dependencies
+- [aes](https://crates.io/crates/aes)
+- [block-modes](https://crates.io/crates/block-modes)
+- [block-padding](https://crates.io/crates/block-padding)
+- [pbkdf2](https://crates.io/crates/pbkdf2)
+- [rand](https://crates.io/crates/rand)
+- [zeroize](https://crates.io/crates/zeroize)
+- [clap](https://crates.io/crates/clap)
+- [tar](https://crates.io/crates/tar)
+- [hex](https://crates.io/crates/hex)
+
+## Example
+
+```
+# Encrypt
+cargo run --release -- encrypt --folder secrets --output secrets.enc
+
+# Decrypt
+cargo run --release -- decrypt --input secrets.enc --output secrets_restored
+```
+
+## License
+MIT
+
+---
+
+God willing, this tool will help you keep your secrets safe and your workflow efficient.

README.md

@@ -0,0 +1,84 @@
+use std::io::{self, Write};
+
+fn get_charset_size(pw: &str) -> usize {
+    let mut has_lower = false;
+    let mut has_upper = false;
+    let mut has_digit = false;
+    let mut has_symbol = false;
+    for c in pw.chars() {
+        if c.is_ascii_lowercase() { has_lower = true; }
+        else if c.is_ascii_uppercase() { has_upper = true; }
+        else if c.is_ascii_digit() { has_digit = true; }
+        else { has_symbol = true; }
+    }
+    let mut size = 0;
+    if has_lower { size += 26; }
+    if has_upper { size += 26; }
+    if has_digit { size += 10; }
+    if has_symbol { size += 33; }
+    size
+}
+
+fn estimate_entropy(pw: &str, is_dict: bool) -> f64 {
+    if is_dict {
+        // Penalize dictionary words: assume 10 bits
+        10.0
+    } else {
+        let charset = get_charset_size(pw);
+        (pw.len() as f64) * (charset as f64).log2()
+    }
+}
+
+pub fn estimate_passwords() {
+    println!("Enter passwords (one per line, empty line to finish):");
+    let mut passwords = Vec::new();
+    let mut entropies = Vec::new();
+    loop {
+        print!("Password: "); io::stdout().flush().unwrap();
+        let mut pw = String::new();
+        io::stdin().read_line(&mut pw).unwrap();
+        let pw = pw.trim().to_string();
+        if pw.is_empty() { break; }
+        print!("Is this a dictionary word? (y/N): "); io::stdout().flush().unwrap();
+        let mut dict = String::new();
+        io::stdin().read_line(&mut dict).unwrap();
+        let is_dict = dict.trim().to_lowercase() == "y";
+        let entropy = estimate_entropy(&pw, is_dict);
+        passwords.push(pw);
+        entropies.push(entropy);
+    }
+    if passwords.is_empty() {
+        println!("No passwords entered.");
+        return;
+    }
+    let total_entropy: f64 = entropies.iter().sum();
+    let total_keyspace = 2f64.powf(total_entropy);
+    let guesses_per_sec = 1e11; // 100 billion/sec
+    let classical_seconds = total_keyspace / guesses_per_sec;
+    let quantum_seconds = total_keyspace.sqrt() / guesses_per_sec;
+    fn human_time(secs: f64) -> String {
+        if secs < 60.0 {
+            format!("{:.2} seconds", secs)
+        } else if secs < 3600.0 {
+            format!("{:.2} minutes", secs/60.0)
+        } else if secs < 86400.0 {
+            format!("{:.2} hours", secs/3600.0)
+        } else if secs < 31_536_000.0 {
+            format!("{:.2} days", secs/86400.0)
+        } else {
+            format!("{:.2} years", secs/31_536_000.0)
+        }
+    }
+    println!("\n--- Brute-Force Estimate ---");
+    println!("Total entropy: {:.2} bits", total_entropy);
+    println!("Total keyspace: ~{:.2e}", total_keyspace);
+    println!("Classical brute-force: {}", human_time(classical_seconds));
+    println!("Quantum brute-force: {}", human_time(quantum_seconds));
+    if total_entropy < 60.0 {
+        println!("Warning: Your passwords are weak. Consider using longer or more complex passwords.");
+    } else if total_entropy < 80.0 {
+        println!("Caution: Your passwords are moderate. For strong security, aim for 80+ bits of entropy.");
+    } else {
+        println!("Good: Your passwords are strong.");
+    }
+}

src/estimate.rs

@@ -0,0 +1,150 @@
+//! rustcube: Multi-password, order-dependent, streaming encryption/decryption tool
+//! - Each password mutates the key state (like a Rubik's cube)
+//! - Salt is stored with ciphertext
+//! - No error on wrong password: just garbled output
+//! - Secure memory zeroing with zeroize
+
+use libaes::Cipher;
+use pbkdf2::pbkdf2_hmac;
+use rand::RngCore;
+use rand::rngs::OsRng;
+use sha2::Sha256;
+use zeroize::Zeroize;
+use clap::{Parser, Subcommand};
+mod estimate;
+use std::fs::{File};
+use std::io::{Read, Write};
+use tar::{Builder, Archive};
+
+const SALT_LEN: usize = 16;
+const IV_LEN: usize = 16;
+const PBKDF2_ITER: u32 = 100_000;
+
+// No longer needed: type Aes256Cbc = Cbc<Aes256, Pkcs7>;
+
+#[derive(Parser)]
+#[command(author, version, about)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand)]
+enum Commands {
+    Encrypt {
+        #[arg(short, long)]
+        folder: String,
+        #[arg(short, long)]
+        output: String,
+    },
+    Estimate,
+    Decrypt {
+        #[arg(short, long)]
+        input: String,
+        #[arg(short, long)]
+        output: String,
+    },
+}
+
+fn derive_key(passwords: &[String], salt: &[u8]) -> [u8; 32] {
+    let mut key = [0u8; 32];
+    let mut state = Vec::new();
+    for pw in passwords {
+        let mut k = [0u8; 32];
+        pbkdf2_hmac::<Sha256>(pw.as_bytes(), salt, PBKDF2_ITER, &mut k);
+        if state.is_empty() {
+            state.extend_from_slice(&k);
+        } else {
+            let state_len = state.len();
+            for (i, b) in k.iter().enumerate() {
+                let idx = i % state_len;
+                state[idx] ^= b;
+            }
+        }
+        k.zeroize();
+    }
+    key.copy_from_slice(&state[..32]);
+    state.zeroize();
+    key
+}
+
+fn encrypt_folder(folder: &str, output: &str, passwords: &[String]) -> std::io::Result<()> {
+    let mut salt = [0u8; SALT_LEN];
+    OsRng.fill_bytes(&mut salt);
+    let mut iv = [0u8; IV_LEN];
+    OsRng.fill_bytes(&mut iv);
+    let key = derive_key(passwords, &salt);
+    let tar_path = format!("{}.tar", output);
+    {
+        let tar_gz = File::create(&tar_path)?;
+        let mut builder = Builder::new(tar_gz);
+        builder.append_dir_all(".", folder)?;
+    }
+    let mut tar_data = Vec::new();
+    {
+        let mut f = File::open(&tar_path)?;
+        f.read_to_end(&mut tar_data)?;
+    }
+    let cipher = Cipher::new_256(&key);
+    let ciphertext = cipher.cbc_encrypt(&iv, &tar_data);
+    let mut out = File::create(output)?;
+    out.write_all(&salt)?;
+    out.write_all(&iv)?;
+    out.write_all(&ciphertext)?;
+    std::fs::remove_file(&tar_path)?;
+    Ok(())
+}
+
+fn decrypt_folder(input: &str, output: &str, passwords: &[String]) -> std::io::Result<()> {
+    let mut f = File::open(input)?;
+    let mut salt = [0u8; SALT_LEN];
+    let mut iv = [0u8; IV_LEN];
+    f.read_exact(&mut salt)?;
+    f.read_exact(&mut iv)?;
+    let mut ciphertext = Vec::new();
+    f.read_to_end(&mut ciphertext)?;
+    let key = derive_key(passwords, &salt);
+    let cipher = Cipher::new_256(&key);
+    let decrypted = cipher.cbc_decrypt(&iv, &ciphertext);
+    let tar_path = format!("{}.tar", input);
+    {
+        let mut tar_file = File::create(&tar_path)?;
+        tar_file.write_all(&decrypted)?;
+    }
+    let tar_gz = File::open(&tar_path)?;
+    let mut archive = Archive::new(tar_gz);
+    archive.unpack(output)?;
+    std::fs::remove_file(&tar_path)?;
+    Ok(())
+}
+
+fn main() {
+    let cli = Cli::parse();
+    match cli.command {
+        Commands::Encrypt { folder, output } => {
+            println!("Enter passwords (one per line, empty line to finish):");
+            let mut passwords = Vec::new();
+            loop {
+                let pw = rpassword::prompt_password("Password: ").unwrap();
+                if pw.is_empty() { break; }
+                passwords.push(pw);
+            }
+            encrypt_folder(&folder, &output, &passwords).expect("Encryption failed");
+            println!("Encrypted to {}", output);
+        }
+        Commands::Decrypt { input, output } => {
+            println!("Enter passwords (one per line, empty line to finish):");
+            let mut passwords = Vec::new();
+            loop {
+                let pw = rpassword::prompt_password("Password: ").unwrap();
+                if pw.is_empty() { break; }
+                passwords.push(pw);
+            }
+            decrypt_folder(&input, &output, &passwords).expect("Decryption failed");
+            println!("Decryption attempted. If passwords were wrong, output will be garbled.");
+        }
+        Commands::Estimate => {
+            estimate::estimate_passwords();
+        }
+    }
+}

src/main.rs

@@ -0,0 +1 @@
+{"rustc_fingerprint":16784359761484475572,"outputs":{"17747080675513052775":{"success":true,"status":"","code":0,"stdout":"rustc 1.88.0 (6b00bc388 2025-06-23) (Homebrew)\nbinary: rustc\ncommit-hash: 6b00bc3880198600130e1cf62b8f8a93494488cc\ncommit-date: 2025-06-23\nhost: aarch64-apple-darwin\nrelease: 1.88.0\nLLVM version: 20.1.7\n","stderr":""},"7971740275564407648":{"success":true,"status":"","code":0,"stdout":"___\nlib___.rlib\nlib___.dylib\nlib___.dylib\nlib___.a\nlib___.dylib\n/opt/homebrew/Cellar/rust/1.88.0\noff\npacked\nunpacked\n___\ndebug_assertions\npanic=\"unwind\"\nproc_macro\ntarget_abi=\"\"\ntarget_arch=\"aarch64\"\ntarget_endian=\"little\"\ntarget_env=\"\"\ntarget_family=\"unix\"\ntarget_feature=\"aes\"\ntarget_feature=\"crc\"\ntarget_feature=\"dit\"\ntarget_feature=\"dotprod\"\ntarget_feature=\"dpb\"\ntarget_feature=\"dpb2\"\ntarget_feature=\"fcma\"\ntarget_feature=\"fhm\"\ntarget_feature=\"flagm\"\ntarget_feature=\"fp16\"\ntarget_feature=\"frintts\"\ntarget_feature=\"jsconv\"\ntarget_feature=\"lor\"\ntarget_feature=\"lse\"\ntarget_feature=\"neon\"\ntarget_feature=\"paca\"\ntarget_feature=\"pacg\"\ntarget_feature=\"pan\"\ntarget_feature=\"pmuv3\"\ntarget_feature=\"ras\"\ntarget_feature=\"rcpc\"\ntarget_feature=\"rcpc2\"\ntarget_feature=\"rdm\"\ntarget_feature=\"sb\"\ntarget_feature=\"sha2\"\ntarget_feature=\"sha3\"\ntarget_feature=\"ssbs\"\ntarget_feature=\"vh\"\ntarget_has_atomic=\"128\"\ntarget_has_atomic=\"16\"\ntarget_has_atomic=\"32\"\ntarget_has_atomic=\"64\"\ntarget_has_atomic=\"8\"\ntarget_has_atomic=\"ptr\"\ntarget_os=\"macos\"\ntarget_pointer_width=\"64\"\ntarget_vendor=\"apple\"\nunix\n","stderr":""}},"successes":{}}

target/.rustc_info.json

@@ -0,0 +1,3 @@
+Signature: 8a477f597d28d172789f06886806bc55
+# This file is a cache directory tag created by cargo.
+# For information about cache directory tags see https://bford.info/cachedir/

target/CACHEDIR.TAG

@@ -0,0 +1,6 @@
+{
+  "git": {
+    "sha1": "b28dbfc201bdda98c339d809bc861aa67f2d1ff1"
+  },
+  "path_in_vcs": ".secure/rustcube"
+}