StegoSecretS
StegoSecretS combines AES-256 encryption, Shamir's Secret Sharing (SSS) and steganography!
It helps you share a secret among other trusted peers, keeping a minimum threshold of keys to recover the original one.
The partial keys will also be hidden inside images, adding an additional layer of "security".
Note: the project is under active development. The APIs are subject to change!
Quickstart
Installation
You can install the stego
CLI with brew
brew install enrichman/tap/stegosecrets
or getting the latest release, or building it from source.
Encrypt / Decrypt
TLDR: go to the usage section for more details
stego encrypt --file mysecret.txt --parts 5 --threshold 3
stego decrypt --file mysecret.txt.enc --img 001.jpg --key 002.key --img 003.jpg
How does it work?
Alice wants to protect her new "patent pending nuclear blender project" from EvilCompany.
They want it, so she asks her friends Bob, Charlie and Dave to keep it safe.
She trusts them, but to add an additional layer of security she emails them an encrypted file and an image of a cat containing a special key. 🐈
With this special key Bob alone is not able to decrypt the secret, so even if someone from EvilCompany gets the hands on his secret it will be useless. They will still need to get Charlie's and Dave's keys.
Ok, but.. how does it work?
An input file (or message) will be encrypted using AES-256 with a crypto secure random 32 bit key. This key will be then split in p
parts with Shamir's Secret Sharing algorithm (SSS).
A t
threshold of partial keys is needed to recover the original one and decrypt the secret.
For example, encrypting the file having 5 parts
with a threshold
of 3 will split the master-key
into 5 pieces. These pieces will be also hidden into 5 images. To reconstruct the original master key at least 3 partial keys and/or images are needed.
Usage
encrypt
To encrypt a file you can explicit the filename:
stego encrypt --file mysecret.txt -p 5 -t 3
or you can write the message:
-> % stego encrypt -p 5 -t 3
Enter text: my secret message
This will generate (a lot) of files:
# out
mysecret.txt.checksum
mysecret.txt.enc
mysecret.txt.enc.checksum
mysecret.txt.key
001.jpg
001.jpg.checksum
001.key
002.jpg
002.jpg.checksum
002.key
...
005.jpg
005.jpg.checksum
005.key
Main files:
mysecret.txt.checksum
is the sha256 checksum of the mysecret.txt
file (used to check a successful decryption)
mysecret.txt.enc
is the encrypted file
mysecret.txt.enc.checksum
is the sha256 checksum of the mysecret.txt
mysecret.txt.key
is the master key used to encrypt/decrypt the secret
Partial files:
n.key
the n
partial key
n.jpg
the n
image where the n
partial key is hidden
n.jpg.checksum
is the sha256 checksum of the n.jpg
image
Note: If no parts are specified the master-key
will not be split. Keep it safely stored or delete it.
Checksums can be used to check the integrity of the files:
-> % sha256sum --check mysecret.txt.enc.checksum
mysecret.txt.enc: OK
decrypt
To decrypt a file just use enough keys and/or images:
stego decrypt --file mysecret.txt.enc --key 001.key --key 002.key --img 003.jpg
also the master key alone can be used to decrypt the file:
stego decrypt --file mysecret.txt.enc --master-key mysecret.txt.key
images
To hide the partial keys with steganography you will need a folder with some images.
To get some random images from https://picsum.photos/ the images
command can be used. They will be stored in the images
folder.
stego images