Skip to content
/ shadow-vault Public

Code for researching deniable encryption. Create a vault with multiple encrypted slots, some containing encrypted data, some containing random data, with no provable difference.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gbowerman/shadow-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
code
code
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

shadow-vault

Code for researching deniable encryption. Create a vault with multiple encrypted slots, some containing encrypted data, some containing random data, with no provable difference.

Overview

Shadow Vault creates encrypted vaults that can contain two independent datasets, each encrypted with a different password. When decrypted with one password, it reveals one dataset; when decrypted with the other password, it reveals a different dataset. If you only provide one dataset during encryption, the tool automatically generates fake ciphertext for the second slot, making it indistinguishable from a real encrypted dataset.

Features

  • Dual-dataset encryption: Store two independent datasets in a single file
  • Plausible deniability: The existence of a second dataset is cryptographically hidden
  • Strong encryption: Uses AES-256 in CTR mode with Scrypt key derivation
  • Flexible input: Encrypt text strings or file contents
  • Block interleaving: Datasets are interleaved at the block level for security

Requirements

pip install cryptography
cd code

Examples

Example 1: Create a vault with two sets of data:

python shadow.py --encrypt \
  --datastring "Grocery list: milk, eggs, bread" \
  --password "pass phrase 1" \
  --datastring2 "Bank account: 123456789, PIN: 4321" \
  --password2 "pass phrase 2" \
  --out personal.vault

# Decrypt the first data set
python shadow.py --decrypt --password "pass phrase 1" --in personal.vault

# Decrypt the second data set
python shadow.py --decrypt --password "pass phrase 2" --in personal.vault --block 2

Example 2: Encrypt two different files:

# Encrypt
python shadow.py --encrypt \
  --datafile endymion.txt \
  --password "pass phrase 1" \
  --datafile2 hyperion.txt \
  --password2 "pass phrase 2" \
  --out poems.vault

# Decrypt first file
python shadow.py --decrypt --password "pass phrase 1" --in poems.vault > endymion.txt

# Decrypt second file
python shadow.py --decrypt --password "pass phrase 2" --in poems.vault --block 2 > hyperion.txt

Example 3: Single dataset interleaved with random text

# Encrypt one dataset (random data automatically generated for second slot)
python shadow.py --encrypt \
  --datastring "My secret message" \
  --password "my pass phrase" \
  --out shadow.vault

# Decrypt
python shadow.py --decrypt --password "my pass phrase" --in shadow.vault

Notes

This app provides a minimal level of plausible deniability, though a version with more than 2 layers of data would provide more. Keep in mind:

  • Use strong, unique passwords for each dataset
  • Ensure the fake dataset scenario is plausible
  • Understand that cryptanalysis may reveal patterns with sufficient access
  • This is a prototype - use at your own risk for sensitive data

About

Code for researching deniable encryption. Create a vault with multiple encrypted slots, some containing encrypted data, some containing random data, with no provable difference.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages