- Description
- Key Features
- Security Features
- Installation
- Core Components
- Token Types
- Integrity Verification
- Compression
- Security Best Practices
- Contributing
- License
- Contact
## Description

TVault Core is an advanced open-source cryptographic system designed to provide reliable protection for confidential data using modern encryption algorithms. This platform offers a comprehensive toolkit for securing files and directories, managing cryptographic keys, and ensuring data integrity. Developed with principles of modularity and flexibility in mind, TVault Core offers both a command-line interface for simple use and a programming API for deep integration into custom applications. The system supports multiple mechanisms for storing and distributing encryption keys, including advanced secret sharing methods.

## Key Features

- Robust Data Protection: Using the AES-256 standard for encryption
- Directory Structure Preservation: Complete preservation of file hierarchy during encryption
- Built-in Compression: Reduction of encrypted container size
- Container Metadata: Storage of creation time, update information, and user comments
- Access Tokens: Creation and management of tokens for secure key distribution
- Shamir's Secret Sharing Scheme: Division of the master key into multiple parts requiring a specified threshold for recovery
- Multi-level Protection: Support for additional passwords to enhance security
- Flexible Configuration: Customizable parameters for any usage scenario
- HMAC Verification: Prevention of tampering or modification of encrypted data
- Independent Integrity Providers: Separate mechanisms for data authenticity verification
- Digital Signature Support: Extensibility for using digital signature algorithms
- Command Line: Full-featured CLI for all operations
- Programming API: Integration into applications via Go API
- Flexible Output Formats: Support for plaintext and JSON formats for all operations
- Advanced Error Handling: Detailed error information for simplified debugging
## Security Features

- AES-256 Encryption: Industry-standard encryption algorithm
- PBKDF2 Key Derivation: Secure password-based key generation
- HMAC Integrity Verification: Prevents tampering with encrypted data
- Distributed Key Management: Split keys using Shamir's Secret Sharing
- Multiple Token Formats: Support for different token storage methods
## Installation

```bash
go get github.com/namelesscorp/tvault-core
```

Or build from source:

```bash
git clone https://github.com/namelesscorp/tvault-core.git
cd tvault-core
make build
```

## Core Components

### Seal

The seal module is responsible for encrypting directories, creating secure containers, and generating access tokens.
It supports various compression algorithms, key management methods, and integrity assurance mechanisms.
The sealing process includes:
- Compressing the specified directory
- Generating a cryptographically strong key
- Encrypting the compressed data
- Creating and saving access tokens
- Forming container metadata
```bash
tvault seal \
  container \
    -name="container-name" \
    -new-path="/path/to/output.tvlt" \
    -folder-path="/path/to/folder" \
    -passphrase="your-secure-passphrase" \
    -comment="your-comment" \
    -tags="your-tag-1,your-tag-2,your-tag-3" \
  compression \
    -type="zip" \
  token \
    -type="share" \
  token-writer \
    -type="file" \
    -format="json" \
    -path="/path/to/token/file" \
  integrity-provider \
    -type="hmac" \
    -new-passphrase="your-integrity-password" \
  shamir \
    -is-enabled=true \
    -shares=5 \
    -threshold=3 \
  log-writer \
    -type="stdout" \
    -format="json"
```

### Unseal

The unseal module performs the reverse process, decrypting containers using the appropriate tokens or passwords.
It verifies data integrity, decrypts the content, and restores the original directory structure.
The unsealing process includes:
- Reading and verifying container metadata
- Restoring the master key from tokens or password
- Verifying data integrity
- Decrypting the container
- Unpacking and restoring the original files and directories
```bash
tvault unseal \
  container \
    -current-path="/path/to/container.tvlt" \
    -folder-path="/path/to/output" \
    -passphrase="your-passphrase" \
  token-reader \
    -type="file" \
    -format="json" \
    -path="/path/to/token/file" \
  integrity-provider \
    -current-passphrase="your-integrity-password" \
  log-writer \
    -type="stdout" \
    -format="json"
```

### Reseal

The reseal module allows updating the content of an existing container without changing its token structure and keys.
This is particularly useful for regularly updating encrypted data without the need to distribute new tokens.
The resealing process includes:
- Decrypting the existing container
- Compressing new data
- Encrypting the updated content using the same key
- Updating container metadata
- Generating new tokens with the same cryptographic key
```bash
tvault reseal \
  container \
    -name="new-container-name" \
    -current-path="/path/to/original.tvlt" \
    -new-path="/path/to/updated.tvlt" \
    -folder-path="/path/to/new/content" \
    -comment="your-current-comment, new-comment or empty" \
    -tags="your-current-tag-1,your-current-tag-2,your-current-tag-3, new-tag-1, new-tag-2" \
  token-reader \
    -type="file" \
    -format="json" \
    -path="/path/to/token/file" \
  token-writer \
    -type="file" \
    -format="json" \
    -path="/path/to/updated/token/file" \
  integrity-provider \
    -current-passphrase="your-integrity-password" \
  log-writer \
    -type="stdout" \
    -format="json"
```

### Container

The container module provides a unified format for securely storing encrypted data with comprehensive metadata.
It serves as the central data structure in the TVault Core system, encapsulating all encrypted content and related information.
The container consists of several key components:
- Header: Essential technical information, including:
  - Encryption method and parameters
  - Integrity provider type
  - Token type
  - Shamir's secret sharing configuration
  - Cryptographic salt values
- Metadata: User-visible information about the container:
  - Creation and update timestamps
  - User comments and descriptions
  - Custom tags for organization and filtering
  - Container versioning information
- Encrypted Payload: The actual encrypted content
The container module also provides functionality to inspect and retrieve detailed information about existing containers without decrypting their contents. This is useful for managing multiple containers, verifying their configuration, or retrieving metadata without accessing the protected information.

The container information retrieval process:
- Opens the container file
- Reads the header and metadata sections
- Extracts and formats information about the container configuration
- Outputs the information in the specified format (plaintext or JSON)
Container info can be retrieved using the CLI:
```bash
tvault container \
  info \
    -path="/path/to/original.tvlt" \
  info-writer \
    -type="file" \
    -format="json" \
    -path="/path/to/container/info/file" \
  log-writer \
    -type="stdout" \
    -format="json"
```

## Token Types

TVault Core supports multiple token types:
Encryption using only a password, without creating a separate token. This method is simple to use but requires secure storage and transmission of the password.
A single token containing the master key, encrypted using a password. This approach provides an additional layer of security by separating the key and password.
Multiple tokens using Shamir's Secret Sharing scheme. This method allows distributing access among multiple participants, requiring a certain number of tokens to decrypt the data.
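How the share-type tokens split the master key, as an added illustration rather than TVault's own code: Shamir's scheme over a prime field in Go, sized for the 5-share, threshold-3 split used in the seal command above. The field prime, the Share type and the Split/Recover names are this example's choices; it assumes distinct share x values and says nothing about how TVault encodes shares into token files.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
)

// Field prime 2^521 - 1 (a Mersenne prime), large enough to hold a 256-bit key.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))
type Share struct{ X, Y *big.Int } // one point (x, y) on the secret polynomial

// Split hides the key in the constant term of a random degree threshold-1 polynomial and returns n points on it.
func Split(secret []byte, n, threshold int) ([]Share, error) {
	if threshold < 2 || n < threshold {
		return nil, errors.New("need 2 <= threshold <= shares")
	}
	coef := []*big.Int{new(big.Int).SetBytes(secret)} // coef[0] is the secret
	for len(coef) < threshold {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int) // x = 0 would expose the secret
		for j := len(coef) - 1; j >= 0; j-- {          // Horner evaluation mod p
			y.Mul(y, x).Add(y, coef[j]).Mod(y, prime)
		}
		shares[i] = Share{x, y}
	}
	return shares, nil
}

// Recover interpolates f(0) in Lagrange form; turn it back into key bytes with FillBytes(make([]byte, 32)).
func Recover(shares []Share) *big.Int {
	secret := new(big.Int)
	for i, si := range shares {
		l := big.NewInt(1) // basis value l_i(0) = prod_{j != i} x_j / (x_j - x_i)
		for j, sj := range shares {
			if i != j {
				l.Mul(l, sj.X).Mul(l, new(big.Int).ModInverse(new(big.Int).Sub(sj.X, si.X), prime)).Mod(l, prime)
			}
		}
		secret.Add(secret, l.Mul(l, si.Y)).Mod(secret, prime)
	}
	return secret
}
```

With fewer than threshold shares, Recover returns some other field element rather than an error, which is why the token backup advice in the security best practices matters.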
```bash
tvault seal \
  token \
    -type="shamir" \
  # other command parameters
```

## Integrity Verification

TVault Core includes multiple integrity providers:
Basic mode without integrity verification. Suitable for non-critical data or cases where integrity is ensured by external means.
Using cryptographic hash functions to ensure data integrity and authenticity. Requires an additional password to enhance protection.
A promising mechanism based on the Ed25519 digital signature algorithm, providing a high level of protection against data forgery.
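The seal/unseal steps and the HMAC provider above, reduced to their cryptographic core as an added example that is not TVault's code: encrypt-then-MAC with two independent keys, the integrity key coming from the separate integrity passphrase. It assumes both 32-byte keys were already derived by PBKDF2 outside the block, uses AES in CTR mode (the page does not state which mode TVault uses), and the Seal/Unseal names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal encrypts plain with AES-256-CTR under encKey and appends an HMAC-SHA256
// tag over iv || ciphertext computed with the independent macKey
// (encrypt-then-MAC). Both 32-byte keys are assumed already derived (PBKDF2).
func Seal(plain, encKey, macKey []byte) ([]byte, error) {
	blk, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(plain)) // iv || ciphertext
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(blk, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plain)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil // body || tag
}

// Unseal verifies the tag in constant time and decrypts only afterwards, so a
// wrong integrity key, a flipped ciphertext bit or a truncated box never reaches
// the cipher.
func Unseal(box, encKey, macKey []byte) ([]byte, error) {
	if len(box) < aes.BlockSize+sha256.Size {
		return nil, errors.New("container truncated")
	}
	body, tag := box[:len(box)-sha256.Size], box[len(box)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed: wrong integrity key or modified data")
	}
	blk, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(blk, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])
	return plain, nil
}
```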
```bash
tvault seal \
  integrity-provider \
    -type="hmac" \
    -new-passphrase="new-passphrase" \
  # other command parameters
```

## Compression

The compression package is an essential component of the TVault Core system, providing efficient data compression before encryption.
This improves security, reduces the size of encrypted containers, and optimizes storage usage.
The compression system is tightly integrated with other TVault Core components:
- Seal: Compression is performed at the initial stage of the sealing process
- Unseal: Decompression is performed at the final stage of the unsealing process
- Reseal: Recompression is performed when updating container content
- Container: Information about the compression type is stored in container metadata
Compression Process:
- Algorithm Selection: Based on the `-type` parameter, the appropriate compression method is selected
- Directory Analysis: The specified directory structure is scanned
- File Compression: All files are compressed while preserving paths and metadata
- Archive Creation: A single archive containing all compressed data is created
- Result Passing: The compressed data is passed for subsequent encryption
Decompression Process:
- Data Extraction: After container decryption, the compressed data is extracted
- Compression Type Identification: Based on container metadata, the compression method used is determined
- File Unpacking: All files are extracted with restoration of the original structure
- Integrity Verification: The integrity of the extracted data is verified
- Access Restoration: Original access rights to files and directories are restored
The no-compression mode is included in the system architecture but is not currently implemented. In future versions, it may be added for scenarios where compression is not required or might be detrimental (such as for already compressed data).
The Zip compression algorithm is the primary compression method in TVault Core. It provides a good balance between compression ratio and processing speed.
Key Features:
- High Compatibility: Uses the standard ZIP format compatible with most archiving tools
- File Structure Preservation: Fully maintains directory and file hierarchy
- Efficient Compression: Offers a good balance between compressed data size and processing speed
- Built-in Integrity Checking: Includes basic data integrity verification mechanisms
```bash
tvault seal \
  compression \
    -type="zip" \
  # other command parameters
```

## Security Best Practices

- Separate Storage: Store tokens separately from encrypted containers
- Strong Passwords: Use complex, unique passwords for containers and integrity verification
- Token Backups: Regularly create backups of tokens — without them, data recovery is impossible
- Distributed Access: For critical data, use the Shamir scheme with a reasonable threshold
- Periodic Updates: Regularly update containers using the reseal function
- Secure Channels: Transmit tokens only through secure communication channels
- Integrity Verification: Always use integrity verification mechanisms for critical data
## Contributing

We welcome contributions to the project. Detailed information about the development process, commit formatting, and creating merge requests can be found in CONTRIBUTING.md.
## License

TVault Core is proprietary software. Use of this code is governed by the license agreement.
## Contact

If you have questions or issues, please create an Issue in the repository or contact the development team.
© 2025 Trust Vault. All rights reserved.