tird
(an acronym for "this is random data") is a tool for encrypting files and hiding encrypted data.
With tird
, you can:
- Create files filled with random data to use as containers or keyfiles.
- Overwrite the contents of block devices and regular files with random data. This can be used to prepare containers and to destroy residual data.
- Encrypt file contents and comments with modern cryptographic primitives. The encrypted file format (cryptoblob) is a padded uniform random blob (PURB): it looks like random data and has a randomized size. This reduces metadata leakage from file format and length, and also allows cryptoblobs to be hidden among random data. You can use keyfiles and passphrases at your choice to enhance security.
- Create steganographic (hidden, undetectable) user-driven file systems inside container files and block devices. Unlike VeraCrypt and Shufflecake containers,
tird
containers do not contain headers at all; the user specifies the location of the data in the container and is responsible for ensuring that this location is separated from the container. - Resist coercive attacks (keywords: key disclosure law, rubber-hose cryptanalysis, xkcd 538).
tird
provides some forms of plausible deniability out of the box, even if you encrypt files without hiding them in containers.
- File Protection: Ensuring protection for individual files, including:
- Symmetric encryption and authentication.
- Minimizing metadata leakage.
- Preventing access to data in cases of user coercion.
- Plausible deniability of payload existence.
- Hiding encrypted data.
- Stable Format: Ensuring a stable encryption format with no cryptographic agility for long-term data storage.
- Simplicity: Ensuring simplicity and avoiding feature creep: refusal to implement features that are not directly related to primary security goals.
The following cryptographic primitives are utilized by tird
:
ChaCha20
cipher (RFC 7539) for data encryption.BLAKE2
(RFC 7693) for hashing and authentication.Argon2
memory-hard function (RFC 9106) for key stretching and key derivation.
For more details, refer to the specification.
+ββββββββββββββββββββββββββββββββββββββββ+βββββββββ+
| Salt for key stretching (Argon2): 16 B | |
+ββββββββββββββββββββββββββββββββββββββββ+ Random |
| Randomized padding: 0-20% of the | data |
| unpadded cryptoblob size by default | |
+ββββββββββββββββββββββββββββββββββββββββ+βββββββββ+
| Ciphertext (ChaCha20): 512+ B, | |
| consists of: | |
| - Encrypted padded/truncated | Random- |
| comments, always 512 B | looking |
| - Encrypted payload file | data |
| contents, 0+ B | |
+ββββββββββββββββββββββββββββββββββββββββ+ |
| Optional MAC tag (BLAKE2/random): 64 B | |
+ββββββββββββββββββββββββββββββββββββββββ+βββββββββ+
| Randomized padding: 0-20% of the | |
| unpadded cryptoblob size by default | Random |
+ββββββββββββββββββββββββββββββββββββββββ+ data |
| Salt for prehashing (BLAKE2): 16 B | |
+ββββββββββββββββββββββββββββββββββββββββ+βββββββββ+
Files encrypted with tird
cannot be distinguished from random data without knowledge of the keys and have no identifiable headers. tird
produces cryptoblobs that contain bilateral randomized padding with uniform random data (PURBs). This minimizes metadata leaks from the file format and makes it possible to hide cryptoblobs among other random data.
Hidden User-Driven File System and Container Format
You can encrypt files and embed cryptoblobs into containers starting at arbitrary positions. After writing the cryptoblob, you will need to remember its location in the container (the starting and ending positions), which will be used later to extract the cryptoblobs. In this way, you can create a hidden, headerless, user-driven file system inside a container:
- It is hidden because it is impossible to distinguish between random container data and cryptoblob data, as well as to determine the location of written cryptoblobs without knowing the positions and keys.
- It is headerless because containers do not contain any headers; all data about cryptoblob locations must be stored separately by the user.
- The starting position of the cryptoblob in the container is user-defined, and the user must store both the starting and ending positions separately from the container. This is why it is called a user-driven file system.
Any file, disk, or partition larger than the minimum cryptonlob size (608 B) can be a valid container. Cryptoblobs can be embedded into any area.
Examples of valid containers include:
- Specially generated files with random data.
- Disk areas containing random data. For example, you can overwrite a disk with random data, format it in FAT32 or exFAT, and use a large portion of the disk, leaving a few dozen MB from the beginning. The disk will appear empty unless you add some files to it.
tird
cryptoblobs, as they contain unauthenticated padding of random data by default, which can be used to embed smaller cryptoblobs.- VeraCrypt containers, even those that already contain hidden volumes.
Example of Container Structure:
+βββββββββ+βββββββββββββ+β Position 0
| | |
| | Random data |
| | |
| +βββββββββββββ+β Cryptoblob1 start position
| Header- | |
| less | Cryptoblob1 |
| | |
| Layer +βββββββββββββ+β Cryptoblob1 end position
| | Random data |
| Cake +βββββββββββββ+β Cryptoblob2 start position
| | |
| | Cryptoblob2 |
| | |
| +βββββββββββββ+β Cryptoblob2 end position
| | Random data |
+βββββββββ+βββββββββββββ+
You don't need to memorize command-line options to use tird
. This tool features a prompt-based CLI: simply start it, select a menu option, and answer the questions that will follow.
$ tird
MENU
βββββββββββββββββββββββββββββββββββββββββββ
0. Exit 1. Info & Warnings
2. Encrypt 3. Decrypt
4. Embed 5. Extract
6. Encrypt & Embed 7. Extract & Decrypt
8. Create w/ random 9. Overwrite w/ random
βββββββββββββββββββββββββββββββββββββββββββ
[01] Select an option [0-9]:
tird
has the following input options:
[01] Select an option
[02] Use custom settings?
[03] Argon2 time cost
[04] Max rand padding size
[05] Set fake MAC tag?
[06] Input file path
[07] Output file path
[08] Output file size
[09] Start position
[10] End position
[11] Comments
[12] Keyfile path
[13] Passphrase
[14] Proceed?
A detailed description of these options with examples can be found here.
Start tird
with the --debug
option to look under the hood while the program is running:
$ tird --debug
Enabling debug messages additionally shows:
- File operations:
- Opening and closing of file descriptors.
- Real paths to opened files.
- Movement of file pointers.
- Byte strings related to cryptographic operations: salts, passphrases, digests, keys, nonces, and tags.
- Some other information, including various sizes.
tird
does not support:- Public-key cryptography.
- File compression.
- ASCII armored output.
- ReedβSolomon error correction.
- Splitting the output into chunks.
- The use of standard streams for processing files.
- Low-level block device reading and writing on MS Windows. As a result, these devices cannot be used as keyfiles, cannot be overwritten, and cannot be encrypted or embedded.
tird
does not provide:- A graphical user interface.
- A password generator.
tird
cannot handle (encrypt/embed) more than one file in one pass. Encryption of directories and multiple files is not supported.tird
does not fake file access, modification, and creation timestamps (atime, mtime, ctime).tird
's encryption speed is not very high (up to 180 MiB/s in my tests).
β οΈ The author does not have a background in cryptography.β οΈ The code has 0% test coverage.β οΈ tird
has not been independently audited.β οΈ tird
is ineffective in a compromised environment; executing it in such cases may cause disastrous data leaks.β οΈ tird
is unlikely to be effective when used with short and predictable keys.β οΈ Sensitive data may leak into swap space.β οΈ tird
does not erase its sensitive data from memory after use.β οΈ tird
always releases unverified plaintext, violating The Cryptographic Doom Principle.β οΈ tird
doesn't sort digests of keyfiles and passphrases in constant-time.β οΈ Padding sizes depend on secret values.β οΈ Padding contents are never authenticated; authentication only applies to the ciphertext, salts, and certain sizes.β οΈ Overwriting file contents does not guarantee secure destruction of data on the media.β οΈ You cannot prove to an adversary that your random data does not contain encrypted information.β οΈ tird
protects data, not the user; it cannot prevent torture if you are under suspicion.β οΈ Development is not complete, and there may be backward compatibility issues.
- Python >= 3.9
- PyCryptodomex >= 3.6.2 (provides
ChaCha20
) - PyNaCl >= 1.2.0 (provides
Argon2
andBLAKE2
)
Install python3
and python3-pip
(or python-pip
), then run
$ pip install tird
It's easy to build a deb package for Debian and Ubuntu-based distros with the latest git snapshot.
- Install the build dependencies:
$ sudo apt install make fakeroot
- Clone the repository (if
git
is already installed) and enter the directory:
$ git clone https://github.com/hakavlad/tird.git && cd tird
- Build the package:
$ make build-deb
- Install or reinstall the package:
$ sudo make install-deb
Standalone executables (made with PyInstaller) are also available (see Releases) for Windows and Linux (amd64). Please use at your own risk.
How to verify signatures
Use Minisign to verify signatures. You can find my public key here.
For example:
$ minisign -Vm tird-v0.17.0-linux-amd64.zip -P RWQLYkPbRQ8b56zEe8QdbjLFqC9UrjOaYxW5JxwsWV7v0ct/F/XfJlel
This requires the signature tird-v0.17.0-linux-amd64.zip.minisig
to be present in the same directory.
Write or improve the documentation:
- Features
- User Guide
- Specification
- Design Rationale
Please feel free to ask questions, leave feedback, or provide critiques in the Discussions section.