{"id":50309474,"url":"https://github.com/penthertz/luksbox","last_synced_at":"2026-06-04T10:00:30.709Z","repository":{"id":356279948,"uuid":"1231342524","full_name":"PentHertz/LUKSbox","owner":"PentHertz","description":"Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello), TPM 2.0, and hybrid post-quantum (ML-KEM-768 / 1024) keyslots. Mounts as a real drive on Linux, macOS, and Windows.","archived":false,"fork":false,"pushed_at":"2026-05-25T07:45:17.000Z","size":4406,"stargazers_count":551,"open_issues_count":4,"forks_count":46,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-05-28T19:38:36.234Z","etag":null,"topics":["encryption","file","secure","sensitive-data","vault"],"latest_commit_sha":null,"homepage":"https://luksbox.penthertz.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PentHertz.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audit.toml","citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-06T21:47:11.000Z","updated_at":"2026-05-28T16:25:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/PentHertz/LUKSbox","commit_stats":null,"previous_names":["penthertz/luksbox"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/PentHertz/LUKSbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PentHertz%2FLUKSbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PentHertz%2FLUKSbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PentHertz%2FLUKSbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PentHertz%2FLUKSbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PentHertz","download_url":"https://codeload.github.com/PentHertz/LUKSbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PentHertz%2FLUKSbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33899697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-04T02:00:06.755Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","file","secure","sensitive-data","vault"],"created_at":"2026-05-28T19:30:42.895Z","updated_at":"2026-06-04T10:00:30.700Z","avatar_url":"https://github.com/PentHertz.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- markdownlint-disable MD041 --\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://luksbox.penthertz.com/\"\u003e\n    \u003cimg src=\"assets/luksbox-logo.png\" alt=\"LUKSbox\" width=\"180\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eLUKSbox\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eEncrypted vaults that survive the next decade.\u003c/strong\u003e\u003cbr\u003e\n  Open-source, FIDO2 + TPM 2.0 native, post-quantum-ready.\u003cbr\u003e\n  \u003cem\u003eStore sensitive files in the cloud or on shared media without trusting the host.\u003c/em\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://penthertz.com\" title=\"By Penthertz\"\u003e\n    Built by\n    \u003cimg src=\"assets/penthertz-logo.png\" alt=\"Penthertz\" height=\"22\" valign=\"middle\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://luksbox.penthertz.com/\"\u003e\u003cstrong\u003eWebsite\u003c/strong\u003e\u003c/a\u003e |\n  \u003ca href=\"https://luksbox.penthertz.com/docs/\"\u003e\u003cstrong\u003eDocs\u003c/strong\u003e\u003c/a\u003e |\n  \u003ca href=\"https://luksbox.penthertz.com/docs/security/architecture/\"\u003e\u003cstrong\u003eSecurity\u003c/strong\u003e\u003c/a\u003e |\n  \u003ca href=\"https://luksbox.penthertz.com/docs/security/tests/\"\u003e\u003cstrong\u003eFuzzing\u003c/strong\u003e\u003c/a\u003e |\n  \u003ca href=\"https://luksbox.penthertz.com/compare/\"\u003e\u003cstrong\u003eCompare\u003c/strong\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg alt=\"License: Apache-2.0\" src=\"https://img.shields.io/badge/license-Apache--2.0-blue.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.rust-lang.org/\"\u003e\u003cimg alt=\"Made with Rust\" src=\"https://img.shields.io/badge/made%20with-Rust-orange.svg\"\u003e\u003c/a\u003e\n  \u003cimg alt=\"Status: pre-1.0\" src=\"https://img.shields.io/badge/status-pre--1.0-yellow.svg\"\u003e\n\u003c/p\u003e\n\n---\n\n## What it solves\n\nYou probably already store sensitive files where you don't fully\ncontrol the storage: cloud sync (iCloud, Drive, Dropbox, OneDrive,\nS3, Backblaze), NAS units, USB sticks that travel, backup tapes that\nend up at a recycler. The provider promises encryption-at-rest \"with\ntheir keys.\" LUKSbox encrypts the file before it ever leaves your\nmachine, under **your** keys, in a single container that is opaque to\nthe provider and tamper-evident on the way back.\n\nA LUKSbox vault is one file (`.lbx`), optionally with a separate\nheader (`.hdr`) and post-quantum sidecar (`.kyber`) that you keep on\ndifferent storage. Drop it on any cloud or shared medium. The\nprovider sees one indistinguishable-from-random blob and cannot\ndecrypt it even under legal compulsion. Mount it locally as a real\ndrive when you need to use it.\n\n| Concern | Plain cloud upload | Cloud + provider encryption | LUKSbox vault on cloud |\n|---|---|---|---|\n| Provider can read your files | Yes | Yes (they hold the key) | **No** |\n| Government request to provider exposes data | Yes | Yes | **No** |\n| Silent file tamper detected | No | Sometimes (TLS in transit only) | **Yes** (per-chunk AEAD) |\n| Whole-vault rollback detected | No | No | **Yes** (anchor sidecar) |\n| \"Harvest now, decrypt later\" (post-quantum) | Vulnerable | Vulnerable | **ML-KEM-768/1024 hybrid slot** |\n| Hardware-key requirement to open | N/A | Provider-specific | **FIDO2 / TPM / Windows Hello** |\n| Vault file looks like random data | No | No | **Yes** (with detached header) |\n| Source you can audit | No | No | **Yes** (Apache-2.0) |\n\nThe full per-tool comparison (vs LUKS2 / VeraCrypt / age / gocryptfs /\nCryptomator / BitLocker / FileVault) lives at\n\u003chttps://luksbox.penthertz.com/compare/\u003e.\n\n\u003e **A LUKSbox vault is a *travelling* copy, not a *master* copy.**\n\u003e Use it for the cloud, a USB stick, a vault you share with a\n\u003e colleague or client, anywhere you would not put plaintext. Like\n\u003e every encrypted container it is a single point of failure: if the\n\u003e `.lbx` file is corrupted or every keyslot becomes inaccessible,\n\u003e the data is gone. The forensic toolkit (`header-backup`, `check`,\n\u003e `extract --tolerate-errors`) helps in many damage scenarios but\n\u003e cannot recover bytes that are no longer on disk or no longer\n\u003e AEAD-tagged. Always keep an unencrypted copy somewhere you trust\n\u003e for any file you cannot afford to lose.\n\n---\n\n## Status\n\nThis is a **pre-1.0** release. The on-disk format is locked, the\ncryptographic primitives are NIST/RFC standards built on RustCrypto,\nand 9 internal audit rounds have shipped. External paid audit and\nbroader real-world deployment are the next milestones. The\ncloud-storage threat model, provider can't read your data even under\nsubpoena, is what LUKSbox is built for and what it does today.\n\n| Surface | State |\n|---|---|\n| `cargo test --workspace` | 200+ passing, 0 failing, 0 ignored |\n| `cargo audit` (Linux/macOS) | 0 vulns / 0 unsound / 0 unmaintained |\n| `cargo audit` (Windows) | 1 unmaintained (`registry`, transitive via WinFsp) |\n| Internal audit rounds | 9 documented at \u003chttps://luksbox.penthertz.com/docs/security/audit/\u003e (per-round details kept internal) |\n| Third-party audit | not yet performed; engagement scope package available on request to `security@penthertz.com` |\n| Fuzz iterations across 10 libFuzzer harnesses | 30M+ |\n\n---\n\n## How a vault is opened\n\n```mermaid\nflowchart LR\n    User[User knowledge\u003cbr/\u003epassphrase or PIN] --\u003e Unlock[Unlock material]\n    FIDO[FIDO2 authenticator\u003cbr/\u003ehmac-secret] --\u003e Unlock\n    TPM[TPM 2.0\u003cbr/\u003esealed KEK] --\u003e Unlock\n    PQ[ML-KEM seed file\u003cbr/\u003eseparate storage] --\u003e Unlock\n\n    Unlock --\u003e KEK[Key encryption key]\n    KEK --\u003e MVK[Master volume key]\n    MVK --\u003e HeaderMac[Header HMAC key]\n    MVK --\u003e MetadataKey[Metadata AEAD key]\n    MVK --\u003e FileKeys[Per-file HKDF keys]\n    MVK --\u003e AnchorKey[Anchor HMAC key]\n\n    HeaderMac --\u003e Header[Authenticated header]\n    MetadataKey --\u003e Metadata[Encrypted metadata tree]\n    FileKeys --\u003e Chunks[Encrypted file chunks]\n    AnchorKey --\u003e Anchor[Rollback anchor]\n```\n\nThe Master Volume Key (MVK) is the root secret. Keyslots do not\nencrypt files directly; they wrap the MVK. Once a valid keyslot\nunwraps the MVK, every other key in the vault is derived from it via\nHKDF-SHA256 with a per-purpose `info` string. Lose the keyslot\nmaterial, lose the MVK; revoke a slot and that material is\npermanently unable to recover the MVK from this vault.\n\nFor the full architecture map (on-disk graph, unlock sequence,\nconcurrency / crash-safety pipeline, on-disk footprint), see\n\u003chttps://luksbox.penthertz.com/docs/security/architecture/\u003e.\n\n---\n\n## Security mechanisms\n\n| Mechanism | What it does | Where it lives |\n|---|---|---|\n| AES-256-GCM-SIV (default) / AES-256-GCM / ChaCha20-Poly1305 | AEAD on every file chunk and on the metadata blob | `crates/luksbox-core/src/aead.rs` |\n| HMAC-SHA256 over the entire 8 KiB header | Detects header tampering once a keyslot unwraps the MVK | `crates/luksbox-core/src/header.rs` |\n| HKDF-SHA256 with per-purpose `info` strings | Derives every subkey from the MVK; uniqueness verified by regression test | `crates/luksbox-core/src/key.rs` |\n| Argon2id (default 256 MiB / 3 / 4) | Stretches passphrases; cost params bounded by parser to reject DoS attempts | `crates/luksbox-core/src/kdf.rs` |\n| FIDO2 hmac-secret (CTAP2 sec.6.5) | Hardware-backed unlock, wrap mode or direct mode | `crates/luksbox-fido2/` |\n| TPM 2.0 sealed KEK (Linux) | Bind a vault to the local chip; optional PIN; fused TPM+FIDO2 mode | `crates/luksbox-tpm/` |\n| ML-KEM-768 / ML-KEM-1024 (FIPS 203) | Post-quantum half of every hybrid keyslot; classical+PQ mixed via HKDF | `crates/luksbox-pq/` |\n| Per-chunk AAD (`file_id || chunk_index || generation`) | Detects chunk substitution, position swap, and replay of older chunks at the same position | `crates/luksbox-vfs/src/chunk.rs` |\n| Detached header sidecar (`.hdr`) | Vault file alone is opaque random, no magic, no version, no keyslots | `crates/luksbox-format/src/container.rs` |\n| Anchor sidecar (`.anchor`) | External rollback detection via MVK-keyed HMAC over a generation counter | `crates/luksbox-format/src/anchor.rs` |\n| Lock-before-read open | Concurrent enrolls / revokes can't race on the keyslot table | `crates/luksbox-format/src/container.rs::open` |\n| Post-lock path-inode re-stat | Catches narrow open-then-rename TOCTOU swaps with `Error::PathSubstituted` | `crates/luksbox-format/src/container.rs::verify_path_inode` |\n| Atomic temp + rename + parent-dir fsync | All sidecar writes survive power loss; works on POSIX (`fsync` on dir handle) and Windows (`FILE_FLAG_BACKUP_SEMANTICS` + `FlushFileBuffers`) | `crates/luksbox-core/src/file_util.rs` |\n| `O_NOFOLLOW` on plaintext extraction | `luksbox get` refuses pre-existing symlink destinations to defeat attacker-staged symlink-target overwrites | `crates/luksbox-core/src/file_util.rs::secure_create_or_truncate` |\n| `memfd_secret(2)` for the unlocked MVK on Linux 5.14+ | Excludes the MVK from coredumps and hibernate images; `mlock` + `Zeroize` fallback elsewhere | `crates/luksbox-core/src/secret_box.rs` |\n| Workspace-wide `Zeroizing` audit on every secret-bearing intermediate | AEAD plaintext, HKDF I/O, ML-KEM shared, CLI/GUI PIN copies all scrub on drop | covered across `luksbox-core`, `luksbox-pq`, `luksbox-tpm`, `luksbox-cli` |\n\nThe full attack matrix (defended vs not defended) is at\n\u003chttps://luksbox.penthertz.com/docs/security/threat-model/\u003e.\n\n---\n\n## Quick start\n\n```bash\n# Create a vault (defaults: AES-256-GCM-SIV, Argon2id interactive)\nluksbox create my-vault.lbx\n\n# Mount it on a drive letter / mountpoint\nluksbox mount my-vault.lbx /mnt/v       # Linux/macOS\nluksbox mount my-vault.lbx Z:           # Windows\n\n# Add a FIDO2 hardware factor\nluksbox enroll my-vault.lbx --kind fido2\n\n# Add a TPM 2.0 keyslot bound to this machine (Linux)\nluksbox enroll my-vault.lbx --kind tpm2\n\n# Hybrid post-quantum: needs a separate `.kyber` seed file\nluksbox create my-vault.lbx --kind hybrid-pq \\\n    --pq-hybrid /media/usb/my.kyber\n\n# v3 format: no per-vault size ceiling (default v2 caps around 10 GiB).\n# Old LUKSbox binaries refuse v3 vaults -- opt in only when you need\n# bigger vaults than the v2 default can hold.\nluksbox create my-vault.lbx --format v3\n\n# Migrate an existing v2 vault to v3 (source untouched)\nluksbox migrate-to-v3 old-v2.lbx --dst new-v3.lbx\n\n# Interactive walkthrough, no flags to remember\nluksbox wizard\n```\n\nThree interfaces, one on-disk format: the `luksbox` CLI for scripts,\nthe `luksbox wizard` interactive TUI, and the `luksbox-gui` desktop\napplication. See \u003chttps://luksbox.penthertz.com/docs/\u003e for per-flow\nwalkthroughs.\n\n---\n\n## Install\n\n| Platform | Method |\n|---|---|\n| Debian / Ubuntu / Mint | `.deb` from [Releases](https://github.com/penthertz/LUKSbox/releases), `sudo apt install ./luksbox_*_amd64.deb` |\n| Fedora / RHEL / Rocky | `.rpm` from Releases, `sudo dnf install ./luksbox-*.x86_64.rpm` |\n| macOS | `.dmg` from Releases, drag to /Applications, install macFUSE on first run |\n| Windows | `LUKSboxSetup.exe` from Releases (bundles WinFsp); IT admins can use the bare `.msi` and install WinFsp separately |\n| From source | `cargo build --release -p luksbox-cli -p luksbox-gui` after the deps in [`BUILDING.md`](BUILDING.md) |\n\nThe `.deb` and `.rpm` packages now Recommend `tpm-udev` + `tpm2-tools`\n(Debian / Ubuntu) and `tpm2-tss` + `tpm2-tools` (Fedora / RHEL /\nopenSUSE), so installing them via `apt` / `dnf` brings the\n`/dev/tpm*` udev rules and the `tss` system group along for the ride.\nAfter install you still need to add yourself to the group once and\nlog back in, that is the Debian / Fedora convention for any package\nthat grants new device access:\n\n```bash\nsudo usermod -aG tss \"$USER\"\n# log out + log back in, then verify:\nid | tr , '\\n' | grep tss\n```\n\nThe Linux release tarball's `dist/install.sh --tpm-setup` does the\nsame thing for users who installed via tarball instead of `apt` /\n`dnf` and don't have `tpm-udev` / `tpm2-tss` already.\n\n---\n\n## Help find bugs\n\nLUKSbox is a young codebase. The cryptography rests on standardised\nprimitives and well-audited Rust libraries (RustCrypto, libfido2,\ntss-esapi), but the integration layer and the on-disk format are\nours. We **want** external eyes on this.\n\n### Run the fuzzers\n\nEvery parser that touches attacker-controlled bytes has a libFuzzer\nharness in [`fuzz/`](fuzz/) and an AFL++ harness in\n[`fuzz-afl/`](fuzz-afl/). PR CI runs each libFuzzer target for 5\nminutes on the persistent corpus; a dedicated server runs the AFL++\ncampaigns for hours per release.\n\n```bash\ncargo install cargo-fuzz\ncd fuzz\ncargo +nightly fuzz run header_parse -- -max_total_time=300\n```\n\nThe current target list (`header_parse`, `keyslot_parse`,\n`metadata_parse`, `hybrid_sidecar_parse`, `seed_file_parse`,\n`auth_then_process`, `header_roundtrip`, `winfsp_path_parse`,\n`webauthn_device_path`, `vfs_ops`) plus per-target invariants is in\n[`FUZZING.md`](FUZZING.md).\n\n### Add corpus seeds\n\nThe fastest way to push fuzzing further is dropping a real-world input\nfile into [`fuzz/corpus/\u003ctarget_name\u003e/`](fuzz/corpus/) and opening a\nPR. Examples that would help today:\n\n- Real headers from old vault layouts (V1 / V2) for `header_parse`\n- Authenticator-specific cred IDs (Google Titan, SoloKey stateless,\n  Trezor) for `keyslot_parse`\n- Edge-case Windows paths (UNC, network share, long path with\n  device-namespace prefix) for `winfsp_path_parse`\n- Truncated / extended `.hybrid` sidecars for `hybrid_sidecar_parse`\n\n### Add a new fuzz target\n\nIf a parser doesn't have a harness yet and you can imagine an attacker\nshaping its input, please add one. See the harness template in\n[`FUZZING.md`](FUZZING.md).\n\n### Suggest a regression test\n\nIf you spot a code path where invariants aren't tested but feel like\nthey should be, file a regular GitHub issue (label\n`security-regression`) with the invariant in plain English. We write\nthe test and credit the suggestion in the changelog.\n\n### Run the AFL++ campaign\n\n[`scripts/fuzz_server.sh`](scripts/fuzz_server.sh) runs an AFL++\ncampaign indefinitely against any target. If you have spare cycles\nand want to find something the libFuzzer 5-minute PR run misses, this\nis the lever.\n\n---\n\n## Reporting issues\n\n| Category | Channel | Priority |\n|---|---|---|\n| **Suspected vulnerability** (key recovery, plaintext disclosure, authentication bypass, FUSE/WinFsp escape, integer / memory unsafety reachable via a crafted vault file) | Email `security@penthertz.com` (PGP key in [`SECURITY.md`](SECURITY.md)). 72-hour acknowledgement SLA. **Do not** open a public issue. | **P0**, fix + advisory + coordinated disclosure |\n| **Crash on a malformed input** that you can reproduce | GitHub issue with the input file attached and the crashing target name. Use the `fuzz-crash` label. | **P1**, reproducer + regression test in next release |\n| **Functional bug** (CLI/GUI/wizard misbehaviour, mount problem, recovery-flow gap, on-disk format edge case) | GitHub issue with reproduction steps. Use the `bug` label. | **P2**, triaged within a week |\n| **Documentation issue** (wrong claim, missing instruction, broken link, unclear wording) | GitHub issue or PR. Use the `docs` label. | **P3**, fixed in the next docs pass |\n| **Feature request** | GitHub issue. Use the `feature` label. State your threat model so we can decide whether it fits the project's scope. | **P3**, discussed; may end up on the [roadmap](docs/TPM_FUTURE_IMPROVEMENTS.md) or declined with reason |\n| **Audit assignment** (you want a scoped mandate to review a specific surface) | Email `security@penthertz.com`. We hand you a focused scope (e.g. unsafe Rust in the FIDO2 FFI, CLI argument parser, FUSE adapter) plus a write-up template. | scheduled |\n\nSuspected vulnerabilities take priority over everything else. We\nrespond within 72 hours and credit reporters in the public changelog\n+ in any advisory we publish.\n\n---\n\n## Repository layout\n\n```mermaid\nflowchart LR\n    Root[\"luksbox/\"]\n    Root --\u003e Crates[\"crates/\u003cbr/\u003e(Rust workspace)\"]\n    Root --\u003e Fuzz[\"fuzz/\u003cbr/\u003ecargo-fuzz (libFuzzer)\"]\n    Root --\u003e FuzzAfl[\"fuzz-afl/\u003cbr/\u003ecargo-afl (AFL++)\"]\n    Root --\u003e Assets[\"assets/\u003cbr/\u003erepo branding\"]\n    Root --\u003e Dist[\"dist/\u003cbr/\u003epackaging + install.sh\"]\n    Root --\u003e Scripts[\"scripts/\u003cbr/\u003erelease, fuzz, audit\"]\n    Root --\u003e Docs[\"docs/\u003cbr/\u003espec, architecture, side-channels\"]\n    Root --\u003e Top[\"top-level .md files\"]\n\n    Crates --\u003e Core[\"luksbox-core\u003cbr/\u003ecrypto primitives + on-disk header\"]\n    Crates --\u003e Format[\"luksbox-format\u003cbr/\u003econtainer I/O, anchor, hybrid sidecar\"]\n    Crates --\u003e Vfs[\"luksbox-vfs\u003cbr/\u003edirectory tree atop a Container\"]\n    Crates --\u003e Fido2[\"luksbox-fido2\u003cbr/\u003elibfido2 + webauthn FFI\"]\n    Crates --\u003e Tpm[\"luksbox-tpm\u003cbr/\u003eLinux TPM 2.0 wrap/unwrap\"]\n    Crates --\u003e Pq[\"luksbox-pq\u003cbr/\u003eML-KEM-768/1024 + .kyber\"]\n    Crates --\u003e Mount[\"luksbox-mount\u003cbr/\u003eFUSE3, FUSE-T, WinFsp\"]\n    Crates --\u003e Cli[\"luksbox-cli\u003cbr/\u003eluksbox binary + wizard TUI\"]\n    Crates --\u003e Gui[\"luksbox-gui\u003cbr/\u003eluksbox-gui egui desktop app\"]\n\n    Top --\u003e Building[\"BUILDING.md\"]\n    Top --\u003e Devel[\"DEVELOPMENT.md\"]\n    Top --\u003e Fuzzing[\"FUZZING.md\"]\n    Top --\u003e Testing[\"TESTING.md\"]\n    Top --\u003e Security[\"SECURITY.md\"]\n    Top --\u003e Trademark[\"TRADEMARK.md\"]\n    Top --\u003e License[\"LICENSE / NOTICE\"]\n```\n\n---\n\n## Documentation\n\nThe full documentation lives at \u003chttps://luksbox.penthertz.com/\u003e:\n\n| Section | Contents |\n|---|---|\n| [Documentation hub](https://luksbox.penthertz.com/docs/) | Install + per-flow walkthroughs (CLI / TUI / GUI) |\n| [Keyslots](https://luksbox.penthertz.com/docs/keyslots/) | Passphrase, FIDO2, TPM 2.0, hybrid post-quantum |\n| [Security](https://luksbox.penthertz.com/docs/security/) | Architecture (with diagrams), threat model, cryptography, tests, audit, disclosure |\n| [Compare](https://luksbox.penthertz.com/compare/) | LUKSbox vs LUKS2 / VeraCrypt / age / gocryptfs / Cryptomator / BitLocker / FileVault |\n| [FAQ](https://luksbox.penthertz.com/docs/faq/) | Cloud use, maturity, licensing, hardware support, recovery |\n\nIn-repo references for contributors:\n\n- [`SECURITY.md`](SECURITY.md), disclosure policy + threat model summary\n- [`BUILDING.md`](BUILDING.md), per-platform build instructions\n- [`TESTING.md`](TESTING.md), test taxonomy + how to run each tier\n- [`FUZZING.md`](FUZZING.md), fuzz harness setup + target list\n- [`DEVELOPMENT.md`](DEVELOPMENT.md), maintainer dev workflow + release process\n- [`docs/CRYPTO_SPEC.md`](docs/CRYPTO_SPEC.md), per-operation cryptographic walkthrough\n- [`docs/SECURITY_ARCHITECTURE.md`](docs/SECURITY_ARCHITECTURE.md), security architecture map (mirrors the website page)\n- [`docs/HARDWARE_SIDE_CHANNEL_NOTES.md`](docs/HARDWARE_SIDE_CHANNEL_NOTES.md), published side-channel attacks against FIDO2 silicon\n- [`docs/TPM_LINUX_PERMISSIONS.md`](docs/TPM_LINUX_PERMISSIONS.md), end-user playbook for `/dev/tpmrm0` access\n- [`docs/PROJECT_OVERVIEW.md`](docs/PROJECT_OVERVIEW.md), project overview + comparison vs LUKS2 / VeraCrypt\n- [`docs/TPM_FUTURE_IMPROVEMENTS.md`](docs/TPM_FUTURE_IMPROVEMENTS.md), TPM roadmap (Windows TBS, PCR sealing)\n\n---\n\n## License\n\nSource code is licensed under the\n[Apache License, Version 2.0](LICENSE). LUKSbox is **OSI-approved\nopen source**: read the source, audit the cryptography, build it\nyourself, modify it, redistribute it, and use it in any product\nincluding commercial offerings that compete with LUKSbox. The Apache\n2.0 grant includes an explicit patent license from every contributor,\nwhich matters for a cryptography project.\n\nWhat's explicitly NOT granted by the copyright license is the right\nto use the LUKSbox or Penthertz **trademarks** in your derived work;\nsee [TRADEMARK.md](TRADEMARK.md). You can fork the code and ship it;\nyou cannot call your fork \"LUKSbox\" or imply endorsement by Penthertz.\n\nThe [NOTICE](NOTICE) file contains the attribution that downstream\nredistributors must propagate (per the license's Notices section).\n\nThe [DISCLAIMER](DISCLAIMER.md) restates the no-warranty / no-liability\nclauses (LICENSE sections 7 and 8), the data-loss reality of any\nencrypted container, and the export-control responsibility, in plain\nEnglish. Read it once before relying on LUKSbox to protect material\ninformation.\n\n---\n\n## Author\n\nMaintained by **Sébastien Dudek**, Penthertz\n([penthertz.com](https://penthertz.com),\n[@PentHertz](https://x.com/PentHertz),\n`security@penthertz.com`).\nSee [`SECURITY.md`](SECURITY.md) sec.1 for the responsible-disclosure flow.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpenthertz%2Fluksbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpenthertz%2Fluksbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpenthertz%2Fluksbox/lists"}