Utility to help with secure data erasure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
kev 7f71f68907 Clarify readme 3 months ago
.vscode initial commit 2 years ago
rinseoff switch to dotnet 5.0 2 years ago
rinseoffcli option to read from stdin when loading data 2 years ago
tests switch to dotnet 5.0 2 years ago
.gitignore initial commit 2 years ago
LICENSE.txt added license and readme 2 years ago
README.md Clarify readme 3 months ago



RinseOff is a simple CLI utility written in C# to store data to a file and encrypt it using a keyfile.

The name doesn't make a lot of sense, but it means you can "rinse" your data off by just overwriting a 32 byte key file instead of the normal "scrub" process of 1 or more passes over many files.

It is mainly intended for scripts/apps to use. In the future I may make a FUSE wrapper so users can drop files into it.

Internally it uses libsodium's secretbox and stores a unique nonce alongside the 32 byte key. The key is meant to be stored on a volatile or rotational disk.


Build a standalone binary (change runtime based on system):

$ dotnet publish -p:PublishSingleFile=true --self-contained --runtime linux-x64

The binary will be somewhere like bin/Debug/[dotnet version]/[runtime version]/publish/rinseoffcli

You can make a smaller binary by not bundling the runtime.

Or you can just "run" the project file: $ dotnet run --project rinseoffcli


Generate your key file

$ rinseoffcli keygen /path/to/key

Store your key somewhere it can be securely erased (not flash storage if you can help it) security.stackexchange.com/a/62591

Be sure to make it accessible only to your user.

Encrypt your data

$ rinseoffcli store /path/to/output /path/to/key

Then input the data to store through stdin.

Load your data

$ rinseoffcli load /path/to/stored/data /path/to/key

If the key is valid, the plaintext will be outputted through stdout. if data path is "stdin" it will be read from pipe according

Securely erase data

$ shred /path/to/key $ rm /path/to/datafile


The point of this utility is to help with defense in depth and to be better than nothing.

This does not hold up to serious data recovery experts who could quite possibly recover your key file

If the OS pages or swaps your plaintext or duplicates your key, you are probably doomed.