Utility to help with secure data erasure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Kevin Froman 369b23811b option to read from stdin when loading data 10 months ago
.vscode initial commit 10 months ago
rinseoff switch to dotnet 5.0 10 months ago
rinseoffcli option to read from stdin when loading data 10 months ago
tests switch to dotnet 5.0 10 months ago
.gitignore initial commit 10 months ago
LICENSE.txt added license and readme 10 months ago
README.md option to read from stdin when loading data 10 months ago

README.md

RinseOff

RinseOff is a simple CLI utility written in C# to store data to a file and encrypt it using a keyfile.

The name doesn't make a lot of sense, but it means you can "rinse" your data off by just overwriting a 32 byte key file instead of the normal "scrub" process of 1 or more passes over many files.

It is mainly intended for scripts/apps to use. In the future I may make a FUSE wrapper so users can drop files into it.

Internally it uses libsodium's secretbox and stores a unique nonce alongside the 32 byte key.

Build

Build a standalone binary (change runtime based on system):

$ dotnet publish -p:PublishSingleFile=true --self-contained --runtime linux-x64

The binary will be somewhere like bin/Debug/[dotnet version]/[runtime version]/publish/rinseoffcli

You can make a smaller binary by not bundling the runtime.

Or you can just "run" the project file: $ dotnet run --project rinseoffcli

Usage

Generate your key file

$ rinseoffcli keygen /path/to/key

Store your key somewhere it can be securely erased (not flash storage if you can help it) security.stackexchange.com/a/62591

Be sure to make it accessible only to your user.

Encrypt your data

$ rinseoffcli store /path/to/output /path/to/key

Then input the data to store through stdin.

Load your data

$ rinseoffcli load /path/to/stored/data /path/to/key

If the key is valid, the plaintext will be outputted through stdout. if data path is "stdin" it will be read from pipe according

Securely erase data

$ shred /path/to/key $ rm /path/to/datafile

Warnings:

The point of this utility is to help with defense in depth and to be better than nothing.

This does not hold up to serious data recovery experts who could quite possibly recover your key file

If the OS pages or swaps your plaintext or duplicates your key, you are probably doomed.