Utility to help with secure data erasure
Go to file
2022-08-24 18:50:02 +00:00
.vscode initial commit 2020-12-19 00:25:49 -06:00
rinseoff switch to dotnet 5.0 2020-12-29 08:42:35 +00:00
rinseoffcli option to read from stdin when loading data 2020-12-30 07:15:33 +00:00
tests switch to dotnet 5.0 2020-12-29 08:42:35 +00:00
.gitignore initial commit 2020-12-19 00:25:49 -06:00
LICENSE.txt added license and readme 2020-12-21 08:14:27 +00:00
README.md Clarify readme 2022-08-24 18:50:02 +00:00

RinseOff

RinseOff is a simple CLI utility written in C# to store data to a file and encrypt it using a keyfile.

The name doesn't make a lot of sense, but it means you can "rinse" your data off by just overwriting a 32 byte key file instead of the normal "scrub" process of 1 or more passes over many files.

It is mainly intended for scripts/apps to use. In the future I may make a FUSE wrapper so users can drop files into it.

Internally it uses libsodium's secretbox and stores a unique nonce alongside the 32 byte key. The key is meant to be stored on a volatile or rotational disk.

Build

Build a standalone binary (change runtime based on system):

$ dotnet publish -p:PublishSingleFile=true --self-contained --runtime linux-x64

The binary will be somewhere like bin/Debug/[dotnet version]/[runtime version]/publish/rinseoffcli

You can make a smaller binary by not bundling the runtime.

Or you can just "run" the project file: $ dotnet run --project rinseoffcli

Usage

Generate your key file

$ rinseoffcli keygen /path/to/key

Store your key somewhere it can be securely erased (not flash storage if you can help it) security.stackexchange.com/a/62591

Be sure to make it accessible only to your user.

Encrypt your data

$ rinseoffcli store /path/to/output /path/to/key

Then input the data to store through stdin.

Load your data

$ rinseoffcli load /path/to/stored/data /path/to/key

If the key is valid, the plaintext will be outputted through stdout. if data path is "stdin" it will be read from pipe according

Securely erase data

$ shred /path/to/key $ rm /path/to/datafile

Warnings:

The point of this utility is to help with defense in depth and to be better than nothing.

This does not hold up to serious data recovery experts who could quite possibly recover your key file

If the OS pages or swaps your plaintext or duplicates your key, you are probably doomed.