hakavlad/tird

GitHub: hakavlad/tird

一款通过 PURB 格式与隐写文件系统隐藏加密数据的轻量级加密工具,聚焦最小元数据与抗胁迫。

Stars: 20 | Forks: 2

🏠 首页    📑 规范    📜 手册页    📄 输入选项    📖 教程    ❓ 常见问题    📥 安装

![Logo: random data visualization](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/bbfec5f114105136.png) # `tird` & `tirdFS` [![Releases](https://img.shields.io/github/v/release/hakavlad/tird?color=blue&label=Release)](https://github.com/hakavlad/tird/releases) [![PyPI](https://img.shields.io/pypi/v/tird?color=blue&label=PyPI)](https://pypi.org/project/tird/) `tird` /tɪrd/ *(an acronym for "this is random data")* is a file encryption tool that minimizes metadata and hides encrypted data. With `tird`, you can: 1. Create files filled with random data to use as containers or keyfiles. 2. Overwrite the contents of block devices and regular files with random data to prepare containers or destroy residual data. 3. Encrypt file contents and comments with keyfiles and passphrases. The encrypted data format (cryptoblob) is a [padded uniform random blob (PURB)](https://en.wikipedia.org/wiki/PURB_(cryptography)): it looks like random data and has a randomized size. This reduces metadata leakage from file format and length and allows cryptoblobs to be hidden among random data. 4. Create [steganographic](https://en.wikipedia.org/wiki/Steganography) (hidden, undetectable) user-driven filesystems (`tirdFS`) inside container files and block devices. Unlike [VeraCrypt](https://veracrypt.fr) and [Shufflecake](https://shufflecake.net/), `tirdFS` containers do not contain headers; the user specifies the data locations inside the container and is responsible for keeping those locations separate. Any random-looking region of a file or block device may be used as a container. 5. Prevent fast access to decrypted data using time-lock encryption. `tird` offers built-in [plausible deniability](https://en.wikipedia.org/wiki/Plausible_deniability), even when encrypted files are stored outside containers. It also helps resist [coercive](https://en.wikipedia.org/wiki/Coercion) [key-disclosure](https://en.wikipedia.org/wiki/Key_disclosure_law) attacks ([rubber-hose cryptanalysis](https://en.wikipedia.org/wiki/Deniable_encryption), [xkcd 538](https://xkcd.com/538/)). 🔜 Format stabilization and a formal specification are planned for v1.0.0. ## 目标 - 🛡️ **File protection:** Ensure protection of individual files, including: - Authenticated symmetric encryption. - Minimizing metadata leakage. - Resisting coercive attacks. - ⚓ **Stable format:** Ensure a stable encrypted-data format with no [cryptographic agility](https://en.wikipedia.org/wiki/Cryptographic_agility) for long-term storage. - ⚪ **Simplicity:** Ensure simplicity and avoid [feature creep](https://en.wikipedia.org/wiki/Feature_creep); refuse to implement features not directly related to the primary security goals. ## 特性 - [x] **PURB-format encrypted blobs:** randomized size and uniformly random contents; metadata-limited (only total size leaks — no headers, types, or plaintext hints). - [x] **Padded and encrypted comments:** no plaintext hints about content. - [x] **Hidden data embedding (optional):** conceal cryptoblobs inside random/encrypted containers for plausible deniability. - [x] **Time-lock encryption (optional):** slow offline PoW-based key derivation to delay decryption (anti-coercion). - [x] **Robust authenticated encryption**: fully committing, quantum-safe ChaCha20-BLAKE2b AEAD. - [x] **Strong key stretching:** Argon2id (libsodium "sensitive" profile) — 1 GiB memory, 1 lane, 4 passes (default and minimum). - [x] **Arbitrary key material:** derive keys from passphrases, files, block devices, or directories — order does not matter. - [x] **Prompt-based CLI:** intuitive and interactive, no flags to memorize. - [ ] \[TODO] **Stable, documented format:** planned for long-term archival and interoperability. ## 用法 You don't need to memorize command-line options to use `tird`. This tool features a prompt-based CLI: simply start it, select a menu option, and answer the questions that will follow. ``` $ tird MENU ——————————————————————————————————————————— 0. Exit 1. Info & Warnings 2. Encrypt 3. Decrypt 4. Embed 5. Extract 6. Encrypt & Embed 7. Extract & Decrypt 8. Create w/ Random 9. Overwrite w/ Random ——————————————————————————————————————————— A0. SELECT AN OPTION [0-9]: ``` ## 输入选项 There are 4 groups of input options: A (Action), D (Data), K (Keys), P (Proceed). They are numbered for ease of description. ``` +——————————————————————+————————————————————————+ | A0. SELECT AN OPTION | A. Select an action | +——————————————————————+————————————————————————+ | D1. INPUT FILE PATH | | | D2. COMMENTS | D. Enter data, | | D3. OUTPUT FILE PATH | data location, | | D4. OUTPUT FILE SIZE | data size | | D5. START POSITION | | | D6. END POSITION | | +——————————————————————+————————————————————————+ | K1. KEYFILE PATH | K. Enter values | | K2. PASSPHRASE | related to | | K3. TIME COST | key derivation | +——————————————————————+————————————————————————+ | P0. PROCEED? | P. Confirm to continue | +——————————————————————+————————————————————————+ ``` A detailed description of these options with examples can be found [here](https://github.com/hakavlad/tird/blob/main/docs/input_options/README.md). ## 有效载荷 The payload that will be encrypted during cryptoblob creation consists of: - **Contents of one file (optional):** A regular file or a block device (entire disk/partition). If omitted, an empty file payload is encrypted. - **Comments (optional):** Arbitrary UTF‑8 string, up to 1 KiB. By default, the input file name is used. Decrypted comments are shown upon decryption. Specifying the payload in the UI looks as follows: ``` D1. FILE TO ENCRYPT (OPT): files.zip I: path: 'files.zip'; size: 2,824,230,648 B (2.6 GiB) D2. COMMENTS (DEFAULT='files.zip'): The X-Files, zip (секретные материалы) I: comments will be shown as ['The X-Files, zip (секретные материалы)'] ``` ## 输入密钥材料 `tird` provides the option to use the contents of keyfiles and a passphrase to derive one-time keys. - **Keyfiles (optional):** Zero, one, or multiple keyfile paths; order of inputs does not matter. A keyfile path may be: - A regular file. The contents of the keyfile will be hashed, and its digest will be used for further key stretching and key derivation. - A block device. Handled the same as a regular keyfile: contents will be hashed. - A directory. All files within the directory will be hashed and used as keyfiles. - **Passphrase (optional):** Up to 2048 bytes after Unicode [normalization](https://www.unicode.org/reports/tr15/) (form C); may be omitted. Specifying IKM in the UI looks as follows: ``` K1. KEYFILE PATH (OPT): key I: path: 'key'; size: 32 B I: reading and hashing contents of 'key' I: keyfile accepted K1. KEYFILE PATH (OPT): K2. PASSPHRASE (OPT): K2. CONFIRM PASSPHRASE: I: passphrase accepted ``` ## 加密数据格式 - **PURB format**: - Data that looks random and contains no identifiable headers; it cannot be distinguished from random data without the corresponding keys. This property allows cryptoblobs to be hidden among other random data. - [Randomized size](https://en.wikipedia.org/wiki/Padding_(cryptography)#Randomized_padding): padding length is chosen uniformly between 0% and 25% of the unpadded cryptoblob size (equivalently, up to 20% of the final cryptoblob size). - **Comments** are padded (or truncated) to a fixed size of 1 KiB before encryption, fully concealing their original length. - **Bilaterally applied salts**: overwriting the beginning or the end of the cryptoblob (or storing an incomplete cryptoblob) makes successful decryption impossible.
 Show cryptoblob scheme ``` +————————————————————————————————————————————————————————+ | CSPRNG output: | | Salt for key stretching used with Argon2 (16 B) | +————————————————————————————————————————————————————————+ | ChaCha20 output: | | Encrypted pad_ikm (8 B) | +————————————————————————————————————————————————————————+ | CSPRNG/BLAKE2 output: | | Randomized padding (0-25% of the unpadded size) | | + MAC tag (32 B) | +————————————————————————————————————————————————————————+ | ChaCha20/BLAKE2 output: | | Encrypted payload file contents + MAC tags (0+ B) | +————————————————————————————————————————————————————————+ | ChaCha20/BLAKE2 output: | | Encrypted padded comments (1 KiB) + MAC tag (32 B) | +————————————————————————————————————————————————————————+ | CSPRNG output: | | Salt for pre‑hashing IKM used with BLAKE2 (16 B) | +————————————————————————————————————————————————————————+ ```
For more details, refer to the [specification](https://github.com/hakavlad/tird/blob/main/docs/SPECIFICATION.md). ## 低可观察性与最小化元数据 Loup Vaillant Michael Hayden |![](https://i.imgur.com/Oa3y3qg.jpeg)
Vs.
![](https://i.imgur.com/ArRAis1.jpeg)| |-| - PURB format: - Encrypted files look like random data. - Encrypted files have a randomized size: do not reveal the payload size. - Comments are constant-padded, do not reveal their size or existence. - Does not prove that the entered keys are incorrect. - Prompt-based CLI: no leakage of used options through shell history. - The output file path is user-defined and is not related to the input file path by default. - Optional: hiding encrypted data in containers. ## `tirdFS` — 用户驱动的隐写文件系统 `tird` employs a technique that is [described](https://en.wikipedia.org/wiki/List_of_steganography_techniques#Digital) as follows: You can encrypt files and embed cryptoblobs into containers starting at arbitrary positions. After writing the cryptoblob, you will need to remember its location in the container (the starting and ending positions), which will be used later to extract the cryptoblobs. In this way, you can create `tirdFS` — **hidden, headerless, user-driven file system** inside a container: - It is **hidden** because it is impossible to distinguish between random container data and cryptoblob data, as well as to determine the location of written cryptoblobs without knowing the positions and keys. - It is **headerless** because containers do not contain any headers; all data about cryptoblob locations must be stored separately by the user. - The starting position of the cryptoblob in the container is **user-defined**, and the **user must** store both the starting and ending positions separately from the container. This is why it is called a **user-driven file system**. `tirdFS` is not a *mounted* filesystem with internal metadata structures. It is a *user-managed* hidden storage model built from independently placed cryptoblobs. Any file, disk, or partition larger than the minimum cryptoblob size (1160 B) can be a valid container. Cryptoblobs can be embedded into any area. **Examples of Valid Containers include:** 1. Specially generated files with random data. 2. Disk areas containing random data. For example, you can overwrite a disk with random data, format it in FAT32 or exFAT, and use a large portion of the disk, leaving a few dozen MB from the beginning. The disk will appear empty unless you add some files to it. 3. [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) encrypted volumes. 4. VeraCrypt containers, even those that already contain hidden volumes. **Example of Container Structure:** ``` +—————————+—————————————+ <— Position 0 of the container | | | | | Random data | | | | | +—————————————+ <— Cryptoblob1 start position | Header- | | | less | Cryptoblob1 | | | | | Layer +—————————————+ <— Cryptoblob1 end position | | Random data | | Cake +—————————————+ <— Cryptoblob2 start position | | | | | Cryptoblob2 | | | | | +—————————————+ <— Cryptoblob2 end position | | Random data | +—————————+—————————————+ ``` **User-managed Header** Separate user-managed `tirdFS` text header might look like the following: ``` [100000000:100345765] secret_video.mp4 [100345765:234765345] various_secrets.zip [12654876456:14765345098] Epstein_files_part1.zip ``` That is, it should typically contain the location of each cryptoblob in the container plus a brief comment. However, the user is free to determine how to store positions and what to include in such a header. #### 嵌入可视化 The next image visualizes how hard it is to distinguish one random data entry from another and the process of embedding cryptoblobs in a container.
 Show Images
*Empty container with random data:* Container *One cryptoblob embedded in the container:* Embedded1 *Two cryptoblobs embedded in the container:* Embedded2 *Three cryptoblobs embedded in the container:* Embedded3 *Animation: visualization of embedding:* GIF: visualization of embedding
## 存储与传输隐藏加密数据 Kyle Rittenhouse Please look at the following screenshot. Screenshot It looks like this 16 GB volume contains only one 8.7 MiB file. Is it really true? Maybe yes, maybe no. The file system tells us that there is only one file here. But is there really only one file on the volume? We cannot determine this using the file system. In fact, data may be located outside the file system and be undetectable by file system tools. The 15.2 GiB of space marked as free may be occupied by a hidden file system. This "free" space may be taken up by hidden encrypted data. Can we disprove the existence of this data? Yes, for example, by examining the entropy level of this free space using `binwalk`. Low entropy indicates a likely absence of hidden data. High entropy *does not*, *by itself*, prove the presence of encrypted hidden data. Areas with high entropy can be either just residual data or hidden encrypted data. If you are interested in hiding data outside the visible file system, then `tird` is at your service to provide an Invisibility Cloak for your files. ## 时间锁加密 TLE image Time-lock encryption (TLE) can be used to prevent an adversary from quickly accessing plaintexts in the event of an IKM compromise (in case of user coercion, for example). In our implementation, it is actually a PoW-based time-lock key derivation. The "Time cost" input option specifies the number of Argon2 passes. If you specify a sufficiently high number of passes, it will take a significant amount of time to perform them. However, an attacker will require the same amount of time when using similar hardware. The execution of Argon2 cannot be accelerated through parallelization, so it is expected that the time spent by an attacker will be approximately the same as that spent by the defender. This TLE implementation works offline, unlike [tlock](https://github.com/drand/tlock). Set the desired `TIME COST` value: ``` K3. TIME COST (DEFAULT=4): 1000000 I: time cost: 1,000,000 W: decryption will require the same "TIME COST" value! ``` **Plausible TLE:** The adversary does not know the actual value of the time cost, so you can plausibly misrepresent the number of passes. The adversary cannot refute your claim until they attempt to decrypt the cryptoblob using the specified time cost value. ## 命令行选项 `tird` requires no command-line options for normal use. ``` $ tird --help tird v0.30.0 A tool for encrypting files and hiding encrypted data. Homepage: https://github.com/hakavlad/tird Usage: tird [--unsafe-debug] [--unsafe-decrypt] Start without options for normal usage. Options: --help print this help message and exit --unsafe-debug enable unsafe debug mode --unsafe-decrypt release plaintext even if MAC verification failed (dangerous) Examples: $ tird $ tird --unsafe-debug ``` ## 不安全调试模式 Start `tird` with the `--unsafe-debug` option to look under the hood while the program is running. Enabling debug mode additionally shows: - File operations: - Opening and closing of file descriptors. - Real paths to opened files. - Movement of file pointers. - Byte strings related to cryptographic operations: salts, passphrases, digests, keys, nonces, and tags. - Some other information, including various sizes. ## 不安全解密模式 In unsafe decrypt mode `tird` will release plaintext even if authentication fails. Use only if you prioritize availability over integrity, when you cannot successfully decrypt a cryptoblob in normal mode. ## 权衡与限制 - `tird` does not support: - [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography). - File compression. - ASCII armored output. - [Reed–Solomon error correction](https://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction). - Splitting the output into chunks. - Use of [standard streams](https://en.wikipedia.org/wiki/Standard_streams) for processing files (not intended for automated scripts). --level block device reading and writing on MS Windows. As a result, these devices cannot be used as keyfiles, cannot be overwritten, and cannot be encrypted or embedded. - `tird` does not provide: - A graphical user interface. - A password generator. - `tird` cannot handle (encrypt/embed) more than one file in one pass. Encryption of directories and multiple files is not supported. - `tird` does not sanitize filesystem metadata (atime, mtime, ctime). - `tird`'s encryption speed is not very high (up to 730 MiB/s in my tests on modern hardware). ## 要求 - Python >= 3.9.2 - [cryptography](https://pypi.org/project/cryptography/) >= 2.1 (provides `HKDF` and a fast `ChaCha20` implementation) - [PyNaCl](https://pypi.org/project/PyNaCl/) >= 1.2.0 (provides fast implementations of `Argon2` and `BLAKE2`) - [colorama](https://pypi.org/project/colorama/) >= 0.4.6 (Windows-specific) ## 文档 - 📜 `tird`(1) man page - 📑 Specification - 📄 Input Options - 📖 Tutorial/Demo - ❓ FAQ/Rationale - 📥 Installation ## 待办事项 Improve the documentation. ## 反馈 Please feel free to ask questions, leave feedback, or provide critiques in the [Discussions](https://github.com/hakavlad/tird/discussions) section.
标签:PURB, tird, tirdFS, 元数据最小化, 加密容器, 加密工具, 加密格式混淆, 块设备覆盖, 安全存储, 安全软件, 密钥文件, 开源加密, 操作系统检测, 数据销毁, 数据隐藏, 文件加密, 网络安全, 逆向工具, 随机数据, 隐写术, 隐私保护