silicoflare/confidant
1
0
Fork 0
mirror of https://github.com/silicoflare/confidant.git synced 2026-05-26 20:48:01 +05:30
Code Issues Packages Projects Releases Wiki Activity

feat: modify init script and README

Browse Source
This commit is contained in:
Suraj B M
2024-09-30 23:05:18 +05:30
parent 5ea1746380
commit 6c896ef108
2 changed files with 76 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
README.md
View File

@@ -1,31 +1,53 @@
# Confidant # Confidant
## Table of Contents ## Table of Contents
1. [Introduction](#introduction) 1. [Introduction](#introduction)
2. [Installation](#installation) 2. [Security](#security)
3. [Installation](#installation)
a. [Linux](#linux) a. [Linux](#linux)
b. [Windows](#windows) b. [Windows](#windows)
c. [MacOS](#macos) c. [MacOS](#macos)
3. [Usage](#usage) 4. [Usage](#usage)
4. [Build from source](#build-from-source) 5. [Build from source](#build-from-source)
6. [Disclaimer](#disclaimer)
--- ---
## Introduction ## Introduction
Confidant is a CLI tool used to create a triple-layer protected vault, written in TypeScript. It makes use of a combination of ECDH, AES256 and HMAC-SHA256 to create the vault, which can be acessible only if 3 particular files, namely `data.con`, `key.fid` and `vault.ant` (and a `config.toml`), are present. It also requires a password to start the decryption process. In case the password is lost, the vault can be recovered using the recovery phrase, which is a 12-word phrase that is generated during the vault creation process.
Confidant is a CLI tool used to create a triple-layer protected vault, written in TypeScript. It makes use of a combination of ECDH, AES256, PBKDF2 and HMAC-SHA256 to create the vault, which can be acessible only if 2 particular files, namely `dirname.vault` and `dirname.key`, are present. It also requires a password to start the decryption process. In case the password is lost, the vault can be recovered using the recovery phrase, which is a 12-word phrase that is generated during the vault creation process.
---
## Security
The vault has several layers of security to ensure that the contents are safe. The following are the security measures taken:
1. **ECDH**: The vault is encrypted using the ECDH algorithm, which is a key exchange algorithm. The key is generated using the `secp256k1` curve.
2. **AES256**: The vault is encrypted using the AES256 algorithm, which is a symmetric encryption algorithm. The key is generated using the ECDH algorithm.
3. **PBKDF2**: The password is hashed using the PBKDF2 algorithm, which is a key derivation function. This ensures that the password is not stored in plain text.
4. **HMAC-SHA256**: The keys are encrypted using the HMAC-SHA256 algorithm, which is a hash-based message authentication code. This ensures that the keys are unique and cannot be tampered with.
---
## Installation ## Installation
### Linux ### Linux
1. Download the latest release from the releases page. 1. Download the latest release from the releases page.
2. Give it executable permissions by running `chmod +x confidant`. 2. Give it executable permissions by running `chmod +x confidant`.
3. Move it to a directory in your PATH, like `/usr/local/bin`. 3. Move it to a directory in your PATH, like `/usr/local/bin`.
4. Run `confidant --help` to verify the installation. 4. Run `confidant --help` to verify the installation.
### Windows ### Windows
1. Download the latest release from the releases page. 1. Download the latest release from the releases page.
2. Move it to a directory in your PATH. 2. Move it to a directory in your PATH.
3. Run `confidant --help` to verify the installation. 3. Run `confidant --help` to verify the installation.
### MacOS ### MacOS
1. Download the latest release from the releases page. 1. Download the latest release from the releases page.
2. Give it executable permissions by running `chmod +x confidant`. 2. Give it executable permissions by running `chmod +x confidant`.
3. Move it to a directory in your PATH, like `/usr/local/bin`. 3. Move it to a directory in your PATH, like `/usr/local/bin`.
@@ -34,29 +56,67 @@ Confidant is a CLI tool used to create a triple-layer protected vault, written i
--- ---
## Usage ## Usage
### Create a new vault ### Create a new vault
To create a new vault, run the following command: To create a new vault, run the following command:
```bash ```bash
confidant init confidant init
``` ```
This will show a list of directories in your current directory. Select the directory where you want to create the vault. Also specify a password to encrypt the vault. The recovery phrase will be shown after the vault is created. Save it in a safe place. The following files will be created:
- `data.con`: Primary key This will show a list of directories in your current directory. Select the directory where you want to create the vault. Also specify a password to encrypt the vault. The recovery phrase will be shown after the vault is created. Save it in a safe place. Assuming the selected directory is `dirname`, the following files will be created:
- `key.fid`: Secondary key
- `vault.ant`: Encrypted vault - `dirname.vault`: Vault file
- `config.toml`: Configuration file - `dirname.key`: Key file
- `.gitignore`: To ignore the vault files - `dirname_recovery.txt`: Recovery phrase
After this, you can push the vault files to a remote repository. The `.gitignore` file will make sure the key files are not pushed to the repository. Make sure to never store the key files in the same place as the vault files. - `.gitignore`: To ignore the key files
After this, you can push the vault files to a remote repository. The `.gitignore` file will make sure the key files are not pushed to the repository. Make sure to never store the key files in the same place as the vault files.
### Decrypt a vault ### Decrypt a vault
To decrypt a vault, run the following command: To decrypt a vault, run the following command:
```bash ```bash
confidant decrypt confidant decrypt
``` ```
Make sure all the files `data.con`, `key.fid` and `vault.ant` are present in the current directory. Also make sure you have the password and the recovery phrase. The vault will be decrypted and the contents will be shown.
Make sure the files `dirname.vault` and `dirname.key` are present in the current directory. Also make sure you have the password. The vault will be decrypted and the contents will be shown.
### Encrypt a vault ### Encrypt a vault
To encrypt a vault, run the following command: To encrypt a vault, run the following command:
```bash ```bash
confidant encrypt confidant encrypt
``` ```
Make sure the files `data.con`, `key.fid` and `vault.ant` are present in the current directory. The vault will be encrypted and the files will be updated, after which you can move them to a safe place.
Make sure the file `dirname.vault` is present in the current directory. The vault will be encrypted and the files will be updated, after which you can move them to a safe place. The key file is not required to encrypt the vault.
### Change password
To change the password of a vault, run the following command:
```bash
confidant reset
```
Make sure the files `dirname.vault` and `dirname.key` are present in the current directory. The recovery string that was generated during the vault creation process will be required. The password will be changed and the files will be updated.
---
## Build from source
To build the project from source, follow the steps below:
1. Clone the repository.
2. Run `bun install` to install the dependencies.
3. Run `bun run init` to create an `env.ts` file.
4. Modify the `env.ts` to include a unique `AUTH_KEY` and `PHRASE`.
5. Run `bun run build` to compile the project into executables for Windows, MacOS and Linux.
---
## Disclaimer
This project is built with the [Kerckhoff's Principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle) in mind. The security of the vault is based on the secrecy of the key files and the password. Make sure to store the key files and the password in a safe place. The recovery phrase is the only way to recover the vault in case the password is lost. Make sure to store the recovery phrase in a safe place as well. The author is not responsible for any loss of data due to misuse of the tool.

3
scripts/init.ts
View File

@@ -8,9 +8,6 @@ const env = {
// Re-run to get a new value // Re-run to get a new value
AUTH_KEY: "${stringy(randomBytes(32))}", AUTH_KEY: "${stringy(randomBytes(32))}",
// Re-run to get a new value
AUTH_SALT: "${stringy(randomBytes(64))}",
// Can be literally anything! // Can be literally anything!
PHRASE: "May the Force be with you!", PHRASE: "May the Force be with you!",
} }