Skip to content
/ rsecure Public

Secure file encryption using pure Rust and AES πŸ”’

License

GPL-3.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

containerscrew/rsecure

BranchesTags

Repository files navigation

rsecure

rsecure is a simple and secure command-line tool for AES-GCM file encryption and decryption, built in pure Rust. Ideal for protecting sensitive files, backups, and personal data.

Keep It Simple Stupid

GitHub code size in bytes GitHub last commit GitHub issues GitHub pull requests GitHub Repo stars GitHub watchers License Crates.io AUR Version Crates.io Total Downloads GitHub Releases Downloads

example

Installation

curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/rsecure/main/install.sh | sh

Specific version:

curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/rsecure/main/install.sh | sh -s -- -v "0.3.0"

Note

The installation script automatic detects your OS and ARCH and install the correct binary for you (rpm, deb, apk or just a binary in /usr/local/bin). In alpine, install the package apk add gcompat sine the binary is built with glibc and alpine uses musl.

AUR (Arch Linux)

paru -S rsecure # or yay -S rsecure

Homebrew

brew tap containerscrew/tap
brew install --cask rsecure

Warning

Since this binary is not signed by the Apple ecosystem, you will need to run the following command to allow it to run on your system.

xattr -d com.apple.quarantine /opt/homebrew/bin/rsecure

If you still have issues running the binary, I recommend using the cargo installation method or downloading the binary from the releases page. Use the first method (installing via curl and the install.sh script).

Using cargo

cargo install rsecure
cargo install rsecure@0.3.3 # specific version

Local build

git clone https://github.com/containerscrew/rsecure.git
cd rsecure
cargo build --release
sudo cp ./target/release/rsecure /usr/local/bin/

Usage

Commands

Command Description
rsecure create-key -o /mnt/myusb/rsecure.key Generate a new AES-256 key and save it to a file
openssl rand -out /mnt/myusb/rsecure.key 32 Alternative: generate a random 256-bit key using OpenSSL
rsecure encrypt -p /mnt/myusb/rsecure.key -s /tmp/mydirectory/text_to_encrypt.txt Encrypt a single file (.enc file is created in the same directory)
rsecure encrypt -p /mnt/myusb/rsecure.key -s /tmp/mydirectory/files/ Encrypt all files in a directory
rsecure decrypt -p /mnt/myusb/rsecure.key -s /tmp/mydirectory/text_to_encrypt.txt.enc Decrypt a single encrypted file
rsecure decrypt -p /mnt/myusb/rsecure.key -s /tmp/mydirectory/files/ Decrypt all files in a directory
rsecure encrypt -r -p /mnt/myusb/rsecure.key -s /tmp/rsecure/dirtoencrypt/ Encrypt and remove original files (plain text)
rsecure encrypt -p /mnt/myusb/rsecure.key -s /tmp/rsecure/dirtoencrypt -e '.git' Encrypt all files in a directory excluding .git/ files

Warning

Saving the key in the same local filesystem where you save the encrypted files is not a good idea. Save the key in a secure location, like a USB drive or a password manager. Or just save it in a root owned directory with strict permissions (will require sudo to use it).

Something like:

sudo rsecure encrypt -p /root/rsecure.key -s /home/dcr/Documents/PrivateDocuments -r

rsecure must be in a PATH directory where root user can execute it. Which means, if you installed it using cargo, you need to add ~/.cargo/bin to the PATH variable in the root user environment. Or just copy the binary to /usr/local/bin/ or any other directory in the PATH.

Important

By default, rsecure will not delete the source plain files after encryption to avoid data loss. If you want to delete the source files after encryption, use -r flag.

Local dev

Testing encryption and decryption:

mkdir -p /tmp/rsecure/dirtoencrypt
touch /tmp/rsecure/filetoencrypt.txt
echo 'please, hack me!' > /tmp/rsecure/filetoencrypt.txt
for i in {1..10}; do
    head -c 100 /dev/urandom | base64 > /tmp/rsecure/dirtoencrypt/file_$i.txt
done
mkdir /tmp/rsecure/dirtoencrypt/.git/
touch /tmp/rsecure/dirtoencrypt/.git/ignoreme.txt
touch /tmp/rsecure/dirtoencrypt/.git/notthisfile.txt
rsecure create-key -o ~/.keys/rsecure.key
rsecure encrypt -p ~/.keys/rsecure.key -s /tmp/rsecure/filetoencrypt.txt
rsecure decrypt -p ~/.keys/rsecure.key -s /tmp/rsecure/filetoencrypt.txt.enc
#
rsecure encrypt -p ~/.keys/rsecure.key -s /tmp/rsecure/dirtoencrypt/
rsecure decrypt -p ~/.keys/rsecure.key -s /tmp/rsecure/dirtoencrypt/
rsecyre encrypt -p ~/.keys/rsecure.key -s /tmp/rsecure/dirtoencrypt/ -e '.git'

TODO

  • Current logic reads every file into memory before encrypting it, which is not good for large files. I need to implement a streaming encryption and decryption logic to handle large files without consuming too much memory. Also take a look to implement parallel encryption and decryption to speed up the process.
  • Share my public GPG key to verify the integrity of the binary releases

License

rsecure is distributed under the terms of the GPL3 license.

About

Secure file encryption using pure Rust and AES πŸ”’

Topics

rust cli security cryptography privacy aes-gcm crates-io crypto-library data-protection file-encryption aur-package

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

0.3.5 Latest
Feb 28, 2026
+ 3 releases

Contributors

Languages