enc_file 0.6.3

Password-based file encryption tool with a versioned header, AEAD, Argon2id KDF, and streaming mode. Library + CLI + GUI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

//! Streaming-focused integration tests that run against *both* algorithms.
//! Uses uniform KiB/MiB helpers.

use std::fs;
use std::io::{Read, Write};
use std::path::Path;

use enc_file::{AeadAlg, decrypt_file, encrypt_file};
use secrecy::SecretString;
use tempfile::tempdir;

// --- Size helpers (KiB/MiB) ---

const KIB: usize = 1024;
const MIB: usize = 1024 * 1024;

#[inline]
fn kib(n: usize) -> usize {
    n.saturating_mul(KIB)
}
#[inline]
fn mib(n: usize) -> usize {
    n.saturating_mul(MIB)
}

// --- Local helpers ---

fn write_blob(path: &Path, len: usize) {
    let mut data = vec![0u8; len];
    // Deterministic pseudo-random-ish content (good for repeatable tests)
    for (i, b) in data.iter_mut().enumerate() {
        *b = (i as u32).wrapping_mul(1664525).wrapping_add(1013904223) as u8;
    }
    fs::File::create(path).unwrap().write_all(&data).unwrap();
}

fn slurp(path: &Path) -> Vec<u8> {
    let mut v = Vec::new();
    fs::File::open(path).unwrap().read_to_end(&mut v).unwrap();
    v
}

/// Build streaming encryption options for the given algorithm.
/// Armor and other defaults can be toggled here if desired.
fn streaming_opts(alg: enc_file::AeadAlg) -> enc_file::EncryptOptions {
    enc_file::EncryptOptions {
        alg,
        stream: true,
        armor: false, // change to true if you want ASCII armor in streaming tests
        ..Default::default()
    }
}

#[test]
fn streaming_empty_file_both_algs() {
    let algs = [AeadAlg::XChaCha20Poly1305, AeadAlg::Aes256GcmSiv];

    for &alg in &algs {
        let dir = tempdir().unwrap();
        let infile = dir.path().join("in.bin");
        let enc = dir.path().join("out.enc");
        let back = dir.path().join("back.bin");

        write_blob(&infile, 0);
        let pw = SecretString::new("pw".into());

        encrypt_file(&infile, Some(&enc), pw.clone(), streaming_opts(alg)).unwrap();
        decrypt_file(&enc, Some(&back), pw).unwrap();

        assert_eq!(slurp(&infile), slurp(&back), "alg={alg:?}");
    }
}

#[test]
fn streaming_boundary_sized_both_algs() {
    let algs = [AeadAlg::XChaCha20Poly1305, AeadAlg::Aes256GcmSiv];

    for &alg in &algs {
        let dir = tempdir().unwrap();
        let infile = dir.path().join("in.bin");
        let enc = dir.path().join("out.enc");
        let back = dir.path().join("back.bin");

        // Size that should exercise final-frame boundaries
        let size = mib(1) + kib(64) + 7;
        write_blob(&infile, size);

        let pw = SecretString::new("pw".into());

        encrypt_file(&infile, Some(&enc), pw.clone(), streaming_opts(alg)).unwrap();
        decrypt_file(&enc, Some(&back), pw).unwrap();

        assert_eq!(slurp(&infile), slurp(&back), "alg={alg:?}");
    }
}

#[test]
fn streaming_roundtrip_large_both_algs() {
    let algs = [AeadAlg::XChaCha20Poly1305, AeadAlg::Aes256GcmSiv];

    for &alg in &algs {
        let dir = tempdir().unwrap();
        let infile = dir.path().join("in.bin");
        let enc = dir.path().join("out.enc");
        let back = dir.path().join("back.bin");

        write_blob(&infile, mib(2));
        let pw = SecretString::new("pw".into());

        encrypt_file(&infile, Some(&enc), pw.clone(), streaming_opts(alg)).unwrap();
        decrypt_file(&enc, Some(&back), pw).unwrap();

        assert_eq!(slurp(&infile), slurp(&back), "alg={alg:?}");
    }
}

#[test]
fn streaming_mid_body_tamper_fails_both_algs() {
    let algs = [AeadAlg::XChaCha20Poly1305, AeadAlg::Aes256GcmSiv];

    for &alg in &algs {
        let dir = tempdir().unwrap();
        let infile = dir.path().join("in.bin");
        let enc = dir.path().join("out.enc");
        let back = dir.path().join("back.bin");

        write_blob(&infile, kib(256));
        let pw = SecretString::new("pw".into());

        encrypt_file(&infile, Some(&enc), pw.clone(), streaming_opts(alg)).unwrap();

        // Tamper somewhere in the middle of the ciphertext body
        let mut ct = slurp(&enc);
        let mid = ct.len().saturating_div(2);
        let start = mid.saturating_sub(8);
        let end = (mid + 8).min(ct.len());
        for byte in &mut ct[start..end] {
            *byte ^= 0xA5;
        }

        fs::write(&enc, &ct).unwrap();

        let err = decrypt_file(&enc, Some(&back), pw).unwrap_err();
        assert!(matches!(err, enc_file::EncFileError::Crypto), "alg={alg:?}");
    }
}