Deniable Encryption Tool For Python

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).

About

This Deniable Encryption Tool uses custom AES-256 encryption with password-based access, no plaintext metadata, and no standard format, making it:

Incompatible with any other known tool.

Very resistant to detection or forensic scanning.

Only decryptable by someone who has this Python Deniable Encryption Tool and the correct password.

Setup

venv
pip install pycryptodome
pip install pqcrypto # optional for post-quantum support

python deniable_crypto.py


How it works

Custom Encrypted Container Format Specification
Version: 1.0
Author: J~Net
Created by: Python-based AES-256 volume manager
Purpose: Secure, deniable, multi-volume container with password-based encryption

Encryption Overview
Cipher: AES-256-CBC

Password Derivation: PBKDF2 (SHA-256, 100,000 iterations)

Key Size: 256 bits

IV Size: 16 bytes (random per volume)

Salt Size: 16 bytes (random per volume)

HMAC: Optional, not used by default

Compression: zlib before encryption

Padding: PKCS7

Container File Structure
A single container file holds one or more encrypted volumes, concatenated together. Each volume has:

┌─────────────┐
│ Volume Blob │
└─────────────┘
Format:

Offset	Size	Description
0	16 bytes	Salt (random for key derivation)
16	16 bytes	IV (random for AES-CBC)
32	8 bytes	Decompressed length (big endian int)
40	≥ N bytes	Encrypted payload (AES-256-CBC encrypted zlib compressed volume data)

Each volume is preceded by its salt and IV, and terminated only by the end of its ciphertext (length inferred during decryption).

Volume Data (before encryption)
The decrypted volume data is a serialized Python dictionary:

{
    "filename": "example.txt",
    "timestamp": 1690000000,  # UNIX timestamp (optional)
    "data": b"...",           # Original file contents (binary)
}

This dict is:

Pickled with pickle.dumps()

Compressed with zlib.compress()

Then encrypted with AES-256-CBC.

Notes
There's no global index or header. Each volume is independent and only recoverable by guessing the correct password.

Invalid passwords will produce garbage after decryption, typically failing during decompression or unpickling.

No metadata leaks exist in plaintext.

Multiple volumes can coexist in a container, offering plausible deniability (e.g., "this just contains junk").

Decryption Steps
To extract a volume:

Open container file in binary mode.

Read sequentially:

16 bytes → Salt

16 bytes → IV

8 bytes → Length of decompressed data

N bytes → Ciphertext

Derive AES key via PBKDF2 (SHA-256) using password + salt.

Decrypt ciphertext using AES-256-CBC and IV.

Decompress with zlib.

Unpickle result → yields a dict with original file data.

Detection Resistance
No volume markers or known plaintext → can't be detected via signature scanning.

Volumes with unknown passwords are indistinguishable from random data.

Compatible with steganographic hiding (e.g., inside images or unused disk blocks).
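
The header layout and the first decryption steps above (read the fields, derive the key), as an added example that is not the tool's own code; it uses only the standard library and stops before AES. It also tests the unencrypted 8-byte length field, which bears on the detection-resistance points. The one-volume-per-blob input, the UTF-8 password encoding and the 1 TiB `max_plain` bound are assumptions.

```python
import hashlib
import struct

HEADER_LEN = 16 + 16 + 8       # salt + IV + length field; payload starts at 40
PBKDF2_ITERATIONS = 100_000    # from the encryption overview


def parse_volume(blob: bytes) -> dict:
    """Split a blob holding exactly one volume into the documented fields."""
    payload = blob[HEADER_LEN:]
    if len(blob) < HEADER_LEN + 16 or len(payload) % 16:
        raise ValueError("need a 40-byte header plus whole 16-byte AES blocks")
    (plain_len,) = struct.unpack(">Q", blob[32:40])  # big endian, unencrypted
    return {"salt": blob[:16], "iv": blob[16:32],
            "plain_len": plain_len, "payload": payload}


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, 100,000 iterations, 256-bit key (UTF-8 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def length_field_is_plausible(blob: bytes, max_plain: int = 1 << 40) -> bool:
    """True when bytes 32..39 decode to a believable decompressed length.

    Uniformly random bytes pass with probability of about 2**-24, so a hit
    suggests a volume header at offset 0 of `blob` rather than noise.
    """
    if len(blob) < HEADER_LEN:
        return False
    (plain_len,) = struct.unpack(">Q", blob[32:40])
    return 0 < plain_len <= max_plain


# Constructed sample: fixed salt and IV, a length field of 1234, and SHAKE-256
# output standing in for AES-CBC ciphertext (nothing is encrypted here).
SAMPLE_VOLUME = (bytes(range(16)) + bytes(range(16, 32))
                 + struct.pack(">Q", 1234)
                 + hashlib.shake_256(b"constructed payload").digest(48))
# Constructed filler of the same size with no length field written into it.
SAMPLE_NOISE = bytes((i * 37 + 11) % 256 for i in range(len(SAMPLE_VOLUME)))

if __name__ == "__main__":
    volume = parse_volume(SAMPLE_VOLUME)
    print("plain_len:", volume["plain_len"])
    print("key:", derive_key("example password", volume["salt"]).hex())
    print("volume plausible:", length_field_is_plausible(SAMPLE_VOLUME))
    print("noise plausible:", length_field_is_plausible(SAMPLE_NOISE))
```

With HMAC off by default the payload is unauthenticated, so the remaining steps (decrypt, decompress, unpickle) run on data whose integrity has not been checked; `pickle.loads` should only be called on input that has been verified first.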