Windham is free and open-source software for disk encryption, an implementation of its own specification, based on the Linux dm-crypt module.
- Transparent & on-the-fly disk (or partition) encryption.
- Plausible deniability: through Decoy Partition (steganography) and completely signature-less & mathematically random header.
- Tamper resistance: The encryption header scheme is designed to prevent malicious tampering.
- Password management: supports registering multiple passwords, revoking them with (optional) authorization.
- Atomic metadata: metadata will entangle each minor change to the full modifiable region. It is impossible to compare the partition header thus extracting information about the previous modification, reducing the attack surface.
You can Choose to:
- Download the repository and use the
auto-install.sh
script, which will install all dependencies automatically and build Windham using CMake. Most distros are supported. - Compile by your own. See Compile Instructions below.
- Locate the device that you want to encrypt under
/dev
, you can do this by using your disk manager or commandlsblk
. It might be something like/dev/sdb
or/dev/nvme0n1
;/dev/sdb2
or/dev/nvme0n2p2
if you prefer to create an encrypted partition instead. - use
windham New *your device*
to create a new Windham device. e.g: creating a Windham device on/dev/sdb
, usesudo windham New /dev/sdb
. - To open and map your device, use
windham Open *your device* --to=*name*
. e.g:sudo windham Open /dev/sdb --to=enc1
will open/dev/sdb
: at/dev/mapper/enc1
. - create the filesystem as if it is an empty disk. You can use your disk manager or
mkfs
. e.g: usingsudo mkfs.ext4 /dev/mapper/*name*
to create an ext4 partition. - close and lock your device using
windham close *name*
. - (Optional, but recommended) run
windham Open *your device* --dry-run
to view your master key; back it up into a safe place. The master key can access, control and modify the entire partition. It's unique and impossible to regenerate when compromised!!
cmake
make
and gcc
(with gas
, usually bundled with GCC) are required to build Windham (windham uses kconfig
so you can't use ninja). You can use the auto build
script,
or build from source manually.
Windham only runs on glibc.
Run auto-install.sh
at the root directory of the source code:
git clone https://level-128-git.com/level-128/windham.git --depth=1
cd windham
sudo sh auto-install.sh
auto-install.sh
will install all dependencies automatically and build Windham using CMake. Most distros are supported. This is the
preferred installation method with native architecture.
Install additional required libraries:
Description | Debian-based | Fedora-based / SUSE | Arch-based |
---|---|---|---|
device mapper | libdevmapper-dev |
device-mapper-devel |
device-mapper |
Kernel key retention service(**) | libkeyutils-dev |
keyutils-libs-devel |
keyutils |
EXT filesystem development package(*) | libext2fs-dev |
e2fsprogs-devel |
e2fsprogs |
Kernel Header | linux-headers-$(uname -r) |
kernel-devel |
linux-headers |
GNU Gettext | libgettextpo-dev |
gettext-runtime and gettext-tools |
gettext |
ncurses | libncurses-dev |
ncurses-devel |
ncurses |
libblkid library | libblkid-dev |
libblkid-devel |
util-linux |
Additional userspace programs (Optional, but functionality will be reduced ifs these userspace programs are absent)
- (*)
resize2fs
: userspace ext2/ext3/ext4 file system resizer (undere2fsprogs
). - (***)
kpartx
: Create device maps from partition tables.
(*): only if Submodule support -> dynamic conversion and in place encryption support. (Experimental)
enabled.
(**): only if Submodule support -> Kernel key retention service support
set to 1 or 2.
(***): only if Submodule support -> post-unlock partition table discovery support
set to 1 or 2.
Build windham using cmake:
cmake CMakeLists.txt -B build
cd build
make
make install # Optional
To configure Windham, use make menuconfig
under build
directory.
See: How To Use?
Windham supports Decoy Partition: a feature that provides encrypted partitions with a high degree of plausible deniability.
A Decoy Partition allows an external partition located at the same logical level with the encrypted partition. The encrypted partition occupies the lower sectors of the partition. In a case where the user needs to deny the existence of the encrypted partition (while the cryptographically random header doesn't constitute a strong rebuttal of its existence), Decoy Partition could then be used to achieve a high degree of plausible deniability by placing an identifiable partition that occupies the upper sectors. The size of the decoy partition is usually much smaller than the full space of the partition. Also, The identifiable partition on top of it should be linear, otherwise the decoy partition may be damaged due to overwritten by the identifiable partition.
Use windham New *your device* --decoy
to create a decoy partition along with the encrypted partition. To Open an
encrypted partition, which contains a Decoy Partition, use argument --decoy
(Except
Close
); the program then recognizes the given device as a Decoy Partition.
There are no protection and no ways to ensure the modification to the identifiable partition will not overwrite the underlying encrypted partition. In a case that a large amount of file needs to be modified, reformatting the identifiable filesystem is a better idea.
Exfat and FAT32 are recommended. These filesystems have (by default) linear sequences when writing.
🥰🥰 Contributions are highly welcome 🥰🥰!
Oh, make sure that you have acknowledged the code of conduct.
Any questions? email me: level-128@gmx.com
Copyright (C) 2023- W. Wang (level-128)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
The early version of this program has granted "Additional permissions" applied from article (7) when using, propagating and conveying the unmodified covered work. The "Additional permissions" have been revoked and removed from version 0.231128.
Windham is classified under ECCN 5D002 that provides or performs "non-standard cryptography" as defined in part 772 of the EAR, and is subject to Export Administration Regulation jurisdiction from the Bureau of Industry and Security. A notification to BIS and the ENC Encryption Request Coordinator via email of the internet location (e.g., URL or internet address) of the source code is required when the cryptographic functionality of the source code is updated or modified. This can be done by notifying level-128 (Email: level-128@gmx.com) when making contributions or forking the software.
I know this is not ideal...