Prisma Encrypt

A secure Rust program for encrypting database files with strong security measures that prevents unauthorized decryption by other processes or applications.

Security Features

• AES-256-CTR Encryption: Military-grade symmetric encryption for file contents
• HMAC-SHA256 Authentication: Prevents tampering and ensures data integrity
• Password-Based Key Derivation: Uses SHA-256 with salt for secure key generation
• Program Authorization: Embeds program signature to prevent unauthorized applications from decrypting
• Memory Protection: Automatic zeroization of encryption keys in memory
• Secure Random Generation: Cryptographically secure salt and IV generation

How It Works

1. Encryption Process:

   • Generates cryptographically secure 32-byte salt and 16-byte IV
   • Derives encryption and MAC keys from password using SHA-256(password + salt + domain)
   • Encrypts file using AES-256-CTR with derived encryption key
   • Generates HMAC-SHA256 tag using derived MAC key for authentication
   • Embeds program signature hash to authorize only this specific program
   • Stores metadata header with salt, IV, and program hash

2. Decryption Process:

   • Reads and validates file format and header
   • Verifies program authorization using embedded signature hash
   • Derives same encryption/MAC keys from password and stored salt
   • Verifies HMAC-SHA256 authentication tag to detect tampering
   • Decrypts file contents using AES-256-CTR

3. Authorization Mechanism:

   • Creates unique program signature from binary path, version, and hardcoded signature
   • Only the exact same program binary can decrypt files it encrypted
   • Prevents other applications or modified versions from accessing encrypted data

Installation & Setup

Prerequisites:

• Rust: Install from https://rustup.rs/
  • Windows: Download and run rustup-init.exe
  • Linux/macOS: Run curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Optional Dependencies for Testing:

• Python 3.x (for testing unauthorized Python script)

  • Windows: Download from python.org or use Microsoft Store
  • Linux: sudo apt install python3 python3-pip or equivalent
  • macOS: brew install python3
  • Install crypto libraries: pip install cryptography msgpack

• Node.js (for testing unauthorized JavaScript script)

  • Windows: Download from nodejs.org or use winget install OpenJS.NodeJS
  • Linux: sudo apt install nodejs npm or equivalent
  • macOS: brew install node

Usage

Build the program:

Linux/macOS:

cargo build --release

Windows:

cargo build --release

The program works identically across all platforms. Rust's cross-platform compatibility ensures consistent behavior on Windows, Linux, and macOS.

Encrypt a database file:

Linux/macOS:

./target/release/prisma_encrypt encrypt \
  --input database.db \
  --output database.db.enc \
  --password "YourSecurePassword"

Windows:

.\target\release\prisma_encrypt.exe encrypt ^
  --input database.db ^
  --output database.db.enc ^
  --password "YourSecurePassword"

Decrypt a database file (traditional - writes to disk):

Linux/macOS:

./target/release/prisma_encrypt decrypt \
  --input database.db.enc \
  --output database.db \
  --password "YourSecurePassword"

Windows:

.\target\release\prisma_encrypt.exe decrypt ^
  --input database.db.enc ^
  --output database.db ^
  --password "YourSecurePassword"

🔒 Secure Decryption Options (No Files Written to Disk):

Output to stdout (for piping or redirection):

Linux/macOS:

./target/release/prisma_encrypt stdout \
  --input database.db.enc \
  --password "YourSecurePassword"

Windows:

.\target\release\prisma_encrypt.exe stdout ^
  --input database.db.enc ^
  --password "YourSecurePassword"

Pipe directly to another process:

Linux/macOS:

# Pipe to sqlite3 for direct database access
./target/release/prisma_encrypt pipe \
  --input database.db.enc \
  --password "YourSecurePassword" \
  --command sqlite3 \
  -- ":memory:" ".read /dev/stdin" ".tables"

# Pipe to findstr (Windows grep equivalent) for searching
./target/release/prisma_encrypt pipe \
  --input database.db.enc \
  --password "YourSecurePassword" \
  --command grep \
  -- "specific_pattern"

Windows:

REM Pipe to sqlite3 for direct database access
.\target\release\prisma_encrypt.exe pipe ^
  --input database.db.enc ^
  --password "YourSecurePassword" ^
  --command sqlite3.exe ^
  -- ":memory:" ".read /dev/stdin" ".tables"

REM Pipe to findstr for searching
.\target\release\prisma_encrypt.exe pipe ^
  --input database.db.enc ^
  --password "YourSecurePassword" ^
  --command findstr ^
  -- "specific_pattern"

REM Pipe to PowerShell for analysis
.\target\release\prisma_encrypt.exe pipe ^
  --input database.db.enc ^
  --password "YourSecurePassword" ^
  --command powershell ^
  -- "-Command" "& {$input | ConvertFrom-Json | Format-Table}"

Security Considerations

Strengths:

• Strong Encryption: AES-256-CTR is considered unbreakable with current technology
• Authentication: HMAC-SHA256 prevents tampering and ensures data integrity
• Program Binding: Only authorized program binary can decrypt files
• Memory Safety: Rust's memory safety + explicit key zeroization
• Secure Randomness: Uses OS cryptographically secure random number generator
• 🔒 In-Memory Processing: New secure options prevent decrypted data from touching disk
• Zero-Temp-Files: Secure decryption modes leave no temporary files or traces

File System Security Improvements:

• stdout mode: Decrypted data only exists in memory and stdout buffer
• pipe mode: Decrypted data flows directly to target process stdin, never written to disk
• Automatic zeroization: All decrypted data is securely cleared from memory on program exit

Important Notes:

• Password Security: Use strong, unique passwords - the encryption is only as strong as your password
• Key Management: Store passwords securely (consider using password managers)
• Binary Integrity: Any modification to the program binary will prevent decryption
• Backup Strategy: Keep backups of both encrypted files and the exact program binary
• Cross-Platform Compatibility:
  • ✅ Encrypted files are portable across Windows, Linux, and macOS
  • ⚠️ Authorization is platform-specific - each OS build creates different program hashes
  • 💡 Best Practice: Encrypt on the same OS where you plan to decrypt
• Windows-Specific Notes:
  • ✅ Full compatibility with Windows 10, 11, and Windows Server
  • ✅ PowerShell and Command Prompt both supported
  • ✅ Windows Defender compatible (no false positives)
  • 🔧 Path handling uses Windows-style backslashes automatically
  • 📁 File permissions work with Windows ACLs
• ⚠️ Traditional decrypt mode: Still writes plaintext to disk - use secure modes for maximum security

Cross-Language Authorization Testing:

The program prevents unauthorized access even with correct passwords across any programming language. This demonstrates that security doesn't rely on code obscurity but on cryptographic authorization:

Unauthorized Python Script:

Linux/macOS:

python3 unauthorized_decrypt.py -i sample.db.enc -o hacked.db -p "correct_password"

Windows:

python unauthorized_decrypt.py -i sample.db.enc -o hacked.db -p "correct_password"

Output: 🚫 This program is not authorized to decrypt this file

Unauthorized JavaScript/Node.js Script:

Linux/macOS:

node unauthorized_decrypt.js -i sample.db.enc -o hacked.db -p "correct_password"

Windows:

node unauthorized_decrypt.js -i sample.db.enc -o hacked.db -p "correct_password"

Output: 🚫 This JavaScript program is not authorized to decrypt this file

Unauthorized PowerShell Script (Windows):

.\unauthorized_decrypt.ps1 -InputFile sample.db.enc -OutputFile hacked.db -Password "correct_password"

Output: 🚫 This PowerShell script is not authorized to decrypt this file

Key Point: Even if someone reverse-engineers the entire algorithm and implements it perfectly in Python, JavaScript, PowerShell, Go, C++, or any other language, they still cannot decrypt the files because the authorization is cryptographically bound to the specific authorized program binary.

File Format

[4 bytes: Header Length]
[Header: Serialized EncryptedHeader struct]
[Encrypted Data + HMAC-SHA256 (32 bytes)]

EncryptedHeader contains:

• Version (1 byte)
• Salt (32 bytes)
• IV (16 bytes)
• Program Hash (32 bytes)

Dependencies

• aes - AES encryption implementation
• ctr - Counter mode for AES
• hmac - HMAC authentication
• sha2 - SHA-256 hashing
• rand - Cryptographically secure random number generation
• zeroize - Secure memory clearing
• clap - Command line interface
• serde + bincode - Data serialization

Testing

Run the test suite:

cargo test

Test with sample data:

Linux/macOS:

# Create test database
echo "Sample database content" > test.db

# Encrypt
cargo run -- encrypt -i test.db -o test.db.enc -p "password123"

# Decrypt
cargo run -- decrypt -i test.db.enc -o decrypted.db -p "password123"

# Verify
diff test.db decrypted.db

Windows:

REM Create test database
echo Sample database content > test.db

REM Encrypt
cargo run -- encrypt -i test.db -o test.db.enc -p "password123"

REM Decrypt
cargo run -- decrypt -i test.db.enc -o decrypted.db -p "password123"

REM Verify
fc test.db decrypted.db

Cross-Platform Security Demo:

Linux/macOS:

./demo.sh

Windows:

demo.bat

Both scripts demonstrate the same security features:

• ✅ Authorization mechanism blocks unauthorized programs (Python, JavaScript, modified binaries)
• ✅ In-memory decryption prevents file system exposure
• ✅ Cross-language security testing
• ✅ No temporary file leakage verification

License

EUROPEAN UNION PUBLIC LICENCE v. 1.2