Metadata-Version: 2.4
Name: vault-tar
Version: 0.1.2
Summary: AES-256-GCM file and directory encryption with chunked streaming and optional splitting.
Project-URL: Homepage, https://github.com/l1asis/vault-tar
Project-URL: Repository, https://github.com/l1asis/vault-tar.git
Project-URL: Issues, https://github.com/l1asis/vault-tar/issues
Author: Volodymyr Horshenin
License-Expression: MIT
License-File: LICENSE
Keywords: aes,aes-256-gcm,cryptography,directory-encryption,encryption,file-encryption,pbkdf2,privacy,security
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: End Users/Desktop
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Programming Language :: Python :: 3.15
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: System :: Archiving
Classifier: Topic :: Utilities
Classifier: Typing :: Typed
Requires-Python: >=3.12
Requires-Dist: cryptography>=43.0
Provides-Extra: all
Requires-Dist: pytest>=8.0; extra == 'all'
Provides-Extra: test
Requires-Dist: pytest>=8.0; extra == 'test'
Description-Content-Type: text/markdown

# vault-tar

AES-256-GCM file and directory encryption with chunked streaming, configurable
compression, and optional output splitting.

## Features

- **AES-256-GCM** authenticated encryption with PBKDF2-HMAC-SHA256 key
  derivation (1 200 000 iterations by default).
- **Chunked streaming** — encrypts/decrypts in 1 MiB chunks so memory usage
  stays constant regardless of input size.
- **Compression** — choose between `xz`, `gz`, `bz2`, `zst`
  (Python ≥ 3.14), or `none`.
- **Output splitting** — split encrypted output into fixed-size parts (default
  1 GiB) for easier storage and transfer.
- **Single-file mode** — encrypt/decrypt individual files without tar
  archiving.
- **Directory comparison** — recursively compare two directory trees after a
  round-trip to verify integrity.
- **Progress bars** — optional verbose mode (`-v`) with real-time byte-level
  progress during compression, encryption, and decryption.

## Requirements

- Python ≥ 3.12
- [`cryptography`](https://cryptography.io/) ≥ 43.0

## Installation

### From PyPI

```bash
pip install vault-tar
```

### From source

```bash
git clone https://github.com/l1asis/vault-tar.git
cd vault-tar
pip install .
```

## Usage

After installation the `vtar` command is available on your `PATH`.

### Encrypt directories

```bash
vtar encrypt -i secret_docs/ photos/ -o encrypted -v
```

### Encrypt with a specific algorithm

```bash
vtar encrypt -i data/ -o data --algorithm zst -v        # zstandard (Python ≥ 3.14)
vtar encrypt -i data/ -o data --algorithm gz -v          # gzip
vtar encrypt -i data/ -o data --algorithm none -v        # tar only, no compression
```

### Encrypt a single file (skip archiving)

```bash
vtar encrypt -i backup.sql -o backup.enc --file-only --no-split
```

### Decrypt

```bash
vtar decrypt -i encrypted -o restored/ -v
vtar decrypt -i backup.enc -o backup.sql --file-only
```

### Compare directories

Verify that decrypted output matches the original:

```bash
vtar compare original/ restored/ -v
```

### Additional options

| Flag | Description |
|---|---|
| `-v`, `--verbose` | Show progress bars and status messages |
| `--password TEXT` | Supply password on command line (prompted if omitted) |
| `--algorithm {xz,gz,bz2,zst,none}` | Compression algorithm (default: `xz`) |
| `--compression-level N` | Algorithm-specific compression level |
| `--chunk-size SIZE` | Plaintext chunk size (default: `1MiB`) |
| `--split-size SIZE` | Max part-file size (default: `1GiB`) |
| `--no-split` | Write a single output file |
| `--file-only` | Encrypt/decrypt a single file directly |
| `--cleanup` | Remove original input after success |
| `-V`, `--version` | Show version and exit |

Sizes accept human-readable suffixes: `KiB`, `MiB`, ... `TiB` 
for binary units (default), as well as `KB`, `MB`, ... `TB`
for decimal units.

## File format

All encrypted output follows a custom binary format (v1):

```
Header (first part only):
  [2 B]  magic  0xEF01
  [1 B]  format version  0x01
  [2 B]  salt length          [N B]  salt
  [2 B]  base-nonce length    [12 B] base nonce

Chunks (sequential across parts):
  [4 B]  ciphertext length    [N B]  ciphertext (plaintext + 16 B GCM tag)
```

Each chunk uses a unique nonce derived as `base_nonce XOR chunk_index`
(big-endian, 12 bytes) with AAD `b"chunk_<index>"`.

## Security

See [SECURITY.md](SECURITY.md) for the threat model, cryptographic details,
known limitations, and responsible disclosure policy.

## Acknowledgments

Built with assistance from [GitHub Copilot](https://github.com/features/copilot)
(Claude Opus 4.6).

## License

[MIT](LICENSE) — Copyright 2026 Volodymyr Horshenin
