High-performance streaming encryption engine for large files

ciph

ciph is a fast, streaming file‑encryption tool built for large media files and cloud uploads. It uses modern, industry‑standard cryptography and is designed to safely encrypt files larger than your system RAM.

Encrypt locally. Upload anywhere. Decrypt only when you trust the environment.


❓ Why ciph?

Most encryption tools load the entire file into memory before encrypting it. ciph streams data in fixed-size chunks, which means you can encrypt a 50 GB 4K video on a machine with only 2 GB of RAM—smoothly and safely.

✨ Features

  • 🔐 Strong encryption — AES‑256‑GCM or ChaCha20‑Poly1305
  • 🔑 Password protection — Argon2id (memory‑hard key derivation)
  • 🚀 High performance — streaming C core (1 MB chunks)
  • 🧠 Constant memory usage — works with 10 GB+ files
  • ⚙️ Hardware‑aware — AES‑NI when available, ChaCha fallback
  • 🧪 Integrity protected — AEAD authentication on every chunk
  • ☁️ Cloud / Telegram safe — encrypt before upload
  • 🏷️ Filename preserved — original filename & extension are stored and restored on decryption

🔐 Cryptographic Design

ciph uses a hybrid (envelope) encryption model, similar to what is used in modern secure storage systems:

  1. A random data key encrypts the file in streaming mode.
  2. Your password is hardened using Argon2id.
  3. The data key is encrypted using the derived password key.
  4. Every chunk is authenticated to detect tampering.
  5. The original filename (without path) is stored as encrypted metadata and automatically restored on decryption.

No custom crypto. No weak primitives.


🔒 Security Strength

| Component | Algorithm | Strength |
|---|---|---|
| File encryption | AES‑256‑GCM | 256‑bit |
| File encryption (fallback) | ChaCha20‑Poly1305 | 256‑bit |
| Password KDF | Argon2id | Memory‑hard |
| Integrity | AEAD | Tamper‑proof |
| Nonces | Key‑derived per chunk (unique, no reuse) | No reuse |

What this means

  • Brute‑force attacks are computationally infeasible
  • File corruption or tampering is always detected
  • Encrypted files are safe on any cloud platform
  • Losing the password means data is unrecoverable

🆕 Security Update (v1.2.0 — Hardened)

Starting from v1.2.0, ciph introduces protocol‑level security hardening. This update does not change the user workflow, but it significantly strengthens the internal guarantees.

What changed internally

  • 🔒 Full metadata authentication (AAD binding): All file header fields (magic, version, cipher, salt, filename, encrypted key) are cryptographically bound to the encrypted content. Any modification causes decryption to fail.

  • 🔑 Strict key separation: Encryption keys and nonce‑derivation keys are derived independently using domain separation. Keys are never reused across purposes.

  • 🔁 Chunk replay & reordering protection: Each encrypted chunk uses a nonce derived from a secret key and the chunk index. Chunks cannot be reordered, duplicated, or transplanted between files.

  • 🧼 Explicit password handling: Passwords are treated as raw byte buffers with explicit length. No implicit string handling, truncation, or hidden transformations.

  • 🛡️ DoS‑safe streaming: Encrypted chunk sizes are validated before allocation to prevent memory exhaustion attacks.

What is now cryptographically impossible

  • ❌ Modifying the filename without detection
  • ❌ Downgrading the cipher mode
  • ❌ Swapping or reordering encrypted chunks
  • ❌ Transplanting chunks between different files
  • ❌ Reusing nonces under the same key
  • ❌ Injecting malformed headers that decrypt silently

This update moves ciph from "strong encryption" to "protocol‑hardened encryption", suitable for long‑term archival and hostile storage environments.


🚀 Quick Start (Build from Source)

git clone https://github.com/ankit-chaubey/ciph
cd ciph
make
pip install .

📦 Installation

Requirements

  • Linux / Termux
  • Python ≥ 3.8
  • libsodium

Install from PyPI

pip install ciph

🚀 Usage

Encrypt a file

ciph encrypt video.mp4

Output:

video.mp4.ciph

Decrypt a file

ciph decrypt video.mp4.ciph

Output:

video.mp4

The original filename and extension are automatically restored, even if the encrypted file was renamed.

Example workflow (Cloud / Telegram)

ciph encrypt movie.mkv
# upload movie.mkv.ciph anywhere
# share the password securely

ciph decrypt movie.mkv.ciph

📝 File Format

Updated & Hardened (v1.2.0) — This section extends the original format without removing any fields. All existing fields remain valid; new guarantees and clarifications are added.

Header Layout (Authenticated as AAD)

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | Magic bytes (CIPH) |
| 4 | 1 | Format version (0x02) |
| 5 | 1 | Cipher mode (1 = AES‑256‑GCM, 2 = ChaCha20‑Poly1305) |
| 6 | 16 | Argon2id salt (random per file) |
| 22 | 12 | Nonce‑derivation key (random per file) |
| 34 | 1 | Filename length (N) |
| 35 | N | Original filename (UTF‑8, no path, not NUL‑terminated) |
| 35+N | 2 | Encrypted data‑key length (big‑endian) |
| 37+N | L | Encrypted data key (AEAD‑protected) |

All header fields above are cryptographically authenticated (AAD). Any modification results in decryption failure.

Encrypted Payload Layout (Streaming)

The payload is a sequence of independently authenticated chunks:

| Field | Size | Description |
|---|---|---|
| ChunkLen | 4 | Length of encrypted chunk (ciphertext + tag) |
| ChunkData | M | AEAD‑encrypted chunk data |

This pair repeats until end‑of‑file.
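The header and payload layouts above, together with the chunk-size validation described under "DoS‑safe streaming", can be exercised with a small read-only parser. This is an added example, not ciph's own code: the big-endian `ChunkLen`, the `MAX_CHUNK` cap, the filename check and all helper names are assumptions, and the sample file is constructed filler rather than real ciph output.

```python
import io
import struct

MAGIC, VERSION, TAG_LEN = b"CIPH", 0x02, 16      # 16-byte AEAD tag for both ciphers
CIPHERS = {1: "AES-256-GCM", 2: "ChaCha20-Poly1305"}
MAX_CHUNK = 1024 * 2**20 + TAG_LEN               # assumed cap, not stated on the page

def read_exact(f, n):
    """Read exactly n bytes; a short read means a truncated file."""
    data = f.read(n)
    if len(data) != n:
        raise ValueError(f"truncated: wanted {n} bytes, got {len(data)}")
    return data

def parse_header(f):
    """Parse the header table above and return its fields plus the raw bytes."""
    fixed = read_exact(f, 35)                    # everything up to the filename
    if fixed[:4] != MAGIC or fixed[4] != VERSION:
        raise ValueError("bad magic or unsupported version")
    if fixed[5] not in CIPHERS:
        raise ValueError(f"unknown cipher mode {fixed[5]}")
    name_raw = read_exact(f, fixed[34])
    name = name_raw.decode("utf-8")              # invalid UTF-8 raises ValueError
    # Defensive check added here: the stored name must not steer the output path.
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError("filename is not a bare name")
    len_raw = read_exact(f, 2)
    enc_key = read_exact(f, struct.unpack(">H", len_raw)[0])
    return {"cipher": CIPHERS[fixed[5]], "salt": fixed[6:22],
            "nonce_key": fixed[22:34], "filename": name, "enc_key": enc_key,
            "raw": fixed + name_raw + len_raw + enc_key}  # bytes the page says are authenticated

def iter_chunks(f, max_chunk=MAX_CHUNK):
    """Yield (index, ciphertext+tag), validating ChunkLen before reading it."""
    index = 0
    while (raw := f.read(4)):
        if len(raw) != 4:
            raise ValueError("truncated chunk length")
        n = struct.unpack(">I", raw)[0]          # big-endian is an assumption
        if not TAG_LEN <= n <= max_chunk:
            raise ValueError(f"chunk {index}: implausible length {n}")
        yield index, read_exact(f, n)
        index += 1

def sample_file(name=b"video.mp4", chunks=(b"\xaa" * 40, b"\xbb" * 16)):
    """Constructed sample: filler bytes in the documented layout, not real ciph output."""
    head = MAGIC + bytes([VERSION, 2]) + b"S" * 16 + b"N" * 12 + bytes([len(name)])
    head += name + struct.pack(">H", 48) + b"K" * 48
    body = b"".join(struct.pack(">I", len(c)) + c for c in chunks)
    return io.BytesIO(head + body)
```

The parser performs no decryption, so it can reject a malformed or truncated file before any Argon2id work is spent on it.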

Cryptographic Binding Guarantees (v1.2.0)

The following properties are now cryptographically enforced, not policy‑based:

  • Header ↔ payload binding (no metadata tampering)
  • Cipher mode binding (no downgrade attacks)
  • Filename binding (cannot be altered silently)
  • Chunk order binding (no reordering or replay)
  • Cross‑file isolation (chunks cannot be transplanted)

📊 Performance

  • Processes data in chunks of 4 to 1024 MB
  • Cryptography handled in C (libsodium)
  • Python used only for CLI orchestration
  • Typical throughput: hundreds of MB/s (CPU‑bound)

Encryption is usually faster than your internet upload speed.


⚠️ Limitations (v1.0.0+)

  • No resume support yet
  • Progress bar shows start → finish (stream handled in C)
  • Password‑based encryption only (public‑key mode planned)

🧑‍💻 Author & Project

ciph is designed, developed, and maintained by

Ankit Chaubey (@ankit‑chaubey)

GitHub Repository: 👉 https://github.com/ankit-chaubey/ciph

The project focuses on building secure, efficient, and practical cryptographic tools for real‑world usage, especially for media files and cloud storage.


📜 License

Apache License 2.0

Copyright © 2026 Ankit Chaubey

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


🔮 Roadmap

Planned future improvements:

  • Parallel chunk encryption
  • Resume / partial decryption
  • Public‑key encryption mode
  • Real‑time progress callbacks
  • Prebuilt wheels (manylinux)

⚠️ Disclaimer

This tool uses strong cryptography.

If you forget your password, your data cannot be recovered.

Use responsibly.

Download files

Source Distribution

ciph-1.2.0.tar.gz (19.5 kB)

Uploaded Source

Built Distribution

ciph-1.2.0-py3-none-any.whl (12.8 kB)

Uploaded Python 3

File details

Details for the file ciph-1.2.0.tar.gz.

File metadata

  • Download URL: ciph-1.2.0.tar.gz
  • Upload date:
  • Size: 19.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ciph-1.2.0.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | c4cd0f8d3a72e3a6fc06f94ab273021cc30b06ccbefc21cdb5044f4c25a3c2bc |
| MD5 | f0ab96d8cdded5e19863f398a920b3a4 |
| BLAKE2b-256 | cb8135410991ab3dc167acee66528d189f3e0b4e40a97cbf69ba6341c2183088 |

Provenance

The following attestation bundles were made for ciph-1.2.0.tar.gz:

Publisher: publish.yml on ankit-chaubey/ciph

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ciph-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: ciph-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 12.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ciph-1.2.0-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | 72a1e8dc67511a136a1987e0f55de3b256057c13de0aa7d939e3cee92cd9244d |
| MD5 | 7b9872882b70132973bb577067f41e55 |
| BLAKE2b-256 | cc6c38668a1cfcfba4cb7a1b392e70f3750947f52a9896f9e6905669045679b2 |

Provenance

The following attestation bundles were made for ciph-1.2.0-py3-none-any.whl:

Publisher: publish.yml on ankit-chaubey/ciph

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
