Password manager using steganography to embed encrypted credentials in images
Project description
StegVault
Secure password manager using steganography to embed encrypted credentials within images
StegVault is a full-featured password manager that combines modern cryptography with steganography. It can store either a single password or an entire vault of credentials, all encrypted using battle-tested algorithms (XChaCha20-Poly1305 + Argon2id) and hidden within ordinary PNG images using LSB steganography.
Latest Features (v0.4.0): Complete password manager with vault import/export, secure clipboard integration, TOTP/2FA authenticator with QR codes, and realistic password strength validation using zxcvbn!
Features
Core Features
- ๐ Strong Encryption: XChaCha20-Poly1305 AEAD with Argon2id KDF
- ๐ผ๏ธ Invisible Storage: LSB steganography with sequential pixel ordering
- ๐ Zero-Knowledge: All operations performed locally, no cloud dependencies
- โ Authenticated: AEAD tag ensures data integrity
- ๐งช Well-Tested: 275 unit tests with 80% overall coverage (all passing)
- โฑ๏ธ User-Friendly: Progress indicators for long operations
Vault Mode
- ๐๏ธ Multiple Passwords: Store entire password vault in one image
- ๐ฏ Key-Based Access: Retrieve specific passwords by key (e.g., "gmail", "github")
- ๐ Password Generator: Cryptographically secure password generation
- ๐ Rich Metadata: Username, URL, notes, tags, timestamps for each entry
- ๐ Dual-Mode: Choose single password OR vault mode
- โป๏ธ Auto-Detection: Automatically detects format on restore (backward compatible)
- ๐ค Import/Export: Backup and restore vaults via JSON
- ๐ Clipboard Support: Copy passwords to clipboard with auto-clear
- ๐ TOTP/2FA: Built-in authenticator with QR code support
- ๐ก๏ธ Password Strength: Realistic validation using zxcvbn with actionable feedback
Quick Start
Installation
# Install from PyPI (recommended)
pip install stegvault
# Or install from source
git clone https://github.com/kalashnikxvxiii-collab/stegvault.git
cd stegvault
pip install -e .
Usage
Mode 1: Single Password (Simple Backup)
1. Check Image Capacity
stegvault check -i myimage.png
2. Create Backup
stegvault backup -i cover.png -o backup.png
3. Restore Password
stegvault restore backup.png
Mode 2: Vault (Multiple Passwords) - NEW!
1. Create Vault with First Entry
stegvault vault create -i cover.png -o vault.png -k gmail --generate
# Automatically generates a secure password for Gmail
2. Add More Passwords
stegvault vault add vault.png -o vault_v2.png -k github -u myusername --generate
stegvault vault add vault_v2.png -o vault_v3.png -k aws
3. Retrieve Specific Password
stegvault vault get vault_v3.png -k gmail
# Output:
# Entry: gmail
# Username: user@gmail.com
# URL: https://gmail.com
# Password: X7k$mP2!qL5@wN
4. List All Keys
stegvault vault list vault_v3.png
# Output:
# Vault contains 3 entries:
# 1. gmail (user@gmail.com)
# 2. github (myusername)
# 3. aws
5. Update Entry
stegvault vault update vault_v3.png -o vault_v4.png -k gmail --password newpass123
6. Export Vault
stegvault vault export vault_v4.png -o backup.json --pretty
7. Import Vault
stegvault vault import backup.json -i cover.png -o restored_vault.png
8. Delete Entry
stegvault vault delete vault_v4.png -o vault_v5.png -k oldservice
9. Copy Password to Clipboard
stegvault vault get vault.png -k gmail --clipboard
# Password copied to clipboard (not displayed on screen)
# Auto-clear clipboard after 30 seconds
stegvault vault get vault.png -k gmail --clipboard --clipboard-timeout 30
10. Setup TOTP/2FA
# Add TOTP secret to entry
stegvault vault add vault.png -o vault_v2.png -k github -u myuser --totp
# Generate TOTP code
stegvault vault totp vault_v2.png -k github
# Output: Current TOTP code for 'github': 123456 (valid for 25 seconds)
# Show QR code for authenticator app
stegvault vault totp vault_v2.png -k github --qr
How It Works
Architecture Overview
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ StegVault Workflow โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
BACKUP CREATION PASSWORD RECOVERY
โ โ
1. User Input 1. Load Stego Image
โข Master Password โข backup.png
โข Passphrase โข Enter Passphrase
โข Cover Image
2. Extract Payload
2. Encryption โข LSB Extraction
โข Generate Salt (16B) โข Sequential Order
โข Derive Key (Argon2id) โข Parse Binary Format
โข Encrypt (XChaCha20)
3. Decryption
3. Payload Format โข Verify AEAD Tag
โข Magic: "SPW1" โข Derive Key (Argon2id)
โข Salt + Nonce โข Decrypt Ciphertext
โข Ciphertext + Tag
4. Recover Password
4. LSB Embedding โข Display/Save Password
โข Sequential Pixels
โข Modify LSB of R,G,B
โข Save Stego Image
5. Output: backup.png
Cryptographic Stack
| Component | Algorithm | Parameters |
|---|---|---|
| AEAD Cipher | XChaCha20-Poly1305 | 256-bit key, 192-bit nonce |
| KDF | Argon2id | 3 iterations, 64MB memory, 4 threads |
| Salt | CSPRNG | 128 bits (16 bytes) |
| Nonce | CSPRNG | 192 bits (24 bytes) |
| Tag | Poly1305 | 128 bits (16 bytes) |
Payload Format
Binary structure embedded in images:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Offset โ Size โ Field โ Description โ
โโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโค
โ 0 โ 4B โ Magic Header โ "SPW1" โ
โ 4 โ 16B โ Salt โ For Argon2id โ
โ 20 โ 24B โ Nonce โ For XChaCha20โ
โ 44 โ 4B โ CT Length โ Big-endian โ
โ 48 โ N โ Ciphertext โ Variable โ
โ 48+N โ 16B โ AEAD Tag โ (appended) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Steganography Technique
LSB (Least Significant Bit) Embedding:
- Sequential Pixel Ordering: All payload bits stored left-to-right, top-to-bottom for reliability and simplicity
- Distributed Embedding: Payload bits spread across R, G, B channels
- Minimal Visual Impact: Only LSB modified (imperceptible to human eye)
- Security Philosophy: Cryptographic strength (XChaCha20-Poly1305 + Argon2id) provides security, not pixel ordering
# Simplified example
for y in range(height):
for x in range(width):
for channel in [R, G, B]:
channel_value = (channel_value & 0xFE) | payload_bit
Security Considerations
โ Strong Security Features
- Modern Cryptography: XChaCha20-Poly1305 is a modern AEAD cipher resistant to various attacks
- Strong KDF: Argon2id winner of Password Hashing Competition, resistant to GPU/ASIC attacks
- Authenticated Encryption: Poly1305 MAC ensures integrity; tampering detected automatically
- Cryptographic Security: Security provided by strong cryptography, not by hiding embedding pattern
- No Key Reuse: Fresh nonce generated for each encryption
โ ๏ธ Limitations & Warnings
- Not Invisible: Advanced steganalysis may detect embedded data
- No Deniability: Payload has identifiable magic header
- JPEG Lossy: Recompressing JPEG images destroys payload (use PNG)
- Both Required: Losing either image OR passphrase = permanent data loss
- Offline Attacks: Attacker with image can attempt brute-force (mitigated by Argon2id)
๐ Best Practices
- Strong Passphrase: Use 16+ character passphrase with mixed case, numbers, symbols
- Multiple Backups: Store copies in different locations
- PNG Format: Always use PNG (lossless) not JPEG (lossy)
- Verify Backups: Test restore process after creating backup
- Secure Storage: Protect image files as you would protect passwords
Development
Running Tests
# Run all tests
pytest
# Run with coverage
pytest --cov=stegvault --cov-report=html
# Run specific module tests
pytest tests/unit/test_crypto.py -v
Code Quality
# Format code
black stegvault tests
# Type checking
mypy stegvault
Project Structure
stegvault/
โโโ stegvault/ # Source code
โ โโโ crypto/ # Cryptography (Argon2id + XChaCha20)
โ โ โโโ __init__.py
โ โ โโโ core.py
โ โโโ stego/ # Steganography (PNG LSB)
โ โ โโโ __init__.py
โ โ โโโ png_lsb.py
โ โโโ utils/ # Payload format handling
โ โ โโโ __init__.py
โ โ โโโ payload.py
โ โ โโโ config.py
โ โโโ vault/ # Password vault management (NEW in v0.4.0)
โ โ โโโ __init__.py
โ โ โโโ core.py # Vault and VaultEntry classes
โ โ โโโ operations.py # Vault CRUD operations + import
โ โ โโโ generator.py # Password generator
โ โ โโโ totp.py # TOTP/2FA support
โ โโโ batch/ # Batch operations
โ โ โโโ __init__.py
โ โ โโโ processor.py
โ โโโ __init__.py
โ โโโ cli.py # Command-line interface
โโโ tests/ # Test suite (275 tests, 80% coverage)
โ โโโ unit/
โ โ โโโ test_crypto.py # 26 tests
โ โ โโโ test_payload.py # 22 tests
โ โ โโโ test_stego.py # 16 tests
โ โ โโโ test_config.py # 28 tests
โ โ โโโ test_batch.py # 20 tests
โ โ โโโ test_vault.py # 49 tests (vault module)
โ โ โโโ test_cli.py # 53 tests (core CLI)
โ โ โโโ test_vault_cli.py # 38 tests (vault CLI)
โ โ โโโ test_totp.py # 19 tests (TOTP/2FA)
โ โ โโโ test_password_strength.py # 24 tests (password validation)
โ โโโ __init__.py
โโโ docs/ # Documentation
โโโ examples/ # Example images
โโโ .gitignore
โโโ CHANGELOG.md
โโโ CONTRIBUTING.md
โโโ LICENSE # MIT License
โโโ README.md # This file
โโโ ROADMAP.md
โโโ pyproject.toml
โโโ requirements.txt
Roadmap
See ROADMAP.md for planned features and development timeline.
Coming Soon
- GUI application (Electron or Qt)
- JPEG DCT steganography (more robust)
- Multi-vault operations and search
- Gallery foundation for multi-file vault management
- Optional cloud storage integration
Contributing
Contributions are welcome! Please read CONTRIBUTING.md for guidelines.
Quick Contribution Guide
- Fork the repository
- Create feature branch (
git checkout -b feature/amazing-feature) - Make changes with tests
- Commit (
git commit -m 'feat: add amazing feature') - Push (
git push origin feature/amazing-feature) - Open Pull Request
License
This project is licensed under the MIT License - see LICENSE file for details.
Disclaimer
StegVault is provided "as-is" for educational and personal use. The authors are not responsible for any data loss or security breaches. Always maintain multiple backups of critical passwords.
Security Notice: While StegVault uses strong cryptography, no system is perfect. This tool is best used as a supplementary backup method alongside traditional password managers.
Acknowledgments
- PyNaCl - libsodium bindings for Python
- argon2-cffi - Argon2 password hashing
- Pillow - Python Imaging Library
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
stegvault-0.4.0.tar.gz
(40.8 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
stegvault-0.4.0-py3-none-any.whl
(41.2 kB
view details)
File details
Details for the file stegvault-0.4.0.tar.gz.
File metadata
- Download URL: stegvault-0.4.0.tar.gz
- Upload date:
- Size: 40.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fe597e8afd810454912987b2e71fae0a8a0f0b8d3c793e1fddf7e86cc52b3b35
|
|
| MD5 |
4ad7864c26adcf8f890d5e541ec0f7ae
|
|
| BLAKE2b-256 |
e942f1c97b032e68404819fc781fb1e2889056ef0d3cf78d66c8c3d30bd18ab7
|
File details
Details for the file stegvault-0.4.0-py3-none-any.whl.
File metadata
- Download URL: stegvault-0.4.0-py3-none-any.whl
- Upload date:
- Size: 41.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9bbe01fa16eb8a8d9bcf6e73c4a433b4fa0a5563b75067b45a56afd44620d956
|
|
| MD5 |
ff59000cb771c5cb1fd44a1caf4e6a1a
|
|
| BLAKE2b-256 |
95ecc950f8b84099fbcb0f187a642fac6ba022256d386b97084744a7a345f9e8
|
