Entropy Vault (evlt) is a command-line application designed for securely storing and retrieving data blobs using a vault file. The application leverages cryptographic keys as coordinates, allowing for the recovery of stored data. With evlt, multiple users can independently store data in the same vault without being aware of each other's data. To access a specific data blob, one must know the vault name, three unique keys, and the number of segments used during storage. This makes evlt particularly suitable for storing sensitive information such as cryptographic keys, passwords, automated login scripts containing sensitive credentials, binary files, and even compiled executables. Essentially, any type of data or file can be stored in an entropy vault.
This tool is primarily intended for system administrators who require secure data storage and management on critical systems, often accessed via the console or with root privileges.
This application is currently still in an experimental state. Consider it as such. Do not use it to store production-critical data.
- Secure data storage using cryptographic keys.
- Multiple independent data blobs in the same vault.
- Storage and retrieval of any data type.
- Command-line interface for easy integration with scripts and automation.
- On top of the 3 coordinate keys, there is also a master key.
- A default master key can be provided and locally cached in an obscured manner.
- A custom master key can be used for extra secret data.
The basic syntax to store a file:
evlt put /myvault/myfile.jpeg < myfile.jpeg
And to recover the file you can simply run:
evlt get /myvault/myfile.jpeg > myfile.jpeg
Note that you can use up to 3 "keys" in the form of /vaultname/keystring1/keystring2/keystring3, but that is optional. The missing keys will be filled in by a generated hash-based string.
You can also use more '/' subcategories (or subdirs, if you want to call them that). These work as extra keys but are simply appended to the key3 string. So /v/a/b/c/d/e --> vault=v key1=a key2=b key3=c/d/e
Technically you could consider it as a sort-of directory structure, but you have no way to list its content without knowing the full "path".
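As an added illustration (not code from the evlt project), here is a small Python parser for that path grammar: the first component names the vault, the next three are key1..key3, and any further components are folded into key3. The README says missing keys are filled with a generated hash-based string but not how it is derived, so the SHA-256 fill-in and its salt below are assumptions.

```python
import hashlib


def parse_vault_path(path, salt="constructed-salt"):
    """Split an evlt-style path into (vault, key1, key2, key3).

    From the README: the first component names the vault, the next three are
    the coordinate keys, and any further components are folded into key3
    ("/v/a/b/c/d/e" -> vault=v key1=a key2=b key3=c/d/e). Missing keys are
    replaced by a generated hash-based string; the README does not say how
    that string is derived, so the SHA-256 fill-in here is an assumption.
    """
    parts = [p for p in path.split("/") if p]
    if not parts:
        raise ValueError("path must start with a vault name")
    vault, keys, extra = parts[0], parts[1:4], parts[4:]
    if extra:
        keys[2] = "/".join([keys[2], *extra])
    while len(keys) < 3:
        # Assumed fill-in: deterministic per vault and key position, so that a
        # later get with the same short path lands on the coordinates the put used.
        fill = hashlib.sha256(f"{salt}:{vault}:{len(keys)}".encode()).hexdigest()[:16]
        keys.append(fill)
    return vault, keys[0], keys[1], keys[2]


if __name__ == "__main__":
    for p in ("/v/a/b/c/d/e", "/myvault/myfile.jpeg", "/secret/totp/test.totp"):
        vault, k1, k2, k3 = parse_vault_path(p)
        print(f"{p} -> vault={vault} key1={k1} key2={k2} key3={k3}")
```

The point of the deterministic fill-in is that a put and a later get with the same short path must resolve to the same coordinates; whatever derivation evlt actually uses has to satisfy the same property.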
To store a sensitive password in the vault:
evlt put /myvault/apl5a7qs89viok9lqsl23mdkzec/passwords/my_password -p
When using a .pwd or .password extension, the -p parameter is automatically assumed:
evlt put /myvault/apl5a7qs89viok9lqsl23mdkzec/passwords/my_password.pwd
To retrieve the stored password and output it as an invisible string between >>> and <<< markers (for copy/paste):
evlt get /myvault/apl5a7qs89viok9lqsl23mdkzec/passwords/my_password -p
or
evlt get /myvault/apl5a7qs89viok9lqsl23mdkzec/passwords/my_password.pwd
To print it as a QR code instead:
evlt get /myvault/category/passwords/my_password.pwd -Q
You can also use the .qr extension to signify that the content has to be printed as a QR code by default.
You can store otpauth://totp/ URI strings and have a get calculate the one-time authentication password. Simply use the .totp extension to signify that the entry is a time-based one-time password.
echo 'otpauth://totp/MyApplication?secret=JBSWY3DPEERAQHQOBORX&issuer=CompanyXYZ&algorithm=SHA1&digits=6&period=30' | evlt put /secret/totp/test.totp -S
evlt get /secret/totp/test.totp
TOTP authentication code : 564246
Use the -Q option if you want to print the URI as a QR code to scan it with your phone:
evlt get /secret/totp/test.totp -Q
Use the -F flag to retrieve the original URI string:
evlt get /secret/totp/test.totp -F
To store the content of a file, such as an SSH private key:
evlt put /myvault/oiq4fho9qis7hf/rsakeys/id_rsa -n 8 < id_rsa
To retrieve the stored key file and output it as invisible copy/paste content on the terminal:
evlt get /myvault/oiq4fho9qis7hf/rsakeys/id_rsa -n 8 -i
You can store whatever is currently in the clipboard into a vault, or get text data from the vault and put it in the clipboard:
evlt put /myvault/mypassword.pwd -B
evlt get /myvault/mypassword.pwd -B
To store a script in the vault:
evlt put /myvault/sysadmin/scripts/my_script.sh -f my_script.sh
To recover and execute the script:
evlt run /myvault/sysadmin/scripts/my_script.sh
The -c option on a get does the same: it executes the retrieved content, whether a script or binary executable data.
Use the "del" action to remove a data blob and free its space in the vault.
evlt del /myvault/sysadmin/scripts/my_data
evlt del /myvault/sysadmin/scripts/my_data2 -n 4
evlt del /password/mypassword -p
Technically, using /dev/null or an empty file as the put input has the same effect.
The default master key can be set with the following command:
evlt master
This master key is stored in an encrypted form and expires after a certain amount of time. When you do not provide a master key with a put or get request, the stored master key is used if it is available and not expired. You can configure the expiration of the default master key by adjusting the config file parameter MasterExpire (minutes).
To add an RSA private key for a remote connection:
ssh-keygen -b 2048 -f mykey
evlt put /.secrets/.remotehosts/.privatekey/username@remotehost -n 1 -f mykey
The .secrets vault is always used in its single-segment version, so make sure to pass "-n 1".
To store an item in a remote vault:
evlt put /myvault/mydata/item -R username@remotehost -f inputfile
To retrieve an item from a remote vault:
evlt get /myvault/mydata/item -R username@remotehost -f inputfile
A remote vault is always copied over completely to the local machine. When it is altered, the new version is uploaded again to the remote location.
Optionally, you can also use a custom TCP port with -R username@hostname:PORT. If you do, make sure your private key is also stored under /.secrets/.remotehosts/.privatekey/username@remotehost:PORT
You can use remote vaults with any of the above use cases and options.
To install evlt, clone the repository and compile the source code:
git clone https://github.com/oli4vr/evlt.git
cd evlt
make
make install
Currently, "make install" copies the executable to ~/bin. Make sure this directory is in your PATH.
evlt Entropy Vault
by Olivier Van Rompuy
Syntax evlt [command] /vaultname/key1/key2/key3/path [options]
evlt master
Commands
put/get Store/Recall a data blob. Uses stdin/stdout by default
append Append the input data to the end of an existing data blob
del Delete a data blob
run Run content as a script or command. (same as -c parameter)
ls List data entries in a path
master Set the default master key
Options
-v Verbose mode
-S Secret mode -> Do not index entry -> Invisible to ls command
-n NR Use NR number of parallel vault file segments between 1 and 32. Default=1
-b KBsize Blocksize in KB Default=1KB Allowed=1 2 4 8 16 32 64
-p Password content -> Put: enter value using a password prompt
-> Get: Invisible copy/paste output
-Q QR mode : Same as -p but output printed as a QR code on the terminal
-B Copy or Paste content from/to X11 clipboard
-i Invisible copy/paste output. Good for keys.
-c Run content as a script or command
-d path Use an alternate dir path for the vault files
-f file Use file for input or output instead of stdin or stdout
-m [masterkey] Use a custom master key.
If not provided you need to enter it manually via a password prompt.
-m prompt Prompt for the default masterkey and store/change the value.
-R [username@]host[:port]
Work on a remote vault via ssh. The rsa public key must be in ~/.ssh/authorized_keys on the remote host.
You can store RSA private keys in vault location /.secrets/.remotehosts/.privatekey/user@host[:port]
A config file is looked for in the local path ./.evlt.cfg, in /etc/evlt.cfg or in ~/.evlt/.evlt.cfg. Example config file content:
[evlt]
DefaultSegments=4
DefaultBlocksize=1
DefaultPath=localvaults
MasterExpire=60
RemoteHost=user@remotehost:22
DefaultPath can be practical when you want to store the vault files in a subdir of a local path (or on a usb thumb drive). MasterExpire configures the default master key expiration in minutes. RemoteHost sets a default remote host (sftp) where the vault files are located.
You can use certain extensions in the vault path to signify specific types of data like you would with files in a filesystem.
.password or .pwd -> Does the same as the -p parameter (treat it as a password)
Data is written and processed one block at a time. Each block is divided into a specified number of subblocks (-n), which are then encrypted. Every subblock is stored in a segment file, accompanied by a SHA512 hash to ensure integrity. Each subblock undergoes encryption three times using distinct keys for enhanced security. When an EOF is hit on the input file stream, a "stop" flag is set on the last blocks of each segment.
All vault data resides within the ~/.evlt directory. The names of the vault segment files are derived from hashed strings, which serves to obscure their contents and purpose.
To retrieve data from the vault, the segment file blocks are processed from the beginning until the stop marker. Each block is decrypted, and its SHA512 hash is recalculated and compared with the stored one. If the hashes match, the data is considered part of the requested data blob and is sent to the output file stream.
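To make the block, segment and stop-flag description concrete, here is an added Python model of that layout. It is not evlt's code, and since the README names neither the cipher nor the key derivation, the three-pass XOR keystream, the SHA-512 based per-pass keys, the record layout (a nonce, then an encrypted length, stop flag, padded payload and SHA-512 of the payload) and the 64-byte subblock size are all constructed stand-ins. What it does show is the two properties the text relies on: blobs stored under different keys share the same segment files and each is recovered only with its own keys, and a subblock whose hash no longer verifies is skipped rather than emitted.

```python
import hashlib
import hmac
import os
import struct

# Constructed sizes: evlt's real blocksize is 1 KB or more (-b); 64 keeps the demo small.
SUBBLOCK = 64
NONCE_LEN = 16
HASH_LEN = 64                                        # SHA-512 digest
RECORD_LEN = NONCE_LEN + 3 + SUBBLOCK + HASH_LEN     # one stored subblock


def keystream(key, nonce, length):
    """Toy keystream from SHA-512(key || nonce || counter). A stand-in only:
    the README does not say which cipher evlt uses."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha512(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(master, coords):
    """Assumption: one pass key per coordinate key, each bound to the master key."""
    return [hashlib.sha512(master.encode() + b"\0" + c.encode()).digest() for c in coords]


def encrypt(data, keys, nonce):
    # three passes with three distinct keys, as the README describes per subblock
    for k in keys:
        data = xor(data, keystream(k, nonce, len(data)))
    return data


def decrypt(data, keys, nonce):
    for k in reversed(keys):
        data = xor(data, keystream(k, nonce, len(data)))
    return data


def pack_record(payload, stop, keys):
    """Assumed layout: nonce | ENC(len:2 | stop:1 | payload padded | SHA-512(payload))."""
    nonce = os.urandom(NONCE_LEN)
    body = (struct.pack(">HB", len(payload), stop)
            + payload.ljust(SUBBLOCK, b"\0")
            + hashlib.sha512(payload).digest())
    return nonce + encrypt(body, keys, nonce)


def unpack_record(record, keys):
    """(payload, stop) when the SHA-512 verifies under these keys, else None."""
    nonce = record[:NONCE_LEN]
    body = decrypt(record[NONCE_LEN:], keys, nonce)
    length, stop = struct.unpack(">HB", body[:3])
    if length > SUBBLOCK:
        return None
    payload = body[3:3 + length]
    if not hmac.compare_digest(hashlib.sha512(payload).digest(), body[3 + SUBBLOCK:]):
        return None
    return payload, stop


def new_vault(n):
    """n segment files (1..32 in evlt), modelled here as in-memory byte arrays."""
    return {i: bytearray() for i in range(n)}


def put(vault, data, keys):
    """Each block of n*SUBBLOCK bytes is cut into n subblocks; subblock i is
    appended to segment i. At EOF every segment's last record gets the stop flag."""
    n = len(vault)
    block_len = n * SUBBLOCK
    blocks = [data[o:o + block_len] for o in range(0, len(data), block_len)] or [b""]
    for bi, block in enumerate(blocks):
        stop = 1 if bi == len(blocks) - 1 else 0
        for i in range(n):
            vault[i] += pack_record(block[i * SUBBLOCK:(i + 1) * SUBBLOCK], stop, keys)


def get(vault, keys):
    """Walk the segments from the start, record by record, keeping only subblocks
    whose hash verifies under these keys, until a verified record carries stop."""
    n = len(vault)
    out = b""
    for r in range(len(vault[0]) // RECORD_LEN):
        stop = False
        for i in range(n):
            res = unpack_record(bytes(vault[i][r * RECORD_LEN:(r + 1) * RECORD_LEN]), keys)
            if res is None:          # someone else's subblock, or a damaged one: skipped
                continue
            out += res[0]
            stop = stop or res[1] == 1
        if stop:
            break
    return out


if __name__ == "__main__":
    alice = derive_keys("master", ["vaultkey1", "alice", "passwords/db"])
    bob = derive_keys("master", ["vaultkey1", "bob", "keys/id_rsa"])
    vault = new_vault(4)
    put(vault, b"alice's blob " * 30, alice)
    put(vault, b"bob's blob " * 50, bob)
    print(get(vault, alice)[:13], get(vault, bob)[:10], get(vault, derive_keys("x", ["a", "b", "c"])))
```

One consequence worth checking in the model: a damaged subblock is indistinguishable from another user's subblock, so get returns a shorter blob without any error. A caller who needs to tell "no such blob" from "blob damaged" has to pair the output with a known length or a checksum of the whole blob, which this per-subblock hash does not provide.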