📦 v1.1.0 - The Hardening Update

"An honest start, a more secure future."

This release marks the first step in our journey to transform shhcrypt from a "vibecoded" experiment into a robust encryption tool. Following a community audit on Reddit, we have addressed critical security flaws and prioritized transparency.

🛠 What’s New in v1.1.0?

    🛡️ Per-file Random Salt: Removed the static salt (pepper). Every encryption process now generates a unique, random 16-byte Salt, which is stored in the header of the .shh file. This prevents pre-computation and rainbow table attacks.

    🔗 Symlink Safety: The secure_delete function has been hardened. It no longer follows symbolic links, preventing accidental deletion of system files or external data.

    🧹 Memory Hygiene: Improved use of the zeroize crate to ensure that sensitive keys and passwords are wiped from RAM immediately after use.

    ⚠️ Engineering Transparency: Updated the documentation and source code with clear warnings regarding the project's experimental nature and its development process (LLM-assisted "vibecoding").
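
The symlink check described under Symlink Safety, as an added Rust sketch that is not shhcrypt's own code: `wipe_no_follow` and `demo` are hypothetical names, and it uses only the Unix standard library. Unlinking the link itself (rather than refusing) is an assumed policy, and the device/inode comparison guards the gap between the check and the open.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Hypothetical symlink-safe wipe, not shhcrypt's secure_delete. Ok(true): regular file
/// zeroed and removed. Ok(false): path was a symlink, only the link was unlinked.
pub fn wipe_no_follow(path: &Path) -> io::Result<bool> {
    let before = fs::symlink_metadata(path)?; // lstat: never resolves the link
    if before.file_type().is_symlink() {
        fs::remove_file(path)?; // removes the link entry only
        return Ok(false);
    }
    if !before.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mut f = OpenOptions::new().write(true).open(path)?;
    // fstat the open handle and compare with lstat: if the path was swapped for
    // a symlink between the check and the open, device/inode will not match.
    let after = f.metadata()?;
    if (after.dev(), after.ino()) != (before.dev(), before.ino()) {
        return Err(io::Error::new(io::ErrorKind::Other, "path changed during wipe"));
    }
    let zeros = [0u8; 4096];
    let mut left = after.len();
    while left > 0 {
        let n = left.min(zeros.len() as u64) as usize;
        f.write_all(&zeros[..n])?; // single zero pass over the existing length
        left -= n as u64;
    }
    f.sync_all()?;
    fs::remove_file(path)?;
    Ok(true)
}

/// Constructed demo: a file to keep, a symlink to it, and a scratch file to wipe.
pub fn demo() -> io::Result<(bool, bool, Vec<u8>)> {
    let dir = std::env::temp_dir().join(format!("wipe_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (keep, link, scratch) = (dir.join("keep"), dir.join("link"), dir.join("scratch"));
    fs::write(&keep, b"keep me")?;
    fs::write(&scratch, b"secret")?;
    std::os::unix::fs::symlink(&keep, &link)?;
    let results = (wipe_no_follow(&link)?, wipe_no_follow(&scratch)?, fs::read(&keep)?);
    fs::remove_dir_all(&dir)?;
    Ok(results)
}

fn main() -> io::Result<()> { println!("{:?}", demo()?); Ok(()) }
```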

📖 Updated Project Status

    [!IMPORTANT] This project is currently undergoing a security refactoring. While v1.1.0 fixes several junior-level cryptographic errors, it is still intended for educational and review purposes only. Do not use it for production-grade sensitive data yet.

🛤 Refactoring Roadmap (Next Steps)

    [x] Implement proper per-password Salt (Fixed in v1.1.0).

    [x] Fix symlink handling in secure wipe (Fixed in v1.1.0).

    [ ] Transition to RAM-only processing (Eliminating plaintext temp files).

    [ ] Implement Path Traversal protection during extraction.

    [ ] Add a comprehensive unit testing suite.

Developed with ❤️ by CipherStray — Committed to learning, honesty, and better code.