Secure file encryption tool for long-term data protection.
by Massimo Parisi (antaresfil)
Support: clavemhelp@noxfarm.com
CLAVEM is a Windows desktop application that encrypts files and folders using modern, authenticated cryptography. It is designed for users who want strong, local, offline protection for sensitive data, with no cloud, no accounts, and no backdoors.
Every encrypted file becomes a `.svlt` container. Without the correct password (and keyfile, if used), the content is computationally unrecoverable.
- AES-256-GCM: authenticated encryption (confidentiality + integrity in one pass)
- Argon2id key derivation: memory-hard, GPU/ASIC resistant (OWASP recommended)
- Optional keyfile: cryptographic second factor derived from file content only (name and path are ignored)
- File and folder encryption: folders are packaged as ZIP then encrypted in a single `.zip.svlt`
- 3-pass secure delete: optional DoD-style overwrite of the original after encryption
- Privacy-preserving design: CLAVEM never stores or reveals whether a keyfile was used
- Legacy compatibility: reads SVLT v1, v2, and v3 containers
- DPI-aware UI: PerMonitorV2 manifest, ClearType rendering on all displays
| Component | Algorithm | Notes |
|---|---|---|
| Encryption | AES-256-GCM | 128-bit authentication tag |
| Key Derivation | Argon2id | 64 MiB · 3 iterations · 4 lanes |
| Salt | 256-bit random | Per-file, generated via OS CSPRNG |
| Nonce | 96-bit random | Per-file, generated via OS CSPRNG |
| Keyfile hashing | SHA-256 | Content-only; path and filename ignored |
Master key construction:
```
Password only:       M = UTF8(password)
Password + Keyfile:  M = UTF8(password) || 0x00 || SHA-256(keyfile_bytes)
```
`M` is then passed to Argon2id with a per-file random salt to derive the AES-256-GCM key.
SVLT v3 container layout:
```
[4 bytes ] Magic: "SVLT"
[1 byte  ] Version: 3
[32 bytes] Salt (Argon2id)
[12 bytes] Nonce (AES-GCM)
[16 bytes] Authentication Tag (GCM)
[n bytes ] Ciphertext (includes original filename inside encrypted payload)
```
In v3, the filename is protected inside the ciphertext, not stored in the cleartext header.
The entire header is authenticated as AAD: any tampering causes immediate decryption failure.
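The v3 layout above can be read without any key material, which is useful for triaging `.svlt` files and confirming that nothing beyond salt, nonce and tag sits in the clear. The following is an added Python example, not CLAVEM's own C# code; `parse_svlt_v3`, `SvltHeader` and `SAMPLE` are hypothetical names, and the sample container is constructed filler rather than real ciphertext.

```python
import struct
from dataclasses import dataclass

# Field sizes from the v3 layout: magic, version, salt, nonce, tag.
# The ">" prefix disables alignment padding, so the header is exactly 65 bytes.
HEADER = struct.Struct(">4sB32s12s16s")


@dataclass(frozen=True)
class SvltHeader:
    version: int
    salt: bytes            # Argon2id salt, 32 bytes
    nonce: bytes           # AES-GCM nonce, 12 bytes
    tag: bytes             # GCM authentication tag, 16 bytes
    ciphertext_len: int    # everything after the fixed header


def parse_svlt_v3(blob: bytes) -> SvltHeader:
    """Split a v3 container into its cleartext fields without decrypting."""
    if len(blob) < HEADER.size:
        raise ValueError(f"truncated: {len(blob)} bytes, header needs {HEADER.size}")
    magic, version, salt, nonce, tag = HEADER.unpack_from(blob)
    if magic != b"SVLT":
        raise ValueError("bad magic, not an SVLT container")
    if version != 3:
        # v1 and v2 exist, but their layout is not documented on this page.
        raise ValueError(f"version {version} does not use the v3 layout")
    return SvltHeader(version, salt, nonce, tag, len(blob) - HEADER.size)


# Constructed sample: valid magic and version, filler salt/nonce/tag,
# and 20 bytes standing in for the ciphertext.
SAMPLE = b"SVLT\x03" + bytes(range(32)) + bytes(range(12)) + bytes(16) + b"\xaa" * 20

if __name__ == "__main__":
    print(parse_svlt_v3(SAMPLE))
```

Parsing only checks structure; whether the header or ciphertext was modified is decided by GCM tag verification at decryption time.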
| # | Issue | Severity | Status |
|---|---|---|---|
| 1 | Master-key zeroing bug: `DeriveMasterKey` returned an already-zeroed buffer | Critical | Fixed |
| 2 | Integer overflow on payload sizing near 2 GB | High | Fixed |
| 3 | Infinite loop in `SecureDelete` on 0-byte files | Medium | Fixed |
| 4 | Crash in metadata reader when file disappears mid-read | Low | Fixed |
| 5 | Duplicate error dialogs from nested try/catch | Low | Fixed |
| 6 | Keyfile bytes lived in memory for entire operation duration | Low | Fixed (v2.0.2) |
CLAVEM protects against:
- Offline attackers who obtain `.svlt` files and attempt brute-force decryption
- Ciphertext tampering (detected by the GCM authentication tag)
- Filename disclosure (filename is inside the ciphertext in v3)
- Malicious ZIP entries during folder decryption (Zip Slip protection)
CLAVEM does NOT protect against:
- Compromised endpoints (keyloggers, malware with memory access)
- RAM forensics during active operation
- Weak or guessable passwords
These are platform constraints, not implementation defects.
- Secure Delete on SSD/NVMe: wear leveling may prevent physical overwrite of original sectors. Use full-disk encryption (e.g. BitLocker) for high-assurance requirements.
- Folder mode: a temporary ZIP is created before encryption. It is securely deleted after the operation.
- File size: files larger than 2 GB are not supported (in-memory design).
- Windows 10 / 11 (64-bit)
- .NET 8.0 SDK
- Visual Studio 2022 (optional) or `dotnet` CLI
```
dotnet restore
dotnet build -c Release
dotnet run
```

| Script | Purpose |
|---|---|
| `build.bat` | Standard debug build |
| `create-portable-release.bat` | Builds a self-contained portable release |
| `create-source-package.bat` | Packages source for distribution |
```
CLAVEM/
├── CryptoEngine.cs            # AES-256-GCM, Argon2id, SecureDelete, SVLT format
├── AuthenticationManager.cs   # Master key construction (password + optional keyfile)
├── MainWindow.xaml / .cs      # UI + async execution pipeline
├── FolderCryptoHelper.cs      # Folder analysis, ZIP, Zip Slip-safe extraction
├── SecureLogger.cs            # Append-only audit log (no sensitive data)
├── FileMetadata.cs            # Privacy-preserving SVLT metadata reader
├── FolderPicker.cs            # Windows folder dialog
├── Resources/
│   ├── clavem.ico             # Application icon (transparent background)
│   └── clavem_logo.png        # Logo
├── app.manifest               # PerMonitorV2 DPI awareness
└── Clavem.csproj
```
| Package | Version | Purpose |
|---|---|---|
| Konscious.Security.Cryptography.Argon2 | 1.3.0 | Argon2id implementation |
| .NET 8.0 BCL | built-in | AES-GCM, SHA-256, RandomNumberGenerator, SecureString |
| System.IO.Compression | built-in | ZIP for folder encryption mode |
CLAVEM is dual-licensed:
- AGPL-3.0-only: free for personal and open-source use
- Commercial license: for closed-source or proprietary distribution
For commercial licensing: xilomen@gmail.com
See SECURITY.md for the responsible disclosure process.
v2.0.2 source package SHA-256:
9a72d9d3e7e6fe58586b188f256592bfe8856a0ae9f7370eac60935c9d685dc4
Made with ❤️ for secure file protection

