obsidenc uses XChaCha20-Poly1305 with per-chunk authentication tags, so tampering is detected immediately. The Argon2id key derivation adapts to available memory (512 MiB to 2 GiB), adjusting iterations to maintain security on constrained systems per RFC 9106.
Sensitive data is locked in RAM (mlock/VirtualLock) to prevent swap exposure, and the zeroize crate clears secrets when done. Decryption verifies authentication before exposing plaintext and streams data to minimize memory exposure.
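The chunked authentication and verify-before-release behaviour described above, as an added example that is not obsidenc's own code. It assumes a STREAM-style nonce layout (7-byte prefix, 4-byte chunk counter, 1-byte last-chunk flag) and substitutes AES-256-GCM from Go's standard library for XChaCha20-Poly1305; the key, nonce prefix and 16-byte chunk size are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// chunkSize is tiny for the demo; real tools use tens of KiB per chunk. AES-256-GCM
// stands in for XChaCha20-Poly1305, which Go's standard library lacks; the framing
// does not depend on which AEAD is used.
const chunkSize = 16
// chunkNonce = prefix(7) || counter(4) || last-flag(1), the STREAM construction:
// a reordered, dropped or truncated chunk is opened under the wrong nonce and fails.
func chunkNonce(prefix []byte, i int, last bool) []byte {
	n := binary.BigEndian.AppendUint32(append([]byte{}, prefix...), uint32(i))
	if last {
		return append(n, 1)
	}
	return append(n, 0)
}
// encryptChunks seals every chunkSize-byte slice of pt under its own tag.
func encryptChunks(key, prefix, pt []byte) [][]byte {
	blk, _ := aes.NewCipher(key) // key is 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(blk)
	var out [][]byte
	for i, last := 0, false; !last; i++ {
		end := (i + 1) * chunkSize
		if last = end >= len(pt); last {
			end = len(pt)
		}
		out = append(out, aead.Seal(nil, chunkNonce(prefix, i, last), pt[i*chunkSize:end], nil))
	}
	return out
}
// decryptChunks verifies each tag before appending that chunk's plaintext, so a
// tampered chunk is reported by index and nothing from or after it is released.
func decryptChunks(key, prefix []byte, chunks [][]byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	var out []byte
	for i, ct := range chunks {
		pt, err := aead.Open(nil, chunkNonce(prefix, i, i == len(chunks)-1), ct, nil)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: authentication failed (modified, reordered or truncated)", i)
		}
		out = append(out, pt...)
	}
	return out, nil
}
```

Dropping the final chunk is caught at the new last chunk because it was sealed with the last-flag clear, so truncation fails exactly like a flipped byte.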
The parser strictly validates the container format, uses constant-time comparisons, and rejects malformed inputs. Zip-bomb protection caps file counts at one million and path lengths at 4 KB. Decryption uses staging directories with an atomic rename on success, preventing partial extractions. Automatic cleanup runs on failure.
You can combine a password with an optional keyfile (up to 4 MiB). On Unix, the tool checks that keyfiles aren't world-readable. Subkeys are derived via HKDF with distinct domain-separation strings, so the material used for encryption is never reused for nonce generation.
The design prioritizes security: no compression to avoid side-channels, symlink rejection, permission sanitization on extract, and a 20-character minimum password.